Posted to issues@hive.apache.org by "Junjie Chen (JIRA)" <ji...@apache.org> on 2016/09/08 07:17:21 UTC

[jira] [Commented] (HIVE-14372) Odd behavior with Beeline parsing server principal in Kerberized environment

    [ https://issues.apache.org/jira/browse/HIVE-14372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15473060#comment-15473060 ] 

Junjie Chen commented on HIVE-14372:
------------------------------------

Hi ~Vihang Karajgaonkar

Either the JDK API createSaslClient does not accept a realm parameter (see: createSaslClient(String[] mechanisms, String authorizationId, String protocol, String serverName, Map<String,?> props, CallbackHandler cbh)) or the underlying security provider com.sun.security.sasl.Provider (GssKrb5Client.java in com.sun.security.sasl.gsskerb.GssKrb5Client) does not accept a realm parameter, since the Kerberos V5 mechanism will map the hostname to the canonical principal format in three ways (refer to [1] and [2]). For example, the underlying security provider will read your Kerberos configuration krb5.conf to generate a realm through the [domain_realm] section.

Currently, though the Hive code checks whether there is a realm part, it doesn't use it at all. I think the realm check should be removed according to the Java API definition, and users could configure the realm in krb5.conf. What do you think?

[1]: https://web.mit.edu/kerberos/krb5-1.13/doc/admin/realm_config.html 
[2]: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/single-signon.html

> Odd behavior with Beeline parsing server principal in Kerberized environment
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-14372
>                 URL: https://issues.apache.org/jira/browse/HIVE-14372
>             Project: Hive
>          Issue Type: Bug
>          Components: Beeline
>            Reporter: Vihang Karajgaonkar
>            Assignee: Junjie Chen
>
> Case 1:
> I can replace the realm with any garbage realm, and it still works.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ 
> scan complete in 4ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ: 
> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ: 
> Connected to: Hive (version 0.10.0)
> Driver: Hive (version 0.10.0-cdh4.2.0)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables;
> -----------
> tab_name
> -----------
> t1
> t2
> test
> -----------
> 3 rows selected (1.749 seconds)
> 0: jdbc:hive2://c62-n3.intuit.test:10000/>
> {code}
> Case 2:
> I can keep the garbage realm, but if I use a different hostname (notice I've truncated it to c62-n3.intuit instead of c62-n3.intuit.test), it fails (as it should) but the error message is not at all user-friendly.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC 
> scan complete in 4ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC: 
> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC: 
> 13/06/10 08:34:29 ERROR transport.TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
> at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
> at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
> at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
> at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
> at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
> at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
> at java.sql.DriverManager.getConnection(DriverManager.java:582)
> at java.sql.DriverManager.getConnection(DriverManager.java:185)
> at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152)
> at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193)
> at org.apache.hive.beeline.Commands.connect(Commands.java:965)
> at org.apache.hive.beeline.Commands.connect(Commands.java:896)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66)
> at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755)
> at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631)
> at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380)
> at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
> at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
> ... 32 more
> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
> at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
> at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
> at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
> at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
> at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
> ... 35 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
> at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
> at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
> ... 40 more
> org.apache.thrift.transport.TTransportException: GSS initiate failed
> at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
> at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
> at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408)
> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
> at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
> at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
> at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
> at java.sql.DriverManager.getConnection(DriverManager.java:582)
> at java.sql.DriverManager.getConnection(DriverManager.java:185)
> at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152)
> at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193)
> at org.apache.hive.beeline.Commands.connect(Commands.java:965)
> at org.apache.hive.beeline.Commands.connect(Commands.java:896)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66)
> at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755)
> at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631)
> at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380)
> at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
> Error: Invalid URL: jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC (state=08S01,code=0)
> {code}
> Case 3:
> If I truncate the hostname portion of the principal to the shortname (hive/c62-n3), it works. This should fail, since the principal 'hive/c62-n3' does not exist.
> {code}
> [root@c62-n3 ~]# beeline
> Beeline version 0.10.0-cdh4.2.0 by Apache Hive
> beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC 
> scan complete in 3ms
> Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC
> Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC: 
> Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC: 
> Connected to: Hive (version 0.10.0)
> Driver: Hive (version 0.10.0-cdh4.2.0)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables;
> -----------
> tab_name
> -----------
> t1
> t2
> test
> -----------
> 3 rows selected (1.553 seconds)
> 0: jdbc:hive2://c62-n3.intuit.test:10000/>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
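The point made in the comment above (the realm in the `principal=` URL parameter is checked for presence but never reaches the SASL/GSS layer, which re-derives the realm from the krb5.conf [domain_realm] section) can be traced through with the following Python model. This is an added illustration, not Hive or JDK code: the krb5.conf content and the realm names in it are constructed placeholders, the mapping rule (exact host entry, then parent domains, then default_realm) follows the MIT documentation linked as [1], and DNS hostname canonicalization, which the comment also mentions, is deliberately not modeled.

```python
import re

# Constructed sample krb5.conf (not from the issue); realm names are placeholders.
KRB5_CONF = """
[libdefaults]
    default_realm = CORP.EXAMPLE

[domain_realm]
    .intuit.test = HADOOP.EXAMPLE
    intuit.test = HADOOP.EXAMPLE
"""

# The three connection strings from the issue's Case 1, 2 and 3.
CASE1_URL = "jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.test@ABC.XYZ"
CASE2_URL = "jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC"
CASE3_URL = "jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC"


def parse_krb5_conf(text):
    """Minimal INI-style reader for the two krb5.conf sections used here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return sections


def parse_jdbc_principal(url):
    """Split the ';principal=' parameter into (service, host, realm).

    Like the Hive check the comment describes, a principal without a realm
    part is rejected; the realm value itself is never validated.
    """
    m = re.search(r";principal=([^;]+)", url)
    if m is None:
        raise ValueError("no principal= parameter in URL")
    principal = m.group(1)
    parts = re.fullmatch(r"([^/@]+)/([^/@]+)@([^/@]+)", principal)
    if parts is None:
        raise ValueError(f"principal {principal!r} is not of the form service/host@REALM")
    return parts.groups()


def realm_for_host(host, conf):
    """Map a hostname to a realm as [domain_realm] is documented to work:
    exact host entry, then each parent domain (with or without a leading
    dot), then default_realm.  DNS canonicalization is not modeled."""
    mapping = conf.get("domain_realm", {})
    name = host.lower()
    if name in mapping:
        return mapping[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        for key in ("." + domain, domain):
            if key in mapping:
                return mapping[key]
    return conf.get("libdefaults", {}).get("default_realm")


def effective_service_principal(url, conf):
    """Return (principal the Kerberos layer actually requests a ticket for,
    realm that was written in the URL and then discarded)."""
    service, host, url_realm = parse_jdbc_principal(url)
    return f"{service}/{host}@{realm_for_host(host, conf)}", url_realm


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for label, url in (("Case 1", CASE1_URL), ("Case 2", CASE2_URL), ("Case 3", CASE3_URL)):
        requested, ignored = effective_service_principal(url, conf)
        print(f"{label}: URL realm {ignored!r} ignored; ticket requested for {requested}")
```

Run stand-alone, the model shows why Case 1 connects despite the garbage realm: `ABC.XYZ` is parsed and then dropped, and the ticket request goes to the realm that [domain_realm] maps `c62-n3.intuit.test` to. In Case 2 the truncated host `c62-n3.intuit` matches no mapping entry, so it falls through to default_realm and yields a principal the KDC has no entry for, which is consistent with the UNKNOWN_SERVER error in the issue. Case 3 maps to default_realm in this model as well; that the shortname works in practice is down to the hostname canonicalization the comment mentions, which this model leaves out.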