hive-issues mailing list archives

From "Junjie Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-14372) Odd behavior with Beeline parsing server principal in Kerberized environment
Date Wed, 31 Aug 2016 00:40:20 GMT

    [ https://issues.apache.org/jira/browse/HIVE-14372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15450614#comment-15450614 ]

Junjie Chen commented on HIVE-14372:
------------------------------------

Hi Vihang Karajgaonkar,

I can reproduce case 1 and case 2, but cannot reproduce case 3. Can you run klist -k <keytab>
to check whether you added the server hostname to some principal? Or could you please dump klist
-k <keytab>?

Furthermore, it would be better if you can set the beeline log level to debug and paste the output
for case 1 and case 2.

> Odd behavior with Beeline parsing server principal in Kerberized environment
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-14372
>                 URL: https://issues.apache.org/jira/browse/HIVE-14372
>             Project: Hive
>          Issue Type: Bug
>          Components: Beeline
>            Reporter: Vihang Karajgaonkar
>            Assignee: Junjie Chen
>
> Case 1:
> I can replace the realm with any garbage realm, and it still works.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ

> scan complete in 4ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ:

> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ:

> Connected to: Hive (version 0.10.0)
> Driver: Hive (version 0.10.0-cdh4.2.0)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables;
> -----------
> tab_name
> -----------
> t1
> t2
> test
> -----------
> 3 rows selected (1.749 seconds)
> 0: jdbc:hive2://c62-n3.intuit.test:10000/>
> {code}
> Case 2:
> I can keep the garbage realm, but if I use a different hostname (notice I've truncated
> it to c62-n3.intuit instead of c62-n3.intuit.test), it fails (as it should) but the error
> message is not at all user-friendly.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC

> scan complete in 4ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC:

> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC:

> 13/06/10 08:34:29 ERROR transport.TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
> at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
> at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
> at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
> at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
> at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
> at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
> at java.sql.DriverManager.getConnection(DriverManager.java:582)
> at java.sql.DriverManager.getConnection(DriverManager.java:185)
> at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152)
> at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193)
> at org.apache.hive.beeline.Commands.connect(Commands.java:965)
> at org.apache.hive.beeline.Commands.connect(Commands.java:896)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66)
> at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755)
> at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631)
> at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380)
> at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
> at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
> ... 32 more
> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
> at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
> at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
> at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
> at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
> at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
> ... 35 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
> at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
> at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
> ... 40 more
> org.apache.thrift.transport.TTransportException: GSS initiate failed
> at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
> at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
> at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
> at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
> at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
> at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
> at java.sql.DriverManager.getConnection(DriverManager.java:582)
> at java.sql.DriverManager.getConnection(DriverManager.java:185)
> at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152)
> at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193)
> at org.apache.hive.beeline.Commands.connect(Commands.java:965)
> at org.apache.hive.beeline.Commands.connect(Commands.java:896)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66)
> at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755)
> at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631)
> at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380)
> at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
> Error: Invalid URL: jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC (state=08S01,code=0)
> {code}
> Case 3:
> If I truncate the hostname portion of the principal to the shortname (hive/c62-n3), it
> works. This should fail, since the principal 'hive/c62-n3' does not exist.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC

> scan complete in 3ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC:

> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC:

> Connected to: Hive (version 0.10.0)
> Driver: Hive (version 0.10.0-cdh4.2.0)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables;
> -----------
> tab_name
> -----------
> t1
> t2
> test
> -----------
> 3 rows selected (1.553 seconds)
> 0: jdbc:hive2://c62-n3.intuit.test:10000/>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
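
A pre-flight check for the three `!connect` URLs in the report, added here as an example; it is not part of the original message or of Hive's code. It extracts the `principal` session parameter from the JDBC URL and compares its host part with the URL host and its realm with the realm the caller expects. `EXAMPLE.REALM` is a placeholder (the page does not state the cluster's real realm), and the function names are hypothetical.

```python
import re

# service/host@REALM, with no extra '/' or '@' in any component
PRINCIPAL_RE = re.compile(r"([^/@]+)/([^/@]+)@([^/@]+)")

def parse_hive_url(url):
    """Return (host, session_params) for a jdbc:hive2:// URL."""
    prefix = "jdbc:hive2://"
    if not url.startswith(prefix):
        raise ValueError("not a jdbc:hive2 URL")
    authority, _, tail = url[len(prefix):].partition("/")
    host = authority.split(":")[0]
    # Session parameters are the ';'-separated key=value pairs after the
    # database name, up to any '?' or '#' section.
    session = re.split(r"[?#]", tail, maxsplit=1)[0]
    params = dict(p.split("=", 1) for p in session.split(";")[1:] if "=" in p)
    return host, params

def check_principal(url, expected_realm):
    """List the ways the URL's principal disagrees with what we expect."""
    host, params = parse_hive_url(url)
    principal = params.get("principal")
    if principal is None:
        return ["missing-principal"]
    m = PRINCIPAL_RE.fullmatch(principal)
    if m is None:
        return ["malformed-principal"]
    _service, p_host, realm = m.groups()
    findings = []
    if p_host.lower() != host.lower():   # DNS names compare case-insensitively
        findings.append("host-mismatch")
    if realm != expected_realm:          # realm names are case-sensitive
        findings.append("realm-mismatch")
    return findings

# The three !connect URLs from the report; EXAMPLE.REALM is a placeholder.
BASE = "jdbc:hive2://c62-n3.intuit.test:10000/;principal="
CASES = {
    1: BASE + "hive/c62-n3.intuit.test@ABC.XYZ",
    2: BASE + "hive/c62-n3.intuit@ABC",
    3: BASE + "hive/c62-n3@ABC",
}

if __name__ == "__main__":
    for n, url in CASES.items():
        print(n, check_principal(url, "EXAMPLE.REALM"))
```

Run against the report's URLs, the check flags case 1 for the realm only, and cases 2 and 3 for both the host and the realm.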
