Reply
New Contributor
Posts: 2
Registered: ‎06-14-2018

Peer indicated failure: GSS initiate failed(feat.kerberos)

[ Edited ]

 hi! I'm trying to connect from Java to hive.  but I keep getting errors...T_T

This is an error message

java.sql.SQLException: Could not open client transport with JDBC Uri: jdbc:hive2://quickstart.cloudera:10000/default;principal=cloudera/127.0.0.1@CLOUDERA: Peer indicated failure: GSS initiate failed

 

This is my Java code

 

public class KerberosClouderaHiveJdbcExample {
// here is an example query based on one of the Hue Beeswax sample tables
private static final String SQL_STATEMENT = "show databases";
// set the impalad host
private static final String HIVE_HOST = "quickstart.cloudera";

private static final String PRINCIPAL = "cloudera/127.0.0.1@CLOUDERA";

// port 21050 is the default impalad JDBC port
private static final String HIVE_JDBC_PORT = "10000";
private static final String CONNECTION_URL = "jdbc:hive2://" + HIVE_HOST
+ ':' + HIVE_JDBC_PORT + "/default" + ";principal=" + PRINCIPAL;
private static final String JDBC_DRIVER_NAME = "org.apache.hive.jdbc.HiveDriver";
private static final String HIVE_USERNAME = "cloudera";
private static final String HIVE_PASSWORD = "";

public static void main(String[] args) {
System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
//System.setProperty("sun.security.krb5.realm", "/etc/krb5.ini");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");


System.out.println("\n=============================================");
System.out.println("Cloudera hive JDBC Example");
//System.out.println("Using Connection URL: " + CONNECTION_URL);
System.out.println("Running Query: " + SQL_STATEMENT);
Connection con = null;

Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos");
conf.set("hadoop.security.authorization", "true");
UserGroupInformation.setConfiguration(conf);

// /etc/security/keytab/hive.service.keytab is from local machine, This is the user which is executing the command
try {
UserGroupInformation.loginUserFromKeytab("cloudera/127.0.0.1@CLOUDERA", "/etc/security/cloudera.keytab");
Class.forName(JDBC_DRIVER_NAME);

//con = DriverManager.getConnection(CONNECTION_URL, HIVE_USERNAME, HIVE_PASSWORD);
con = DriverManager.getConnection("jdbc:hive2://quickstart.cloudera:10000/default;principal=cloudera/127.0.0.1@CLOUDERA");
Statement stmt = con.createStatement();

ResultSet rs = stmt.executeQuery(SQL_STATEMENT);
System.out.println("\n== Begin Query Results ======================");

// print the results to the console
while (rs.next()) {
// the example query returns one String column
System.out.println(rs.getString(1));
}
System.out.println("== End Query Results =======================\n\n");
} catch (SQLException e) {
e.printStackTrace();
} catch (Exception e) {
e.printStackTrace();
} finally {
try {
con.close();
} catch (Exception e) {
// swallow
}
}
}

}

 

