I have a kerberized hadoop cluster. Installed knox in kubernetes container with its keytab. Configured knox topology with shiro provider and ldap authentication. I'm able to access webhdfs fine with ldap credentials but Hive is failing with HTTP 401 error. Knox is configured with self-signed cert and hive is not configured with SSL. topology.xml -- Configured with shiro provider and ldap info <service> <role>WEBHDFS</role> <url>http://name1_hostname:50070/webhdfs</url> <url>http://name12_hostname:50070/webhdfs</url> </service> <service> <role>HIVE</role> <url>http://<host_name>:10004/cliservice</url> <param> <name>replayBufferSize</name> <value>8</value> </param> </service> Configured hive-site.xml with below configs in HS2 host hive.server2.thrift.http.port = 10004 hive.server2.thrift.http.path = cliservice hive.server2.transport.mode = http hive.server2.allow.user.substitution = true Configured core-site.xml with below configs in Namenode hosts and HS2 host hadoop.proxyuser.knox.groups = * hadoop.proxyuser.knox.hosts = * hadoop.proxyuser.hive.hosts = * hadoop.proxyuser.hive.groups = * Hive beeline string beeline -u "jdbc:hive2://Knox-hostname:8443/;ssl=true;sslTrustStore=/tmp/gateway.jks;trustStorePassword=knoxpass;transportMode=http;httpPath=gateway/default/hive" -n <username> -p<password> ERROR jdbc.HiveConnection: Error opening session org.apache.thrift.transport.TTransportException: HTTP Response code: 401 at org.apache.thrift.transport.THttpClient.flushUsingHttpClient(THttpClient.java:262) ~[hive-exec-2.3.6.jar:2.3.6] at org.apache.thrift.transport.THttpClient.flush(THttpClient.java:313) ~[hive-exec-2.3.6.jar:2.3.6] In hiveserver2.log 2024-03-15T19:28:32,967 ERROR [HiveServer2-HttpHandler-Pool: Thread-363] thrift.ThriftHttpServlet: Failed to authenticate with hive/_HOST kerberos principal 2024-03-15T19:28:32,967 ERROR [HiveServer2-HttpHandler-Pool: Thread-363] thrift.ThriftHttpServlet: Error: org.apache.hive.service.auth.HttpAuthenticationException: java.lang.reflect.UndeclaredThrowableException at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:407) ~[hive-service-2.3.6.jar:2.3.6] Caused by: org.apache.hive.service.auth.HttpAuthenticationException: Authorization header received from the client is empty. at org.apache.hive.service.cli.thrift.ThriftHttpServlet.getAuthHeader(ThriftHttpServlet.java:548) ~[hive-service-2.3.6.jar:2.3.6] at org.apache.hive.service.cli.thrift.ThriftHttpServlet.access$100(ThriftHttpServlet.java:74) ~[hive-service-2.3.6.jar:2.3.6] Caused by: org.apache.hive.service.auth.HttpAuthenticationException: Kerberos authentication failed: at org.apache.hive.service.cli.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:463) ~[hive-service-2.3.6.jar:2.3.6] Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:858) ~[?:1.8.0_352] at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_352] Am I missing anything? Any help is appreciated and thanks in advance!
... View more
