You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by "weiliang hao (Jira)" <ji...@apache.org> on 2022/11/15 08:32:00 UTC

[jira] [Created] (HIVE-26739) When kerberos is enabled, hiveserver2 error connecting metastore: No valid credentials provided

weiliang hao created HIVE-26739:
-----------------------------------

             Summary: When kerberos is enabled, hiveserver2 error connecting metastore: No valid credentials provided
                 Key: HIVE-26739
                 URL: https://issues.apache.org/jira/browse/HIVE-26739
             Project: Hive
          Issue Type: Bug
    Affects Versions: 3.0.0, 2.0.0
            Reporter: weiliang hao


If the environment variable HADOOP_USER_NAME exists, hiveserver2 error connecting metastore: No valid credentials provided.

There is a problem with the getUGI method of the org.apache.hadoop.hive.shims.Utils class to obtain the UGI. It should be added to determine whether 'UserGroupInformation IsSecurityEnabled () `. If it is true, it returns' UserGroupInformation GetCurrentUser() `. If it is false, the user name is obtained from the environment variable HADOOP_USER_NAME to create a UGI

 

```

2022-11-15T15:41:06,971 ERROR [HiveServer2-Background-Pool: Thread-36] transport.TSaslTransport: SASL negotiation failure

javax.security.sasl.SaslException: GSS initiate failed

        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211) ~[?:1.8.0_144]

        at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:51) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:48) ~[hive-exec-3.1.3.jar:3.1.3]

        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_144]

        at javax.security.auth.Subject.doAs(Subject.java:422) ~[?:1.8.0_144]

        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1730) ~[hadoop-common-3.2.1.jar:?]

        at org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport.open(TUGIAssumingTransport.java:48) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:516) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:224) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient.<init>(SessionHiveMetaStoreClient.java:94) ~[hive-exec-3.1.3.jar:3.1.3]

        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:1.8.0_144]

        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:1.8.0_144]

        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:1.8.0_144]

        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_144]

        at org.apache.hadoop.hive.metastore.utils.JavaUtils.newInstance(JavaUtils.java:84) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.<init>(RetryingMetaStoreClient.java:95) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:148) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:119) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.metadata.Hive.createMetaStoreClient(Hive.java:4306) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:4374) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:4354) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.metadata.Hive.getDatabase(Hive.java:1662) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.metadata.Hive.databaseExists(Hive.java:1651) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.exec.DDLTask.showTablesOrViews(DDLTask.java:2824) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.exec.DDLTask.execute(DDLTask.java:509) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.exec.Task.executeTask(Task.java:205) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.exec.TaskRunner.runSequential(TaskRunner.java:97) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.Driver.launchTask(Driver.java:2664) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.Driver.execute(Driver.java:2335) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:2011) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1709) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1703) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hadoop.hive.ql.reexec.ReExecDriver.run(ReExecDriver.java:157) ~[hive-exec-3.1.3.jar:3.1.3]

        at org.apache.hive.service.cli.operation.SQLOperation.runQuery(SQLOperation.java:224) ~[hive-service-3.1.3.jar:3.1.3]

        at org.apache.hive.service.cli.operation.SQLOperation.access$700(SQLOperation.java:87) ~[hive-service-3.1.3.jar:3.1.3]

        at org.apache.hive.service.cli.operation.SQLOperation$BackgroundWork$1.run(SQLOperation.java:316) ~[hive-service-3.1.3.jar:3.1.3]

        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_144]

        at javax.security.auth.Subject.doAs(Subject.java:422) ~[?:1.8.0_144]

        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1730) ~[hadoop-common-3.2.1.jar:?]

        at org.apache.hive.service.cli.operation.SQLOperation$BackgroundWork.run(SQLOperation.java:329) ~[hive-service-3.1.3.jar:3.1.3]

        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[?:1.8.0_144]

        at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_144]

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_144]

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_144]

        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_144]

Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147) ~[?:1.8.0_144]

        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) ~[?:1.8.0_144]

        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187) ~[?:1.8.0_144]

        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224) ~[?:1.8.0_144]

        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212) ~[?:1.8.0_144]

        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_144]

        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192) ~[?:1.8.0_144]

        ... 47 more

```



--
This message was sent by Atlassian Jira
(v8.20.10#820010)