Cannot connect to HIVE with Secured kerberos. I am

2020-02-15 04:55发布

站内问答 / 移动开发
779 1 4 

 {
String driverName = "com.cloudera.hive.jdbc4.HS2Driver";
conf.set("hadoop.security.authentication", "kerberos");
info("Getting Connection"); 
UserGroupInformation.setConfiguration(conf);    
info("Getting Connection"); `info("Getting Connection");
UserGroupInformation.setConfiguration(conf);


UserGroupInformation.loginUserFromKeytab("****@***.***.COM","etc/****.keytab");
Class.forName(driverName); info("Getting Connection");
Connection con = DriverManager.getConnection("jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EX‌​AMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive");
info("Got Connection");
}

{ String driverName = "com.cloudera.hive.jdbc4.HS2Driver";
conf.set("hadoop.security.authentication", "kerberos"); info("Getting Connection"); UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab("****@..COM","etc/****.keytab");
Class.forName(driverName); info("Getting Connection"); Connection con =
DriverManager.getConnection("jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EX‌​AMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive"); info("Got Connection"); }

18:47:51,894 ERROR [1] Error in section Run at line unknown. An unexpected exception occurred in the script. Script section: Run. Caused by: LoginException occured. Unable to obtain Princpal Name for authentication java.sql.SQLException: [Simba]HiveJDBCDriver Error initialized or created transport for authentication: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE. at com.cloudera.hive.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source) at com.cloudera.hive.hive.api.ExtendedHS2Factory.createClient(Unknown Source) at com.cloudera.hive.hivecommon.core.HiveJDBCConnection.connect(Unknown Source) at com.cloudera.hive.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source) at com.cloudera.hive.jdbc.common.AbstractDriver.connect(Unknown Source) at java.sql.DriverManager.getConnection(DriverManager.java:582) at java.sql.DriverManager.getConnection(DriverManager.java:207) at script.run(script.java:85) at oracle.oats.scripting.modules.basic.api.IteratingVUser.run(IteratingVUser.java:351) at oracle.oats.scripting.modules.basic.api.internal.IteratingAgent.run(IteratingAgent.java:801) Caused by: com.cloudera.hive.support.exceptions.GeneralException: [Simba]HiveJDBCDriver Error initialized or created transport for authentication: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE. ... 10 more Caused by: com.cloudera.hive.support.exceptions.GeneralException: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE ... 10 more Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:733) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703) at javax.security.auth.login.LoginContext.login(LoginContext.java:575) at com.cloudera.hive.jdbc.kerberos.Kerberos.getSubjectViaTicketCache(Unknown Source) at com.cloudera.hive.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source) at com.cloudera.hive.hive.api.ExtendedHS2Factory.createClient(Unknown Source) at com.cloudera.hive.hivecommon.core.HiveJDBCConnection.connect(Unknown Source) at com.cloudera.hive.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source) at com.cloudera.hive.jdbc.common.AbstractDriver.connect(Unknown Source) at java.sql.DriverManager.getConnection(DriverManager.java:582) at java.sql.DriverManager.getConnection(DriverManager.java:207) at script.run(script.java:85) at oracle.oats.scripting.modules.basic.api.IteratingVUser.run(IteratingVUser.java:351) at oracle.oats.scripting.modules.basic.api.internal.IteratingAgent.run(IteratingAgent.java:801) at java.lang.Thread.run(Thread.java:619)

1条回答
闹够了就滚
2楼-- · 2020-02-15 05:16

Hive JDBC drivers don't use the Hadoop Auth libraries, because they are supposed to be able to connect from outside the cluster, with minimal dependencies on Hadoop libs.
So, in practise, your UGI settings are ignored.

But Hive JDBC drivers use the Thrift client libraries, which support raw JAAS configuration for Kerberos auth.

Sample use of system props on command-line:

java -Djava.security.krb5.conf=/etc/krb5.conf \
     -Djava.security.auth.login.config=./my_jaas.conf \
     *****

Sample "my_jaas.conf" to get a private Kerberos ticket (not read from cache, not written to cache) with a password provided in a keytab file:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule
    required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:/some/path/to/my_login.keytab"
  principal="my_login@MY.REALM"
  debug=true;
};

Note that the syntax above works with Sun/Oracle JDK and with OpenJDK, but not with IBM JDK which uses a different syntax...
It will not work either with the DataDirect connector (shipped with Oracle, IBM, Microstrategy etc.) which expects a specific "subject" in the conf.

And that's it. The JDBC driver will automatically invoke JAAS when it detects that the URL requests a Kerberos connection, and JAAS will handle the dirty work.

PS: debugging security configuration issues is a hassle, but you have a couple of properties to enable the debug traces:

-Dsun.security.krb5.debug=true
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)