You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@dolphinscheduler.apache.org by GitBox <gi...@apache.org> on 2022/04/05 09:23:29 UTC

[GitHub] [dolphinscheduler] zhuxt2015 opened a new issue, #9352: [Bug] [API] Hive datasource connection failed when kerberos renew ticket lifetime expire

zhuxt2015 opened a new issue, #9352:
URL: https://github.com/apache/dolphinscheduler/issues/9352

   ### Search before asking
   
   - [X] I had searched in the [issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and found no similar issues.
   
   
   ### What happened
   
   in krb5.conf file, 
   >>>
   ticket_lifetime = 24h
   renew_lifetime = 7d
   >>> 
   when after renew lifetime expired,  connecting to the hive data source failed ,because the cached hive data source client uses the old ticket ,it cannot get the new ticket
   
   error log
   ```
   [WARN] 2022-04-01 16:59:53.260 org.apache.hive.jdbc.HiveConnection:[237] - Failed to connect to **.**.**.**:****
   [ERROR] 2022-04-01 16:59:56.127 org.apache.thrift.transport.TSaslTransport:[315] - SASL negotiation failure
   javax.security.sasl.SaslException: GSS initiate failed
           at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
           at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
           at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
           at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
           at org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:51)
           at org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:48)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.Subject.doAs(Subject.java:422)
           at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1698)
           at org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport.open(TUGIAssumingTransport.java:48)
           at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:343)
           at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:228)
           at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:107)
           at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:138)
           at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:364)
           at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:206)
           at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:476)
           at com.zaxxer.hikari.pool.HikariPool.access$100(HikariPool.java:71)
           at com.zaxxer.hikari.pool.HikariPool$PoolEntryCreator.call(HikariPool.java:726)
           at com.zaxxer.hikari.pool.HikariPool$PoolEntryCreator.call(HikariPool.java:712)
           at java.util.concurrent.FutureTask.run(FutureTask.java:266)
           at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
           at java.lang.Thread.run(Thread.java:748)
   Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
           at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:162)
           at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
           at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:189)
           at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
           at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
           at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
           at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
           ... 23 common frames omitted
   ```
   
   ### What you expected to happen
   
   I think the data source client cache should have an expiration time, for example, use the Guava Cache instead of CurrentHashMap.
   
   ### How to reproduce
   
   1. in krb5.conf file, change config renew life to short time, e.g 1h, then restart KDC
   2. restart api  server
   3. check hive connection, now it's a success
   4. after renew life expired, check hive connection, now it's a failed
   
   
   ### Anything else
   
   _No response_
   
   ### Version
   
   2.0.5
   
   ### Are you willing to submit PR?
   
   - [X] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [dolphinscheduler] github-actions[bot] commented on issue #9352: [Bug] [API] Hive datasource connection failed when kerberos renew ticket lifetime expire

Posted by GitBox <gi...@apache.org>.

github-actions[bot] commented on issue #9352:
URL: https://github.com/apache/dolphinscheduler/issues/9352#issuecomment-1088473398

   Hi:
   * Thank you for your feedback, we have received your issue, Please wait patiently for a reply.
   * In order for us to understand your request as soon as possible, please provide detailed information、version or pictures.
   * If you haven't received a reply for a long time, you can subscribe to the developer's email，Mail subscription steps reference https://dolphinscheduler.apache.org/en-us/community/development/subscribe.html ,Then write the issue URL in the email content and send question to dev@dolphinscheduler.apache.org.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [dolphinscheduler] caishunfeng closed issue #9352: [Bug] [datasource-api] Hive datasource connection failed when kerberos renew ticket lifetime expire

Posted by GitBox <gi...@apache.org>.

caishunfeng closed issue #9352: [Bug] [datasource-api] Hive datasource connection failed when kerberos renew ticket lifetime expire
URL: https://github.com/apache/dolphinscheduler/issues/9352


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org