You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by "Vihang Karajgaonkar (JIRA)" <ji...@apache.org> on 2016/07/28 18:38:20 UTC

[jira] [Created] (HIVE-14372) Odd behavior with Beeline parsing server principal in Kerberized environment

Vihang Karajgaonkar created HIVE-14372:
------------------------------------------

             Summary: Odd behavior with Beeline parsing server principal in Kerberized environment
                 Key: HIVE-14372
                 URL: https://issues.apache.org/jira/browse/HIVE-14372
             Project: Hive
          Issue Type: Bug
          Components: Beeline
            Reporter: Vihang Karajgaonkar


Case 1:
I can replace the realm with any garbage realm, and it still works.
{code}
[root@c62-n3 ~]# beeline
Beeline version 0.10.0-cdh4.2.0 by Apache Hive
beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ 
scan complete in 4ms
Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ
Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ: 
Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ: 
Connected to: Hive (version 0.10.0)
Driver: Hive (version 0.10.0-cdh4.2.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables;
-----------
tab_name
-----------
t1
t2
test
-----------
3 rows selected (1.749 seconds)
0: jdbc:hive2://c62-n3.intuit.test:10000/>
{code}

Case 2:
I can keep the garbage realm, but if I use a different hostname (notice I've truncated it to c62-n3.intuit instead of c62-n3.intuit.test), it fails (as it should) but the error message is not at all user-friendly.

{code}
[root@c62-n3 ~]# beeline
Beeline version 0.10.0-cdh4.2.0 by Apache Hive
beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC 
scan complete in 4ms
Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC
Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC: 
Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC: 
13/06/10 08:34:29 ERROR transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
at java.sql.DriverManager.getConnection(DriverManager.java:582)
at java.sql.DriverManager.getConnection(DriverManager.java:185)
at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152)
at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193)
at org.apache.hive.beeline.Commands.connect(Commands.java:965)
at org.apache.hive.beeline.Commands.connect(Commands.java:896)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66)
at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755)
at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631)
at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380)
at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 32 more
Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 35 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 40 more
org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
at java.sql.DriverManager.getConnection(DriverManager.java:582)
at java.sql.DriverManager.getConnection(DriverManager.java:185)
at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152)
at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193)
at org.apache.hive.beeline.Commands.connect(Commands.java:965)
at org.apache.hive.beeline.Commands.connect(Commands.java:896)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66)
at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755)
at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631)
at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380)
at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
Error: Invalid URL: jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC (state=08S01,code=0)
{code}

Case 3:
If I truncate the hostname portion of the principal to the shortname (hive/c62-n3), it works. This should fail, since the principal 'hive/c62-n3' does not exist.
{code}
[root@c62-n3 ~]# beeline
Beeline version 0.10.0-cdh4.2.0 by Apache Hive
beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC 
scan complete in 3ms
Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC
Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC: 
Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC: 
Connected to: Hive (version 0.10.0)
Driver: Hive (version 0.10.0-cdh4.2.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables;
-----------
tab_name
-----------
t1
t2
test
-----------
3 rows selected (1.553 seconds)
0: jdbc:hive2://c62-n3.intuit.test:10000/>
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)