Antoine
Reputation: 354
Beeline query with SSL (Hive missconfiguration ? )
I am triying on a cluster that have Kerberos to make a beeline query works :
beeline -u "jdbc:hive2://server_hive.server.lan:10000/default;principal=hive/[email protected];AuthMech=1;ssl=true;sslTrustStore=/opt/cloudera/security/jks/cm.truststore;trustStorePassword=XXXXX" -e "show databases"
But I get this error :
Connecting to jdbc:hive2://server_hive.server.lan:10000/default;principal=hive/[email protected];AuthMech=1;ssl=true;sslTrustStore=/opt/cloudera/security/jks/cm.truststore;trustStorePassword=XXXXX
Unknown HS2 problem when communicating with Thrift server.
Error: Could not open client transport with JDBC Uri: jdbc:hive2://server_hive.server.lan:10000/default;principal=hive/[email protected];AuthMech=1;ssl=true;sslTrustStore=/opt/cloudera/security/jks/cm.truststore;trustStorePassword=XXXXX: Peer indicated failure: GSS initiate failed (state=08S01,code=0)
No current connection
I really don't know what's wrong. it's working on an other cluster, but not on this one. The Hive log say that :
[HiveServer2-Handler-Pool: Thread-43]: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)]
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:199)
at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:793)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:790)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1776)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:790)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167)
... 14 more
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
... 17 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:91)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:100)
... 23 more
May 18, 2:28:08.319 PM ERROR org.apache.thrift.server.TThreadPoolServer
[HiveServer2-Handler-Pool: Thread-43]: Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:793)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:790)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1776)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:790)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
... 10 more
What could generate the checksum failed please ?
Upvotes: 3
Views: 6929
Answers (2)
PSR
Reputation: 7
can you please do as follow
- enter
beeline in bash
- enter
!connect jdbc:hive2://server_hive.server.lan:10000/;principal=hive/[email protected]
to see it is asking for username please
Upvotes: 0
Antoine
Reputation: 354
Ok, after some research, an hive load balancer was set. so when a load balancer is set, it listen only to the virtual IP and you can't no more ask directly to the Hive server.
So if you set the Virtual IP, you have to query the VIP, no other hosts.
Or you have to remove the VIP to be able to query directly the Hives servers.
Upvotes: 2
Related Questions
- Cannot connect to hive using beeline, user root cannot impersonate anonymous
- Unable to connect hive jdbc through beeline
- Connecting to Hive using Beeline
- Beeline cannot connect to HiveServe2 with NOSASL authentication mode ( old client )
- Cannot connect to beeline hive2
- Hive Server2,Beeline not able to understand
- query works in Hive 1.x but not in beeline
- how to query from Beeline without authentication
- Beeline not able to run the hivescript in the kerberized cluster
- Connecting to Hive via Beeline using Kerberos keytab