Posted to issues@hive.apache.org by "Hive QA (JIRA)" <ji...@apache.org> on 2015/06/19 20:49:03 UTC

[jira] [Commented] (HIVE-10594) Remote Spark client doesn't use Kerberos keytab to authenticate [Spark Branch]

    [ https://issues.apache.org/jira/browse/HIVE-10594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14593772#comment-14593772 ] 

Hive QA commented on HIVE-10594:
--------------------------------



{color:red}Overall{color}: -1 at least one test failed

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12740689/HIVE-10594.1-spark.patch

{color:red}ERROR:{color} -1 due to 2 failed/errored test(s), 7987 tests executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestCliDriver.initializationError
org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_index_bitmap_auto
{noformat}

Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-SPARK-Build/897/testReport
Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-SPARK-Build/897/console
Test logs: http://ec2-50-18-27-0.us-west-1.compute.amazonaws.com/logs/PreCommit-HIVE-SPARK-Build-897/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 2 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12740689 - PreCommit-HIVE-SPARK-Build

> Remote Spark client doesn't use Kerberos keytab to authenticate [Spark Branch]
> ------------------------------------------------------------------------------
>
>                 Key: HIVE-10594
>                 URL: https://issues.apache.org/jira/browse/HIVE-10594
>             Project: Hive
>          Issue Type: Sub-task
>          Components: Spark
>    Affects Versions: 1.1.0
>            Reporter: Chao Sun
>            Assignee: Xuefu Zhang
>         Attachments: HIVE-10594.1-spark.patch
>
>
> Reporting problem found by one of the HoS users:
> Currently, if a user is running Beeline on a different host than HS2 and has not run kinit on the HS2 host, they may get the following error:
> {code}
> 2015-04-29 15:49:34,614 INFO org.apache.hive.spark.client.SparkClientImpl: 15/04/29 15:49:34 WARN UserGroupInformation: PriviledgedActionException as:hive (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
> 2015-04-29 15:49:34,652 INFO org.apache.hive.spark.client.SparkClientImpl: Exception in thread "main" java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "secure-hos-1.ent.cloudera.com/10.20.77.79"; destination host is: "secure-hos-1.ent.cloudera.com":8032;
> 2015-04-29 15:49:34,653 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:772)
> 2015-04-29 15:49:34,653 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client.call(Client.java:1472)
> 2015-04-29 15:49:34,654 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client.call(Client.java:1399)
> 2015-04-29 15:49:34,654 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:232)
> 2015-04-29 15:49:34,654 INFO org.apache.hive.spark.client.SparkClientImpl:      at com.sun.proxy.$Proxy11.getClusterMetrics(Unknown Source)
> 2015-04-29 15:49:34,655 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.yarn.api.impl.pb.client.ApplicationClientProtocolPBClientImpl.getClusterMetrics(ApplicationClientProtocolPBClientImpl.java:202)
> 2015-04-29 15:49:34,655 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 2015-04-29 15:49:34,655 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 2015-04-29 15:49:34,656 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 2015-04-29 15:49:34,656 INFO org.apache.hive.spark.client.SparkClientImpl:      at java.lang.reflect.Method.invoke(Method.java:606)
> 2015-04-29 15:49:34,656 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:187)
> 2015-04-29 15:49:34,657 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:102)
> 2015-04-29 15:49:34,657 INFO org.apache.hive.spark.client.SparkClientImpl:      at com.sun.proxy.$Proxy12.getClusterMetrics(Unknown Source)
> 2015-04-29 15:49:34,657 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.yarn.client.api.impl.YarnClientImpl.getYarnClusterMetrics(YarnClientImpl.java:461)
> 2015-04-29 15:49:34,657 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.yarn.Client$$anonfun$submitApplication$1.apply(Client.scala:91)
> 2015-04-29 15:49:34,657 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.yarn.Client$$anonfun$submitApplication$1.apply(Client.scala:91)
> 2015-04-29 15:49:34,657 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.Logging$class.logInfo(Logging.scala:59)
> 2015-04-29 15:49:34,657 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.yarn.Client.logInfo(Client.scala:49)
> 2015-04-29 15:49:34,657 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.yarn.Client.submitApplication(Client.scala:90)
> 2015-04-29 15:49:34,658 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.yarn.Client.run(Client.scala:619)
> 2015-04-29 15:49:34,658 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.yarn.Client$.main(Client.scala:647)
> 2015-04-29 15:49:34,658 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.yarn.Client.main(Client.scala)
> 2015-04-29 15:49:34,658 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 2015-04-29 15:49:34,658 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 2015-04-29 15:49:34,658 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 2015-04-29 15:49:34,658 INFO org.apache.hive.spark.client.SparkClientImpl:      at java.lang.reflect.Method.invoke(Method.java:606)
> 2015-04-29 15:49:34,659 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.SparkSubmit$.org$apache$spark$deploy$SparkSubmit$$runMain(SparkSubmit.scala:569)
> 2015-04-29 15:49:34,659 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.SparkSubmit$.doRunMain$1(SparkSubmit.scala:166)
> 2015-04-29 15:49:34,659 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.SparkSubmit$.submit(SparkSubmit.scala:189)
> 2015-04-29 15:49:34,659 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.SparkSubmit$.main(SparkSubmit.scala:110)
> 2015-04-29 15:49:34,659 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.spark.deploy.SparkSubmit.main(SparkSubmit.scala)
> 2015-04-29 15:49:34,660 INFO org.apache.hive.spark.client.SparkClientImpl: Caused by: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
> 2015-04-29 15:49:34,660 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:680)
> 2015-04-29 15:49:34,660 INFO org.apache.hive.spark.client.SparkClientImpl:      at java.security.AccessController.doPrivileged(Native Method)
> 2015-04-29 15:49:34,660 INFO org.apache.hive.spark.client.SparkClientImpl:      at javax.security.auth.Subject.doAs(Subject.java:415)
> 2015-04-29 15:49:34,660 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
> 2015-04-29 15:49:34,660 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:643)
> 2015-04-29 15:49:34,661 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:730)
> 2015-04-29 15:49:34,661 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client$Connection.access$2800(Client.java:368)
> 2015-04-29 15:49:34,661 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client.getConnection(Client.java:1521)
> 2015-04-29 15:49:34,661 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client.call(Client.java:1438)
> 2015-04-29 15:49:34,661 INFO org.apache.hive.spark.client.SparkClientImpl:      ... 29 more
> 2015-04-29 15:49:34,662 INFO org.apache.hive.spark.client.SparkClientImpl: Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
> 2015-04-29 15:49:34,662 INFO org.apache.hive.spark.client.SparkClientImpl:      at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
> 2015-04-29 15:49:34,662 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
> 2015-04-29 15:49:34,662 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:553)
> 2015-04-29 15:49:34,662 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client$Connection.access$1800(Client.java:368)
> 2015-04-29 15:49:34,663 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:722)
> 2015-04-29 15:49:34,663 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:718)
> 2015-04-29 15:49:34,663 INFO org.apache.hive.spark.client.SparkClientImpl:      at java.security.AccessController.doPrivileged(Native Method)
> 2015-04-29 15:49:34,663 INFO org.apache.hive.spark.client.SparkClientImpl:      at javax.security.auth.Subject.doAs(Subject.java:415)
> 2015-04-29 15:49:34,663 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
> 2015-04-29 15:49:34,664 INFO org.apache.hive.spark.client.SparkClientImpl:      at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:717)
> 2015-04-29 15:49:34,664 INFO org.apache.hive.spark.client.SparkClientImpl:      ... 32 more
> 2015-04-29 15:49:34,664 INFO org.apache.hive.spark.client.SparkClientImpl: Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> 2015-04-29 15:49:34,664 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
> 2015-04-29 15:49:34,664 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
> 2015-04-29 15:49:34,665 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
> 2015-04-29 15:49:34,665 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
> 2015-04-29 15:49:34,665 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
> 2015-04-29 15:49:34,665 INFO org.apache.hive.spark.client.SparkClientImpl:      at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
> 2015-04-29 15:49:34,665 INFO org.apache.hive.spark.client.SparkClientImpl:      at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
> 2015-04-29 15:49:34,665 INFO org.apache.hive.spark.client.SparkClientImpl:      ... 41 more...
> {code}
> For MR, it works fine. I reproduced the issue on a newly provisioned CDH-5.4.1 cluster by explicitly running kdestroy on the HS2 host first and then submitting a HoS query through Beeline from a different host (a minimal sketch follows).
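> A minimal way to reproduce on a test cluster (the host names, principal, and table below are placeholders, not from the report):
> {code}
> # On the HS2 host: destroy the hive user's ticket cache so no TGT is available
> sudo -u hive kdestroy
> # From a different host: connect to HS2 over Kerberos and run a Hive-on-Spark query
> beeline -u "jdbc:hive2://hs2-host:10000/default;principal=hive/hs2-host@EXAMPLE.COM" \
>   -e "set hive.execution.engine=spark; select count(*) from src;"
> {code}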
> According to the user's investigation, it might be an issue with spark-submit.sh.
> Here's the quote:
> {quote}
> I think I found it ... HS2 calls out via Bash to set up the Spark container for the HS2 session – I am not seeing any keytab access for this new session – so having a krb5cc_xx available solves Hive's need for an active TGT.
> Basically bash is laundering the access ... the TGT that HS2 is carrying isn't passed on through to bash – because bash doesn't have a KRB5CCNAME to go looking for, so it cannot pass the TGT on even if one existed.
> {quote}
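> If the diagnosis above holds, one possible direction (not confirmed here) is to stop relying on an inherited ticket cache and have HS2 pass its Kerberos credentials to the spark-submit child process explicitly, e.g. via the {{--principal}} and {{--keytab}} options that recent Spark YARN clients support. A rough sketch with placeholder values:
> {code}
> # Hypothetical invocation from the HS2 host; the principal, keytab path, and jar
> # path are examples only. With --principal/--keytab the YARN client logs in from
> # the keytab itself, so the spawned bash/spark-submit process no longer depends
> # on a KRB5CCNAME ticket cache being visible to it.
> spark-submit \
>   --master yarn-cluster \
>   --principal hive/hs2-host@EXAMPLE.COM \
>   --keytab /etc/hive/conf/hive.keytab \
>   --class org.apache.hive.spark.client.RemoteDriver \
>   /path/to/hive-exec.jar ...
> {code}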



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)