You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@impala.apache.org by LiFu He <he...@gmail.com> on 2018/02/02 02:59:34 UTC
Does impala-2.11.0 support to kerberos enabled kudu-1.6.x cluster?
Hi there,
I deployed an impala-2.11.0 cluster and a kudu-1.6.x cluster that are both
kerberos enabled following:
https://www.cloudera.com/documentation/enterprise/
latest/topics/impala_kerberos.html#kerberos_config
https://www.cloudera.com/documentation/enterprise/
latest/topics/kudu_security.html#concept_vpc_yj4_jz
But i failed to select anythong from impala-shell:
* [hadoop956.hz.163.org:21000 <http://hadoop956.hz.163.org:21000>] >
select * from nation;*
* Query: select * from nation*
* Query submitted at: 2018-02-02 10:31:19 (Coordinator:
http://hadoop956.hz.163.org:25000 <http://hadoop956.hz.163.org:25000>)*
* ERROR: AnalysisException: Failed to load metadata for table:
'nation'*
* CAUSED BY: TableLoadingException: Error loading metadata for Kudu
table impala::kudu_100g.nation*
* CAUSED BY: ImpalaRuntimeException: Error opening Kudu table
'impala::kudu_100g.nation', Kudu error: Couldn't find a valid master in
(hadoop956.hz.163.org:7051
<http://hadoop956.hz.163.org:7051>,hadoop957.hz.163.org:7051
<http://hadoop957.hz.163.org:7051>,hadoop958.hz.163.org:7051
<http://hadoop958.hz.163.org:7051>). Exceptions received:
[org.apache.kudu.client.NonRecoverableException: Server requires Kerberos,
but this client is not authenticated (kinit),
org.apache.kudu.client.NonRecoverableException: Server requires Kerberos,
but this client is not authenticated (kinit),
org.apache.kudu.client.NonRecoverableException: Server requires Kerberos,
but this client is not authenticated (kinit)]*
Then, i checked the log and found that there was something wrong in
catalog.WARNING:
*W0202 09:37:33.192826 172851 ConnectToCluster.java:347] Error receiving
response from hadoop958.hz.163.org:7051 <http://hadoop958.hz.163.org:7051>*
*Java exception follows:*
*org.apache.kudu.client.NonRecoverableException: Server requires Kerberos,
but this client is not authenticated (kinit)*
* at
org.apache.kudu.client.Negotiator.evaluateChallenge(Negotiator.java:705)*
* at
org.apache.kudu.client.Negotiator.sendSaslInitiate(Negotiator.java:581)*
* at
org.apache.kudu.client.Negotiator.startAuthentication(Negotiator.java:545)*
* at
org.apache.kudu.client.Negotiator.handleTlsMessage(Negotiator.java:499)*
* at org.apache.kudu.client.Negotiator.handleResponse(Negotiator.java:264)*
* at org.apache.kudu.client.Negotiator.messageReceived(Negotiator.java:231)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.handler.timeout.ReadTimeoutHandler.messageReceived(ReadTimeoutHandler.java:184)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.handler.codec.oneone.OneToOneDecoder.handleUpstream(OneToOneDecoder.java:70)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)*
* at org.apache.kudu.shaded.org
<http://org.apache.kudu.shaded.org>.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)*
* at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)*
* at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)*
* at java.lang.Thread.run(Thread.java:748)*
*Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused
by GSSException: No valid credentials provided (Mechanism level: Failed to
find any Kerberos tgt)]*
* at
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)*
* at org.apache.kudu.client.Negotiator$1.run(Negotiator.java:691)*
* at org.apache.kudu.client.Negotiator$1.run(Negotiator.java:688)*
* at java.security.AccessController.doPrivileged(Native Method)*
* at javax.security.auth.Subject.doAs(Subject.java:421)*
* at
org.apache.kudu.client.Negotiator.evaluateChallenge(Negotiator.java:687)*
* ... 35 more*
*Caused by: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)*
* at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)*
* at
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)*
* at
sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)*
* at
sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)*
* at
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)*
* at
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)*
* at
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)*
* ... 40 more*
Obviously it failed to do kerberos authentication with kudu master. And at
the same time, i just noticed that i have not configured any principal for
kudu cluster in impala.
So, my questions are: 1.Did i forget anything i should configure? 2.Does
impala-2.11.0 support to kerberos enabled kudu-1.6.x cluster?
thanks in advance.
--
何李夫
Re: Does impala-2.11.0 support to kerberos enabled kudu-1.6.x cluster?
Posted by he...@gmail.com,
he...@gmail.com.
it works after i replaced the jdk1.7 with jdk1.8. Sorry for the late feedback.