Cannot connect to HIVE with Secured kerberos. I am using UserGroupInformation.loginUserFromKeytab()


Problem description

{
    String driverName = "com.cloudera.hive.jdbc4.HS2Driver";
    conf.set("hadoop.security.authentication", "kerberos");
    info("Getting Connection");
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromKeytab("****@***.***.COM", "etc/****.keytab");
    Class.forName(driverName);
    info("Getting Connection");
    Connection con = DriverManager.getConnection("jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive");
    info("Got Connection");
}



18:47:51,894 ERROR [1] Error in section Run at line unknown. An unexpected exception occurred in the script. Script section: Run. Caused by: LoginException occured. Unable to obtain Princpal Name for authentication
java.sql.SQLException: [Simba]HiveJDBCDriver Error initialized or created transport for authentication: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE.
    at com.cloudera.hive.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
    at com.cloudera.hive.hive.api.ExtendedHS2Factory.createClient(Unknown Source)
    at com.cloudera.hive.hivecommon.core.HiveJDBCConnection.connect(Unknown Source)
    at com.cloudera.hive.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
    at com.cloudera.hive.jdbc.common.AbstractDriver.connect(Unknown Source)
    at java.sql.DriverManager.getConnection(DriverManager.java:582)
    at java.sql.DriverManager.getConnection(DriverManager.java:207)
    at script.run(script.java:85)
    at oracle.oats.scripting.modules.basic.api.IteratingVUser.run(IteratingVUser.java:351)
    at oracle.oats.scripting.modules.basic.api.internal.IteratingAgent.run(IteratingAgent.java:801)
Caused by: com.cloudera.hive.support.exceptions.GeneralException: [Simba]HiveJDBCDriver Error initialized or created transport for authentication: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE.
    ... 10 more
Caused by: com.cloudera.hive.support.exceptions.GeneralException: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE
    ... 10 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
    at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:733)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
    at com.cloudera.hive.jdbc.kerberos.Kerberos.getSubjectViaTicketCache(Unknown Source)
    at com.cloudera.hive.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
    at com.cloudera.hive.hive.api.ExtendedHS2Factory.createClient(Unknown Source)
    at com.cloudera.hive.hivecommon.core.HiveJDBCConnection.connect(Unknown Source)
    at com.cloudera.hive.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
    at com.cloudera.hive.jdbc.common.AbstractDriver.connect(Unknown Source)
    at java.sql.DriverManager.getConnection(DriverManager.java:582)
    at java.sql.DriverManager.getConnection(DriverManager.java:207)
    at script.run(script.java:85)
    at oracle.oats.scripting.modules.basic.api.IteratingVUser.run(IteratingVUser.java:351)
    at oracle.oats.scripting.modules.basic.api.internal.IteratingAgent.run(IteratingAgent.java:801)
    at java.lang.Thread.run(Thread.java:619)

Recommended answer

Hive JDBC drivers don't use the Hadoop Auth libraries, because they are supposed to be able to connect from outside the cluster, with minimal dependencies on Hadoop libs.
So, in practice, your UGI settings are ignored.

But Hive JDBC drivers use the Thrift client libraries, which support raw JAAS configuration for Kerberos auth.

Sample use of system props on command-line:

java -Djava.security.krb5.conf=/etc/krb5.conf \
     -Djava.security.auth.login.config=./my_jaas.conf \
     *****

Sample "my_jaas.conf" to get a private Kerberos ticket (not read from cache, not written to cache) with a password provided in a keytab file:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule
    required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:/some/path/to/my_login.keytab"
  principal="my_login@MY.REALM"
  debug=true;
};

Note that the syntax above works with Sun/Oracle JDK and with OpenJDK, but not with IBM JDK which uses a different syntax...
It will not work either with the DataDirect connector (shipped with Oracle, IBM, Microstrategy etc.) which expects a specific "subject" in the conf.

And that's it. The JDBC driver will automatically invoke JAAS when it detects that the URL requests a Kerberos connection, and JAAS will handle the dirty work.

PS: debugging security configuration issues is a hassle, but you have a couple of properties to enable the debug traces:

-Dsun.security.krb5.debug=true
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
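
A pre-flight check for the "my_jaas.conf" entry shown in the answer, as an added example that is not part of the original answer: it parses the JAAS file and reports settings that differ from the answer's keytab-only login, plus a keytab that is missing or accessible to other accounts. The function names and the permission check are assumptions of this example, and it handles one login module per entry.

```python
import os
import re
import stat

# Constructed sample: the answer's entry, unchanged (the keytab path is its placeholder).
SAMPLE = """
com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule
    required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:/some/path/to/my_login.keytab"
  principal="my_login@MY.REALM"
  debug=true;
};
"""

ENTRY_RE = re.compile(r"([\w.\-]+)\s*\{(.*?)\}\s*;", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')
# Settings the answer uses for a private, keytab-only login.
EXPECTED = {"useKeyTab": "true", "useTicketCache": "false", "doNotPrompt": "true"}


def parse_jaas(text):
    """Return {entry_name: {option: value}}; assumes one login module per entry."""
    text = re.sub(r"(?m)^\s*//.*$", "", text)  # drop whole-line comments
    return {name: {k: v.strip('"') for k, v in OPTION_RE.findall(body)}
            for name, body in ENTRY_RE.findall(text)}


def lint_entry(opts):
    """Return findings for one Krb5LoginModule entry; an empty list means it passes."""
    findings = []
    for key, want in EXPECTED.items():
        if opts.get(key, "").lower() != want:
            findings.append(f"{key} should be {want}, found {opts.get(key)!r}")
    if not opts.get("principal"):
        findings.append("principal is not set")
    keytab = opts.get("keyTab", "")
    path = keytab[len("file:"):] if keytab.startswith("file:") else keytab
    if not path:
        findings.append("keyTab is not set")
    elif not os.path.isfile(path):
        findings.append(f"keytab not found: {path}")
    # A keytab holds the principal's long-term keys: only the owner should read it.
    elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append(f"keytab accessible to group/other: {path}")
    return findings
```

Run `lint_entry` on each entry returned by `parse_jaas` for the file passed in `-Djava.security.auth.login.config`, before starting the JVM.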
