You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/05/03 00:21:00 UTC

[jira] [Work logged] (HIVE-13384) Failed to create HiveMetaStoreClient object with proxy user when Kerberos enabled

     [ https://issues.apache.org/jira/browse/HIVE-13384?focusedWorklogId=765232&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-765232 ]

ASF GitHub Bot logged work on HIVE-13384:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/May/22 00:20
            Start Date: 03/May/22 00:20
    Worklog Time Spent: 10m 
      Work Description: github-actions[bot] commented on PR #3064:
URL: https://github.com/apache/hive/pull/3064#issuecomment-1115491206

   This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
   Feel free to reach out on the dev@hive.apache.org list if the patch is in need of reviews.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 765232)
    Time Spent: 50m  (was: 40m)

> Failed to create HiveMetaStoreClient object with proxy user when Kerberos enabled
> ---------------------------------------------------------------------------------
>
>                 Key: HIVE-13384
>                 URL: https://issues.apache.org/jira/browse/HIVE-13384
>             Project: Hive
>          Issue Type: Improvement
>          Components: Metastore
>    Affects Versions: 1.2.0, 1.2.1
>            Reporter: Bing Li
>            Assignee: Bing Li
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> I wrote a Java client to talk with HiveMetaStore. (Hive 1.2.0)
> But found that it can't new a HiveMetaStoreClient object successfully via a proxy user in Kerberos env.
> ===========================
> 15/10/13 00:14:38 ERROR transport.TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
>         at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
>         at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
> ==========================
> When I debugging on Hive, I found that the error came from open() method in HiveMetaStoreClient class.
> Around line 406,
>  transport = UserGroupInformation.getCurrentUser().doAs(new PrivilegedExceptionAction<TTransport>() {  //FAILED, because the current user doesn't have the cridential
> But it will work if I change above line to
>  transport = UserGroupInformation.getCurrentUser().getRealUser().doAs(new PrivilegedExceptionAction<TTransport>() {  //PASS
> I found DRILL-3413 fixes this error in Drill side as a workaround. But if I submit a mapreduce job via Pig/HCatalog, it runs into the same issue again when initialize the object via HCatalog.
> It would be better to fix this issue in Hive side.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)