Connect to Hive in a secured Kerberos-authenticated cluster using a keytab

Views: 2548

Problem description

I am using CDH 5.3.3 and using the Hive JDBC driver to connect to Hive in the secured cluster. I tried to log in using a keytab with

UserGroupInformation.loginUserFromKeytab(lprincipal, keytabpath);

I have used the following format for the Hive URL.

jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM; KrbHostFQDN=hs2.example.com;KrbServiceName=hive

Sample code:

import java.sql.Connection;
import java.sql.DriverManager;
import org.apache.hadoop.security.UserGroupInformation;

// Authenticating Kerberos principal
System.out.println("Principal Authentication: ");
final String user = "cloudera@CLOUDERA.COM";
final String keyPath = "cloudera.keytab";
UserGroupInformation.loginUserFromKeytab(user, keyPath);
// JDBC URL in the format shown above
final String url = "jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive";
Connection connection = DriverManager.getConnection(url);

The URL is in the following format:

jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM; KrbHostFQDN=hs2.example.com;KrbServiceName=hive

I get the following exception; I would appreciate some help in identifying the cause of this issue:

com.cloudera.hive.support.exceptions.GeneralException: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE

javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:800)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:671)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
at sun.reflect.NativeMethodAccessorImpl.inv

For a different distribution of the cluster, after adding debug, I see the following exception:

DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login
DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login commit
DEBUG org.apache.hadoop.security.UserGroupInformation: using kerberos user:null
DEBUG org.apache.hadoop.security.UserGroupInformation: using local user:UnixPrincipal: user66
DEBUG org.apache.hadoop.security.UserGroupInformation: UGI loginUser:user66 (auth:KERBEROS)
DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:user66 (auth:KERBEROS) from:org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
DEBUG org.apache.thrift.transport.TSaslTransport: opening transport org.apache.thrift.transport.TSaslClientTransport@1f20a0ab
ERROR org.apache.thrift.transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
    at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
    at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:415)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
    at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
    at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
    at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)

Solution

Beware, mortal: Kerberos is just black magic. It will suck your soul away. Seriously.

Now, there is a very poorly documented way to activate the GSSAPI trace, which is your only hope of zooming in on the actual issue (probably a cryptic syntax error in a config file that GSS silently discards by default):

-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext

The original book of spells is there.
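Added example (not part of the question or the answer): a small Java driver that performs the keytab login from the question with the checks I would put in front of the JDBC connect, so that a Kerberos login that did not take effect is reported at the login step instead of as the SASL "Failed to find any Kerberos tgt" error further down. It assumes the Hadoop UserGroupInformation API the question already uses; the principal, keytab path and URL are the question's values and are placeholders.

```java
import java.io.File;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

public class KeytabHiveLogin {
    // Placeholders taken from the question; substitute your own principal, keytab path and URL.
    static final String PRINCIPAL = "cloudera@CLOUDERA.COM";
    static final String KEYTAB = "cloudera.keytab";
    static final String URL = "jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;"
            + "KrbHostFQDN=hs2.example.com;KrbServiceName=hive";

    public static void main(String[] args) throws Exception {
        // 1. Mark the cluster as Kerberized; otherwise loginUserFromKeytab() returns without logging in.
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        if (!UserGroupInformation.isSecurityEnabled()) {
            throw new IllegalStateException("hadoop.security.authentication is not kerberos");
        }

        // 2. Fail on an unreadable keytab here rather than deep inside the JDBC driver.
        File keytab = new File(KEYTAB);
        if (!keytab.canRead()) {
            throw new IOException("keytab not readable: " + keytab.getAbsolutePath());
        }
        UserGroupInformation.loginUserFromKeytab(PRINCIPAL, keytab.getAbsolutePath());

        // 3. Check what UGI logged in as; the question's "using kerberos user" debug line comes from this step.
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        if (ugi.getAuthenticationMethod() != AuthenticationMethod.KERBEROS
                || !ugi.hasKerberosCredentials() || !ugi.isFromKeytab()) {
            throw new IllegalStateException("Kerberos login did not take effect for " + ugi);
        }

        // 4. Connect inside the logged-in Subject so the driver's GSSAPI negotiation finds the keytab TGT.
        Connection connection = ugi.doAs(new PrivilegedExceptionAction<Connection>() {
            public Connection run() throws Exception {
                return DriverManager.getConnection(URL);
            }
        });
        System.out.println("Connected as " + ugi.getUserName() + ": " + !connection.isClosed());
        connection.close();
    }
}
```

The java.security.debug flags from the answer are read at JVM start-up, so they still go on the java command line rather than into this code.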
