01-31-2018 02:54 PM
I have LDAP setup for Hive and Hue both are working but they are sending passwords as clear text. So I am working on getting SSL setup for HiveServer2 as it looks like someone prior to me setup ssl for hue already. (If there is another option out there besides SSL I am open to that too)
We are running CDH 5.12.x and I followed these directions to a "T" and I am getting the following error on the Hive editor in Hue. Now I am not sure if this is something I did wrong when generating the keystore or if there is some kind of conflict with Hue ssl.
Another question I have is how can I test connecting to hive via beeline/jdbc to verify it's one or the other?
02-01-2018 07:30 AM
I am a Hive engineer so I am not quite certain of the HUE side settings but like you said the first step should be to narrow down if it is a hive-side or a hue-side issue. Testing from Beeline makes sense to ensure that hive-side settings are good.
To beeline JDBC URL, you can add the TrustStore localtion and credentials for it to use SSL connection. Something like this
beeline -u "jdbc:hive2://<HS2HostFQN>:10000/default;ssl=true;sslTrustStore=/etc/cdep-ssl-conf/signer/truststore.jks;sslTrustPassword=<pwd>;principal=<user>"
Let me know what you find. Thanks
02-01-2018 09:13 AM
I tried connecting to beeline through JDBC but no luck but I do have one question, what is the principal flag? Is that for Kerberos if so we are not using Kerberos just LDAP.
I get this error:
Unknown HS2 problem when communicating with Thrift server.
Error: Could not open client transport with JDBC Uri: jdbc:hive2://hiveserverhost:10000/default: Invalid status 21 (state=08S01,code=0)
I am also seeing this error over and over in the hiveserver2 logs
[HiveServer2-Handler-Pool: Thread-41]: Error occurred during processing of message. java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:129) at org.apache.thrift.transport.TTransport.readAll(TTransport.java:86) at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:178) at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125) at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271) at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ... 4 more Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928) at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) at java.io.BufferedInputStream.read1(BufferedInputStream.java:286) at java.io.BufferedInputStream.read(BufferedInputStream.java:345) at org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:127) ... 10 more Caused by: java.io.EOFException: SSL peer shut down incorrectly at sun.security.ssl.InputRecord.read(InputRecord.java:505) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ... 17 more
02-01-2018 11:27 AM
the principal is the username that will be passed thru to HS2 for authentication (in your case, user to be authenticated against LDAP). This will be the same user that the jobs will run as in yarn/MR (if impersonation is turned on in Hive).
It is not the kerberos-related. It is equivalent to -n command option for beeline. Hope this helps.
02-01-2018 11:57 AM
Thanks @NaveenGangam for clearifying but still can't connect.
I am trying to go over this how to document and I have two questions:
In step 6 in the yellow box it says repeat this process on each host in the cluster: does this mean do steps 1-7 on every host in the cluster? or just the hive cluster? If we have 3 nodes would I need to create a unique keystore for each host or create one an copy it to each host?