Unable to configure hive to use ldap auth

florianc — Wed, 24 Jun 2020 13:24:24 GMT

Environment

HDP-3.1.0.0

Hive

3.0.0.3.1

Context

I am trying to configure hive to use LDAP (AD). But hiveserver2 throws errors when restarted. Similar errors are visible when connecting to beeline.

Configuration

hive-site.xml (truncated)

<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> <property> <name>hive.server2.enable.doAs</name> <value>false</value> </property> <property> <name>hive.server2.authentication</name> <value>LDAP</value> </property> <property> <name>hive.server2.authentication.ldap.baseDN</name> <value>DC=MYDC,DC=MYDC</value> </property> <property> <name>hive.server2.authentication.ldap.Domain</name> <value>DOMAIN</value> </property> <property> <name>hive.server2.authentication.ldap.url</name> <value>ldap:node:port</value> </property> </configuration>

Errors

In hiveserver2.log

2020-06-24T07:04:49,054 ERROR [HiveServer2-Handler-Pool: Thread-60]: transport.TSaslTransport (:()) - SASL negotiation failure javax.security.sasl.SaslException: Error validating the login
        at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:110) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_112]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_112]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112] Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user
        at org.apache.hive.service.auth.ldap.LdapSearchFactory.getInstance(LdapSearchFactory.java:48) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.createDirSearch(LdapAuthenticationProviderImpl.java:92) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:72) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:107) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:103) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        ... 8 more Caused by: javax.naming.InvalidNameException: Invalid name: node:port
        at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111) ~[?:1.8.0_112]
        at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:70) ~[?:1.8.0_112]
        at javax.naming.ldap.LdapName.parse(LdapName.java:785) ~[?:1.8.0_112]
        at javax.naming.ldap.LdapName.<init>(LdapName.java:123) ~[?:1.8.0_112]
        at com.sun.jndi.ldap.ServiceLocator.mapDnToDomainName(ServiceLocator.java:72) ~[?:1.8.0_112]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) ~[?:1.8.0_112]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_112]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_112]
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_112]
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_112]
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_112]
        at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_112]
        at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[?:1.8.0_112]
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[?:1.8.0_112]
        at org.apache.hive.service.auth.ldap.LdapSearchFactory.createDirContext(LdapSearchFactory.java:62) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.ldap.LdapSearchFactory.getInstance(LdapSearchFactory.java:44) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.createDirSearch(LdapAuthenticationProviderImpl.java:92) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:72) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:107) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:103) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        ... 8 more 2020-06-24T07:04:49,063 ERROR [HiveServer2-Handler-Pool: Thread-60]: server.TThreadPoolServer (:())
- Error occurred during processing of message. java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Error validating the login
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_112]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_112]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112] Caused by: org.apache.thrift.transport.TTransportException: Error validating the login
        at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]

When running the beeline command

SLF4J: Class path contains multiple SLF4J bindings. 

SLF4J: Found binding in [jar:file:/usr/hdp/3.1.0.0-78/hive/lib/log4j-slf4j-impl-2.10.0.jar!/org/slf4j/impl/StaticLoggerBinder.class] 

SLF4J: Found binding in [jar:file:/usr/hdp/3.1.0.0-78/hadoop/lib/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class] 

SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation. 

SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory] 

Connecting to jdbc:hive2://sgdcdlk25.xxx.loc:2181,sgdcdlk26.xxx.loc:2181,sgdcdlk24.xxx.loc:2181/default;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2 

Enter username for jdbc:hive2://sgdcdlk25.x.loc:2181,sgdcdlk26.xxx.loc:2181,sgdcdlk24.xxx.loc:2181/default: castelainf 

Enter password for jdbc:hive2://sgdcdlk25.xxx.loc:2181,sgdcdlk26.xxx.loc:2181,sgdcdlk24.xxx.loc:2181/default: ****************** 

20/06/24 08:08:10 [main]: WARN jdbc.HiveConnection: Failed to connect to sgdcdlk26.xxx.loc:10000 

20/06/24 08:08:10 [main]: ERROR jdbc.Utils: Unable to read HiveServer2 configs from ZooKeeper 

Unknown HS2 problem when communicating with Thrift server. 

Error: Could not open client transport for any of the Server URI's in ZooKeeper: Peer indicated failure: Error validating the login (state=08S01,code=0) 

Beeline version 3.1.0.3.1.0.0-78 by Apache Hive 

beeline>

Re: Unable to configure hive to use ldap auth

florianc — Tue, 07 Jul 2020 07:42:00 GMT

The error was on LDAP url.

I put ldap://host:port

But it should be : ldaps://host

question Unable to configure hive to use ldap auth in Support Questions

Unable to configure hive to use ldap auth

Re: Unable to configure hive to use ldap auth