connect to hive in a secured kerberos authenticated cluster using keytab

Problem description

I am using CDH 5.3.3 and using hive JDBC driver to connect to hive in the secured cluster. I tried to login using keytab using

UserGroupInformation.loginUserFromKeytab(lprincipal, keytabpath);

I have used the following format for hive url.

jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive

Sample code:

import java.sql.Connection;
import java.sql.DriverManager;
import org.apache.hadoop.security.UserGroupInformation;

// Authenticating Kerberos principal from the keytab (populates the JVM Subject)
System.out.println("Principal Authentication: ");
final String user = "cloudera@CLOUDERA.COM";
final String keyPath = "cloudera.keytab";
UserGroupInformation.loginUserFromKeytab(user, keyPath);
// Hive URL in the Cloudera driver's AuthMech=1 (Kerberos) form
final String url = "jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive";
Connection connection = DriverManager.getConnection(url);

The URL format is as follows:

jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive

I get the following exception; I would appreciate it if some help is provided in identifying the cause of this issue:

com.cloudera.hive.support.exceptions.GeneralException: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE

javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:800)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:671)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
at sun.reflect.NativeMethodAccessorImpl.inv

For a different cluster distribution, after adding debug, I see the following exception:

DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login
DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login commit
DEBUG org.apache.hadoop.security.UserGroupInformation: using kerberos user:null
DEBUG org.apache.hadoop.security.UserGroupInformation: using local user:UnixPrincipal: user66
DEBUG org.apache.hadoop.security.UserGroupInformation: UGI loginUser:user66 (auth:KERBEROS)
DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:user66 (auth:KERBEROS) from:org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
DEBUG org.apache.thrift.transport.TSaslTransport: opening transport org.apache.thrift.transport.TSaslClientTransport@1f20a0ab
ERROR org.apache.thrift.transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
    at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
    at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:415)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
    at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
    at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
    at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)

Recommended answer

Beware, mortal: Kerberos is just black magic. It will suck your soul away. Seriously.

Now, there is a very poorly documented way to activate the GSSAPI trace, which is your only hope of zooming in on the actual issue (probably a cryptic syntax error in a config file that GSS silently discards by default):

-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext

The original spellbook is there.
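An added example, not code from the original question or answer: a Java program that performs the keytab login the question attempts, but first sets hadoop.security.authentication=kerberos on a Hadoop Configuration and hands it to UserGroupInformation.setConfiguration before calling loginUserFromKeytab. Without that setting UGI performs a "simple" login, which is what the second trace's "using kerberos user:null" line reflects, and the later GSSAPI step finds no TGT in the JVM Subject. The principal, keytab path, HiveServer2 host and realm below are assumed placeholders; the URL uses the Apache Hive JDBC driver's principal= form, matching the org.apache.hive.jdbc.HiveDriver in the second stack trace rather than the Cloudera driver's AuthMech form in the first.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Added example (not from the original post): keytab login followed by a
 * Hive JDBC connection opened inside the logged-in UGI's security context.
 * Principal, keytab path, host and realm are assumed placeholder values.
 */
public class HiveKeytabConnect {

    // Assumed values: replace with the service principal and keytab issued to the client.
    private static final String PRINCIPAL = "svc_hive_client@EXAMPLE.COM";
    private static final String KEYTAB    = "/etc/security/keytabs/svc_hive_client.keytab";

    // Apache Hive JDBC driver form: the HiveServer2 service principal travels in the URL;
    // _HOST is replaced by the driver with the server's FQDN. Host and realm are assumed.
    private static final String URL =
        "jdbc:hive2://hs2.example.com:10000/default;principal=hive/_HOST@EXAMPLE.COM";

    /** Logs in from the keytab and fails fast if no Kerberos credentials resulted. */
    public static UserGroupInformation loginFromKeytab() throws Exception {
        Configuration conf = new Configuration();
        // Without this, UGI does a "simple" login and the debug trace shows
        // "using kerberos user:null": no TGT is placed in the Subject.
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();

        // Check the outcome instead of discovering it later as "Failed to find any Kerberos tgt".
        if (!ugi.hasKerberosCredentials()) {
            throw new IllegalStateException(
                "keytab login did not yield Kerberos credentials for " + ugi.getUserName());
        }
        return ugi;
    }

    public static void main(String[] args) throws Exception {
        UserGroupInformation ugi = loginFromKeytab();

        // Open the connection as the logged-in user so GSSAPI finds the TGT in the Subject.
        ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
            try (Connection c = DriverManager.getConnection(URL);
                 Statement s = c.createStatement();
                 ResultSet rs = s.executeQuery("SHOW DATABASES")) {
                while (rs.next()) {
                    System.out.println(rs.getString(1));
                }
            }
            return null;
        });
    }
}
```

Run it with the JVM flag from the answer above (-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext) and, if the KDC exchange itself needs inspecting, -Dsun.security.krb5.debug=true as well. Note that a UGI keytab login fills the in-process Subject only; it does not write a ticket cache file, which is worth keeping in mind when a driver reports an error whose name, like the first exception's CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE, indicates that it went looking for one.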
