Cannot connect to HIVE with Secured Kerberos. I am using UserGroupInformation.loginUserFromKeytab()


Question

{
    String driverName = "com.cloudera.hive.jdbc4.HS2Driver";
    conf.set("hadoop.security.authentication", "kerberos");
    info("Getting Connection");
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromKeytab("****@***.***.COM","etc/****.keytab");
    Class.forName(driverName);
    info("Getting Connection");
    Connection con = DriverManager.getConnection("jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive");
    info("Got Connection");
}

18:47:51,894 ERROR [1] Error in section Run at line unknown. An unexpected exception occurred in the script. Script section: Run.
Caused by: LoginException occured. Unable to obtain Princpal Name for authentication
java.sql.SQLException: [Simba]HiveJDBCDriver Error initialized or created transport for authentication: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE.
    at com.cloudera.hive.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
    at com.cloudera.hive.hive.api.ExtendedHS2Factory.createClient(Unknown Source)
    at com.cloudera.hive.hivecommon.core.HiveJDBCConnection.connect(Unknown Source)
    at com.cloudera.hive.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
    at com.cloudera.hive.jdbc.common.AbstractDriver.connect(Unknown Source)
    at java.sql.DriverManager.getConnection(DriverManager.java:582)
    at java.sql.DriverManager.getConnection(DriverManager.java:207)
    at script.run(script.java:85)
    at oracle.oats.scripting.modules.basic.api.IteratingVUser.run(IteratingVUser.java:351)
    at oracle.oats.scripting.modules.basic.api.internal.IteratingAgent.run(IteratingAgent.java:801)
Caused by: com.cloudera.hive.support.exceptions.GeneralException: [Simba]HiveJDBCDriver Error initialized or created transport for authentication: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE.
    ... 10 more
Caused by: com.cloudera.hive.support.exceptions.GeneralException: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE
    ... 10 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
    at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:733)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
    at com.cloudera.hive.jdbc.kerberos.Kerberos.getSubjectViaTicketCache(Unknown Source)
    at com.cloudera.hive.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
    at com.cloudera.hive.hive.api.ExtendedHS2Factory.createClient(Unknown Source)
    at com.cloudera.hive.hivecommon.core.HiveJDBCConnection.connect(Unknown Source)
    at com.cloudera.hive.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
    at com.cloudera.hive.jdbc.common.AbstractDriver.connect(Unknown Source)
    at java.sql.DriverManager.getConnection(DriverManager.java:582)
    at java.sql.DriverManager.getConnection(DriverManager.java:207)
    at script.run(script.java:85)
    at oracle.oats.scripting.modules.basic.api.IteratingVUser.run(IteratingVUser.java:351)
    at oracle.oats.scripting.modules.basic.api.internal.IteratingAgent.run(IteratingAgent.java:801)
    at java.lang.Thread.run(Thread.java:619)

Recommended answer

Hive JDBC drivers don't use the Hadoop Auth libraries, because they are supposed to be able to connect from outside the cluster, with minimal dependencies on Hadoop libs.
So, in practice, your UGI settings are ignored.

But Hive JDBC drivers use the Thrift client libraries, which support raw JAAS configuration for Kerberos auth.

Sample use of system props on command-line:

java -Djava.security.krb5.conf=/etc/krb5.conf \
     -Djava.security.auth.login.config=./my_jaas.conf \
     *****

Sample "my_jaas.conf" to get a private Kerberos ticket (not read from cache, not written to cache) with a password provided in a keytab file:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule
    required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:/some/path/to/my_login.keytab"
  principal="my_login@MY.REALM"
  debug=true;
};

Note that the syntax above works with Sun/Oracle JDK and with OpenJDK, but not with IBM JDK which uses a different syntax...
It will not work either with the DataDirect connector (shipped with Oracle, IBM, Microstrategy etc.) which expects a specific "subject" in the conf.

And that's it. The JDBC driver will automatically invoke JAAS when it detects that the URL requests a Kerberos connection, and JAAS will handle the dirty work.

PS: debugging security configuration issues is a hassle, but you have a couple of properties to enable the debug traces:

-Dsun.security.krb5.debug=true
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
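
A way to test the JAAS entry from the answer on its own, before any JDBC driver is involved (added example, not part of the original answer; the class name JaasKeytabCheck is an assumption). It performs the keytab login for the com.sun.security.jgss.krb5.initiate entry and prints the resulting principal and ticket, so a LoginException here points at the JAAS or krb5 configuration rather than at the Hive URL.

```java
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example: exercises the JAAS entry in isolation.
 * Run it with the same -Djava.security.krb5.conf and
 * -Djava.security.auth.login.config options as the real application.
 */
public class JaasKeytabCheck {
    // Entry name used in the sample my_jaas.conf above.
    private static final String ENTRY = "com.sun.security.jgss.krb5.initiate";

    public static void main(String[] args) {
        // Without this property the sample my_jaas.conf is never loaded.
        if (System.getProperty("java.security.auth.login.config") == null) {
            System.err.println("java.security.auth.login.config is not set");
            System.exit(2);
        }
        try {
            // doNotPrompt=true in the entry, so no CallbackHandler is passed.
            LoginContext lc = new LoginContext(ENTRY);
            lc.login();

            Subject subject = lc.getSubject();
            System.out.println("Principals: " + subject.getPrincipals());

            // The ticket obtained from the keytab lives in the private credentials.
            Set<KerberosTicket> tickets =
                    subject.getPrivateCredentials(KerberosTicket.class);
            for (KerberosTicket t : tickets) {
                System.out.println("Ticket for " + t.getClient()
                        + " issued by " + t.getServer()
                        + ", expires " + t.getEndTime());
            }
            lc.logout(); // discard the credentials once the check is done
        } catch (LoginException e) {
            // Same exception type as the root cause in the question's trace.
            System.err.println("JAAS login failed for entry " + ENTRY
                    + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```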
