hive-issues mailing list archives

From "Junjie Chen (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HIVE-14372) Odd behavior with Beeline parsing server principal in Kerberized environment
Date Thu, 08 Sep 2016 07:22:20 GMT

    [ https://issues.apache.org/jira/browse/HIVE-14372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15473060#comment-15473060 ]

Junjie Chen edited comment on HIVE-14372 at 9/8/16 7:21 AM:
------------------------------------------------------------

Hi [~vihangk1]

Either the JDK API createSaslClient does not accept a realm parameter (see: createSaslClient(String[] mechanisms, String authorizationId, String protocol, String serverName, Map<String,?> props, CallbackHandler cbh)), or the underlying security provider com.sun.security.sasl.Provider (GssKrb5Client.java in com.sun.security.sasl.gsskerb.GssKrb5Client) does not accept a realm parameter, since the Kerberos V5 mechanism maps the hostname to the canonical principal format in three ways (refer to [1] and [2]). For example, the underlying security provider will read your Kerberos configuration krb5.conf to generate a realm through the [domain_realm] section.

Currently, though the Hive code checks whether there is a realm part, it doesn't use it at all. I think the realm check should be removed according to the Java API definition, and the user could configure the realm in krb5.conf. What do you think?

[1]: https://web.mit.edu/kerberos/krb5-1.13/doc/admin/realm_config.html 
[2]: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/single-signon.html


> Odd behavior with Beeline parsing server principal in Kerberized environment
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-14372
>                 URL: https://issues.apache.org/jira/browse/HIVE-14372
>             Project: Hive
>          Issue Type: Bug
>          Components: Beeline
>            Reporter: Vihang Karajgaonkar
>            Assignee: Junjie Chen
>
> Case 1:
> I can replace the realm with any garbage realm, and it still works.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ
> scan complete in 4ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ:
> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ:
> Connected to: Hive (version 0.10.0)
> Driver: Hive (version 0.10.0-cdh4.2.0)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables;
> -----------
> tab_name
> -----------
> t1
> t2
> test
> -----------
> 3 rows selected (1.749 seconds)
> 0: jdbc:hive2://c62-n3.intuit.test:10000/>
> {code}
> Case 2:
> I can keep the garbage realm, but if I use a different hostname (notice I've truncated it to c62-n3.intuit instead of c62-n3.intuit.test), it fails (as it should) but the error message is not at all user-friendly.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC
> scan complete in 4ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC:
> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC:
> 13/06/10 08:34:29 ERROR transport.TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
> at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
> at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
> at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
> at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
> at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
> at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
> at java.sql.DriverManager.getConnection(DriverManager.java:582)
> at java.sql.DriverManager.getConnection(DriverManager.java:185)
> at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152)
> at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193)
> at org.apache.hive.beeline.Commands.connect(Commands.java:965)
> at org.apache.hive.beeline.Commands.connect(Commands.java:896)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66)
> at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755)
> at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631)
> at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380)
> at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
> at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
> ... 32 more
> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
> at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
> at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
> at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
> at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
> at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
> ... 35 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
> at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
> at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
> ... 40 more
> org.apache.thrift.transport.TTransportException: GSS initiate failed
> at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
> at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
> at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
> at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
> at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
> at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
> at java.sql.DriverManager.getConnection(DriverManager.java:582)
> at java.sql.DriverManager.getConnection(DriverManager.java:185)
> at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152)
> at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193)
> at org.apache.hive.beeline.Commands.connect(Commands.java:965)
> at org.apache.hive.beeline.Commands.connect(Commands.java:896)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66)
> at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755)
> at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631)
> at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380)
> at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
> Error: Invalid URL: jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC (state=08S01,code=0)
> {code}
> Case 3:
> If I truncate the hostname portion of the principal to the shortname (hive/c62-n3), it works. This should fail, since the principal 'hive/c62-n3' does not exist.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC
> scan complete in 3ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC:
> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC:
> Connected to: Hive (version 0.10.0)
> Driver: Hive (version 0.10.0-cdh4.2.0)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables;
> -----------
> tab_name
> -----------
> t1
> t2
> test
> -----------
> 3 rows selected (1.553 seconds)
> 0: jdbc:hive2://c62-n3.intuit.test:10000/>
> {code}
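The three cases in the issue, modelled end to end, as an added Python illustration that is not Hive's, Beeline's or the JDK's code. It shows the mechanism the comment describes: the realm typed into `principal=service/host@REALM` is parsed but never reaches `createSaslClient` (which only takes `protocol` and `serverName`), and the Kerberos mechanism then chooses the realm itself from the krb5.conf `[domain_realm]` section, falling back to `default_realm`. The krb5.conf text and the DNS lookup table are constructed for this example; the short-hostname canonicalization is modelled on the JDK's `PrincipalName` behaviour for host-based service names, and the `[domain_realm]` walk is a simplified version of the MIT rules from reference [1].

```python
"""Added illustration (not Hive's or the JDK's code): what reaches the SASL/GSSAPI
layer from a Beeline URL's principal=service/host@REALM, and how the Kerberos
mechanism then picks the realm itself from krb5.conf [domain_realm]."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: Optional[str]  # parsed from the URL, but nothing downstream consumes it


def parse_principal(text: str) -> Principal:
    """Split 'service/host[@REALM]' the way the URL parameter is written."""
    name, _, realm = text.partition("@")
    service, sep, host = name.partition("/")
    if not sep or not service or not host:
        raise ValueError(f"expected service/host[@REALM], got {text!r}")
    return Principal(service, host, realm or None)


def sasl_client_args(p: Principal) -> Tuple[str, str]:
    """Mirror of Sasl.createSaslClient(mechs, authzId, protocol, serverName, ...):
    protocol=service, serverName=host. There is no realm parameter, so the realm
    typed in the URL is dropped at this point."""
    return p.service, p.host


# Constructed stand-in for DNS (example data), used only to model canonicalization.
FAKE_DNS = {"c62-n3": "c62-n3.intuit.test", "c62-n3.intuit.test": "c62-n3.intuit.test"}


def canonicalize_host(host: str, dns: Dict[str, str] = FAKE_DNS) -> str:
    """Modelled on the JDK's PrincipalName handling of host-based service names:
    resolve the host and accept the canonical name only if it extends the given
    one (bunny -> bunny.rabbit.hole). Unresolvable names are kept unchanged."""
    canonical = dns.get(host.lower())
    if canonical and canonical.lower().startswith(host.lower() + "."):
        return canonical.lower()
    return host.lower()


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: top-level 'key = value' lines per section,
    skipping nested '{ ... }' blocks such as the per-realm entries under [realms]."""
    sections: Dict[str, Dict[str, str]] = {}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def realm_for_host(host: str, conf: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Simplified MIT [domain_realm] lookup: exact host first, then each parent
    domain written with a leading dot, then libdefaults default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    h = host.lower().rstrip(".")
    if h in mapping:
        return mapping[h]
    labels = h.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")


EXAMPLE_KRB5_CONF = """\
# constructed for this example
[libdefaults]
  default_realm = CORP.EXAMPLE
[realms]
  INTUIT.TEST = {
    kdc = kdc.intuit.test
  }
[domain_realm]
  .intuit.test = INTUIT.TEST
"""


def effective_target(url_principal: str, krb5_conf_text: str = EXAMPLE_KRB5_CONF) -> str:
    """Service principal the client actually asks the KDC for."""
    protocol, server = sasl_client_args(parse_principal(url_principal))
    server = canonicalize_host(server)
    realm = realm_for_host(server, parse_krb5_conf(krb5_conf_text))
    return f"{protocol}/{server}@{realm}"


if __name__ == "__main__":
    for p in ("hive/c62-n3.intuit.test@ABC.XYZ",  # case 1: bogus realm is ignored
              "hive/c62-n3.intuit@ABC",           # case 2: wrong host, falls to default_realm
              "hive/c62-n3@ABC"):                 # case 3: short name is canonicalized
        print(f"{p:36} -> {effective_target(p)}")
```

Case 1 and case 3 both end up requesting `hive/c62-n3.intuit.test@INTUIT.TEST` regardless of the `@ABC.XYZ` or `@ABC` in the URL, which is why they connect. Case 2 keeps the unresolvable host `c62-n3.intuit`, matches nothing in `[domain_realm]`, and is sent to the default realm's KDC, which reports exactly the `UNKNOWN_SERVER` seen in the trace; the user-facing `Invalid URL` message hides that.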


