Explorer
Posts: 12
Registered: ‎03-12-2018

How to connect hiveserver2 through beeline with OpenLdap auth on a kerberized cluster

Hi,

I have deployed CDH5.5.0 without Cloudera Manager, and I have integrated Kerberos on my cluster. I deployed zk, hdfs, yarn, hive and sentry.

I want to use OpenLDAP to manage users/groups, so I integrated LDAP in core-site.xml.

But when I use LDAP to auth Hive on my kerberized cluster, I cannot connect to hiveserver2.

Here is my configuration:

   
<property>
  <name>hive.server2.authentication</name>
  <value>LDAP</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.url</name>
  <value>ldap://172.21.3.64</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.baseDN</name>
  <value>ou=People,dc=e3base,dc=com</value>
</property>


And my beeline command is: beeline -u "jdbc:hive2://xardc4:15002/default;" -n "uid=e3base,ou=People,dc=e3base,dc=com" -p e3base

The hiveserver2 log:


2018-05-04 14:59:35,073 ERROR [HiveServer2-Handler-Pool: Thread-23]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: PLAIN auth failed: Authentication failed: User search failed [Caused by javax.security.sasl.AuthenticationException: Authentication failed: User search failed]
        at org.apache.hadoop.security.SaslPlainServer.evaluateResponse(SaslPlainServer.java:108)
        at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:724)
Caused by: javax.security.sasl.AuthenticationException: Authentication failed: User search failed
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:183)
        at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
        at org.apache.hadoop.security.SaslPlainServer.evaluateResponse(SaslPlainServer.java:103)
        ... 8 more

When I configure my cluster with no Kerberos and only integrate OpenLDAP to auth hiveserver2, I can connect to hiveserver2 successfully.

I don't know why.

Can anyone help me? Thanks!
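
Added example, not part of the original post or of Hive itself: a small Python triage of the stack trace quoted above. It reports which SASL path the server used and which class threw the innermost exception; for this trace that is PLAIN and `LdapAuthenticationProviderImpl`, so the credentials reached the LDAP provider and the user lookup failed there. The function name `triage` and the embedded sample (trimmed from the quoted log) are assumptions of this example.

```python
import re

# Trimmed copy of the HiveServer2 trace quoted in the post (some frames omitted).
SAMPLE_LOG = """\
2018-05-04 14:59:35,073 ERROR [HiveServer2-Handler-Pool: Thread-23]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: PLAIN auth failed: Authentication failed: User search failed [Caused by javax.security.sasl.AuthenticationException: Authentication failed: User search failed]
        at org.apache.hadoop.security.SaslPlainServer.evaluateResponse(SaslPlainServer.java:108)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
Caused by: javax.security.sasl.AuthenticationException: Authentication failed: User search failed
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:183)
        at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
        ... 8 more
"""

TS = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} ")
EVENT = re.compile(r"^(\S+ \S+) ERROR .* - SASL negotiation failure$")
EXC = re.compile(r"^(?:Caused by: )?([\w.$]+): (.*)$")
FRAME = re.compile(r"^\s+at ([\w.$]+)\.[\w$<>]+\(")

def triage(log_text):
    """Return one dict per 'SASL negotiation failure' event in log_text."""
    events, cur = [], None
    for line in log_text.splitlines():
        if TS.match(line):
            # A timestamped line starts a new log record and ends any open trace.
            m = EVENT.match(line)
            cur = {"time": m.group(1), "mechanism": None,
                   "root_cause": None, "origin": None} if m else None
            if cur:
                events.append(cur)
        elif cur is None:
            continue
        elif m := EXC.match(line):
            # Each exception header overwrites the last, so the innermost wins.
            cur["root_cause"] = f"{m.group(1)}: {m.group(2)}"
            cur["origin"] = None  # the next frame is where this one was thrown
        elif m := FRAME.match(line):
            if m.group(1).endswith(".SaslPlainServer"):
                cur["mechanism"] = "PLAIN"  # username/password SASL path
            if cur["origin"] is None:
                cur["origin"] = m.group(1)
    return events

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e)
```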

Cloudera Employee
Posts: 279
Registered: ‎03-23-2015

Re: How to connect hiveserver2 through beeline with OpenLdap auth on a kerberized cluster

After kerberizing Hive, the connection string needs to become:

jdbc:hive2://xardc4:15002/default;principal=hive/<hiveserver2-domain>@REAL

Please give it a try.