You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "Bing Li (JIRA)" <ji...@apache.org> on 2016/05/18 13:39:12 UTC

[jira] [Commented] (HIVE-13384) Failed to create HiveMetaStoreClient object with proxy user when Kerberos enabled

    [ https://issues.apache.org/jira/browse/HIVE-13384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15288963#comment-15288963 ] 

Bing Li commented on HIVE-13384:
--------------------------------

Refer to Drill-3413, we found the method to resolve this issue in the client side.
The key point is that to get the delegation token for the proxy user, and assign it to hive.metastore.token.signature.

I tried this method in two different scenario:
1. use the proxy user to initialize an object of HiveMetaStoreClient, which is mentioned in the description
2. access to Hive table in Pig via HCatalog

Here are the sample codes for above two scenarios:
1. use the proxy use to create HiveMetaStoreClient object

      UserGroupInformation loginUser = UserGroupInformation.getLoginUser ();  // in this example, the loginUser is user hive

      // the "loginuser" impersonates user hdfs
      UserGroupInformation ugi = UserGroupInformation.createProxyUser ("hdfs", loginUser);

      // in this example, user hive is the super user
      // which will do the login with its keytab and principle
      // user hdfs is the proxyuser
      HiveMetaStoreClient realUserClient = new HiveMetaStoreClient(new HiveConf());  
     // get the delegation token for proxyuser hdfs, and the owner of this token is hdfs as well
      String delegationTokenStr = realUserClient.getDelegationToken("hdfs","hdfs");  
      realUserClient.close();

      String DELEGATION_TOKEN = "DelegationTokenForHiveMetaStoreServer";

      // create a delegation token object and add it to the given UGI
      Utils.setTokenStr(ugi, delegationTokenStr, DELEGATION_TOKEN);   

      ugi.doAs (new PrivilegedExceptionAction<Void> () {
        public Void run () throws Exception
        {
          hiveConf = new HiveConf ();
          hiveConf.set("hive.metastore.token.signature",DELEGATION_TOKEN);
          client = new HiveMetaStoreClient (hiveConf);
          return null;
        }
      });

2. In Pig Java program

        HiveConf hiveConf = new HiveConf();
        HCatClient client = HCatClient.create(hiveConf);
        UserGroupInformation ugi =
            UserGroupInformation.createProxyUser(proxyUser, UserGroupInformation.getLoginUser());

       // get and set the delegation token
        String tokenStrForm = client.getDelegationToken(proxyUser, proxyUser);
        String DELEGATION_TOKEN = "DelegationTokenForHiveMetaStoreServer";
        Utils.setTokenStr(ugi, tokenStrForm, DELEGATION_TOKEN);

        Properties pigProp = new Properties();
        pigProp.setProperty("hive.metastore.token.signature",DELEGATION_TOKEN );

        client.close();

       // initialize pigServer with the pigProperty
        PigServer pigServer = new PigServer(ExecType.MAPREDUCE, pigProp);

        ugi.doAs(new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {

              loadJars(pigServer);   // customize method
              runQuery(pigServer);   // customize method

              return null;

            }
        });

> Failed to create HiveMetaStoreClient object with proxy user when Kerberos enabled
> ---------------------------------------------------------------------------------
>
>                 Key: HIVE-13384
>                 URL: https://issues.apache.org/jira/browse/HIVE-13384
>             Project: Hive
>          Issue Type: Improvement
>          Components: Metastore
>    Affects Versions: 1.2.0, 1.2.1
>            Reporter: Bing Li
>
> I wrote a Java client to talk with HiveMetaStore. (Hive 1.2.0)
> But found that it can't new a HiveMetaStoreClient object successfully via a proxy using in Kerberos env.
> ===========================
> 15/10/13 00:14:38 ERROR transport.TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
>         at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
>         at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
> ==========================
> When I debugging on Hive, I found that the error came from open() method in HiveMetaStoreClient class.
> Around line 406,
>  transport = UserGroupInformation.getCurrentUser().doAs(new PrivilegedExceptionAction<TTransport>() {  //FAILED, because the current user doesn't have the cridential
> But it will work if I change above line to
>  transport = UserGroupInformation.getCurrentUser().getRealUser().doAs(new PrivilegedExceptionAction<TTransport>() {  //PASS
> I found DRILL-3413 fixes this error in Drill side as a workaround. But if I submit a mapreduce job via Pig/HCatalog, it runs into the same issue again when initialize the object via HCatalog.
> It would be better to fix this issue in Hive side.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)