and I will attach additional console messages

=============================================
Cloudera hive JDBC Example
Using Connection URL: jdbc:hive2://quickstart.cloudera:10000/default;principal=cloudera/127.0.0.1@CLOUDERA
Running Query: show databases
log4j:WARN No appenders could be found for logger (org.apache.hadoop.metrics2.lib.MutableMetricsFactory).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Java config name: /etc/krb5.conf
Loaded from Java config
Java config name: /etc/krb5.conf
Loaded from Java config
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): CLOUDERA
>>> KeyTabInputStream, readName(): cloudera
>>> KeyTabInputStream, readName(): 127.0.0.1
>>> KeyTab: load() entry length: 62; type: 23
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=quickstart.cloudera TCP:88, timeout=3000, number of retries =3, #bytes=140
>>> KDCCommunication: kdc=quickstart.cloudera TCP:88, timeout=3000,Attempt =1, #bytes=140
>>>DEBUG: TCPClient reading 625 bytes
>>> KrbKdcReq send: #bytes read=625
>>> KdcAccessibility: remove quickstart.cloudera
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply cloudera/127.0.0.1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
Found ticket for cloudera/127.0.0.1@CLOUDERA to go to krbtgt/CLOUDERA@CLOUDERA expiring on Fri Jun 15 17:54:22 KST 2018
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=quickstart.cloudera TCP:88, timeout=3000, number of retries =3, #bytes=626
>>> KDCCommunication: kdc=quickstart.cloudera TCP:88, timeout=3000,Attempt =1, #bytes=626
>>>DEBUG: TCPClient reading 627 bytes
>>> KrbKdcReq send: #bytes read=627
>>> KdcAccessibility: remove quickstart.cloudera
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 519947708
Created InitSecContextToken:
0000: 01 00 6E 82 02 2F 30 82 02 2B A0 03 02 01 05 A1 ..n../0..+......
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 01 ......... ......
0020: 4D 61 82 01 49 30 82 01 45 A0 03 02 01 05 A1 0A Ma..I0..E.......
0030: 1B 08 43 4C 4F 55 44 45 52 41 A2 20 30 1E A0 03 ..CLOUDERA. 0...
0040: 02 01 00 A1 17 30 15 1B 08 63 6C 6F 75 64 65 72 .....0...clouder
0050: 61 1B 09 31 32 37 2E 30 2E 30 2E 31 A3 82 01 0E a..127.0.0.1....
0060: 30 82 01 0A A0 03 02 01 17 A1 03 02 01 01 A2 81 0...............
0070: FD 04 81 FA E2 AB 95 9D 34 D6 85 EE E1 56 3E 6C ........4....V>l
0080: 1E 03 9D 9E BA 7D AD 9B 29 04 F0 F1 8A 80 54 4A ........).....TJ
0090: 68 D0 AE A1 EC CE 8F 3C 90 0F C7 1D B6 EC 69 FD h......<......i.
00A0: C5 07 77 EE D3 5A FB E7 22 84 7D 46 F3 CE 48 45 ..w..Z.."..F..HE
00B0: AD 0E 9B 45 25 8B 5F 00 F0 B2 C7 6A D5 23 57 D6 ...E%._....j.#W.
00C0: 41 34 CE 61 A7 F3 C4 A7 D9 8F 10 49 E4 F0 A9 8C A4.a.......I....
00D0: 01 FD 47 8B D8 69 4A EE 32 52 0E D0 F9 F4 1C F2 ..G..iJ.2R......
00E0: A2 8C 41 6B 72 2D A3 72 D1 65 F2 C6 66 17 39 55 ..Akr-.r.e..f.9U
00F0: CC BA A2 78 C7 67 01 FD F1 7F 08 71 FF 8C 76 FB ...x.g.....q..v.
0100: 01 F0 E1 5C 43 FF DF 9F 67 AB FB 4B 3B 22 0A CB ...\C...g..K;"..
0110: 04 F7 C4 96 6B D1 59 29 E8 3F 9D 7D BA 98 08 55 ....k.Y).?.....U
0120: 5A D4 AB D4 1A 5A 0B C7 AF AF 56 DE 76 CD 55 0F Z....Z....V.v.U.
0130: 8C F9 CE D3 38 31 42 2E 97 3B 9F B2 B7 12 E7 C5 ....81B..;......
0140: B2 3B 81 4E 02 68 3D F5 65 85 E0 AE 0F 17 5A 72 .;.N.h=.e.....Zr
0150: 4B 0F 5A D8 C8 95 70 1C 5C 6A 9C 34 79 EE 8E 36 K.Z...p.\j.4y..6
0160: FA CF EF 33 A7 DC 22 9C 3E FE A5 93 C4 BB A4 81 ...3..".>.......
0170: C4 30 81 C1 A0 03 02 01 17 A2 81 B9 04 81 B6 6D .0.............m
0180: B1 72 45 75 0A 1B AB 37 05 7A 11 10 29 FC 72 DA .rEu...7.z..).r.
0190: 18 44 F6 D5 E7 81 15 43 69 57 47 70 6A 14 AC 70 .D.....CiWGpj..p
01A0: A3 CE 28 55 3B 00 48 E6 DC E6 F1 9A 19 FB 1B 5E ..(U;.H........^
01B0: 17 C2 4C 0E BE B6 F5 A3 33 C5 5F 28 19 8F DA EF ..L.....3._(....
01C0: D0 2F 1C 2B BA 92 0E DE FE C2 DA 13 55 AF 80 FF ./.+........U...
01D0: E0 92 F6 1C D7 D3 51 CA E4 3E 54 21 B3 B1 05 99 ......Q..>T!....
01E0: 66 5D CC D9 5B FF F9 B6 31 17 E6 98 A5 4E 3D 19 f]..[...1....N=.
01F0: 5B 6D 8A 8C 56 84 8A CA 3C B2 B7 4B 4D 79 60 CB [m..V...<..KMy`.
0200: FA BA 63 22 50 19 05 D9 D2 EB FA FD 8B 7F 2F 05 ..c"P........./.
0210: 77 01 32 60 3B 1F 36 3E C3 45 A9 01 B5 3C 93 6F w.2`;.6>.E...<.o
0220: AC CA DB ED 8E 9D E0 AA 2B 92 2E F0 B5 CB E6 A6 ........+.......
0230: 0E 98 E6 24 17 ...$.

java.sql.SQLException: Could not open client transport with JDBC Uri: jdbc:hive2://quickstart.cloudera:10000/default;principal=cloudera/127.0.0.1@CLOUDERA: Peer indicated failure: GSS initiate failed
at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:231)
at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:176)
at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:105)
at java.sql.DriverManager.getConnection(DriverManager.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:233)
at com.kerberos.test.KerberosConn.KerberosClouderaHiveJdbcExample.main(KerberosClouderaHiveJdbcExample.java:53)
Caused by: org.apache.thrift.transport.TTransportException: Peer indicated failure: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:199)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:277)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:204)
... 5 more

 

I was wondering if the maturity dates and keytab dates I checked with klists are different

11.PNGThank you fro your reply! 

 

Highlighted
Cloudera Employee
Posts: 294
Registered: ‎03-23-2015

Re: Peer indicated failure: GSS initiate failed(feat.kerberos)

quickstart.cloudera is not matching with 127.0.0.1, what's the principal name used for Hive's keytab file? The host name need to match with the one defined in the principal.

Try to make principal as cloudera/quickstart.cloudera@ CLOUDERA instead of using IP address.
Announcements