
Accessing Hive JDBC/webHDFS through Knox in secured cluster (kerberos)

Expert Contributor


I am trying to access hive JDBC through Knox in a secured cluster (kerberos). When accessing them directly, it works fine.

I am able to connect with hiveserver directly in HTTP mode, passing in the Kerberos principal and creating a Kerberos ticket:

beeline -u 'jdbc:hive2://<hive_server>:10001/;transportMode=http;httpPath=cliservice;principal=hive/_HOST@DEV.COM'

and access WEBHDFS fine directly connecting to namenode:

curl -i --negotiate -u : 'http://<namenode>:50070/webhdfs/v1/?op=LISTSTATUS'

Going through Knox gateway (using sample LDAP for simplicity), I get:

curl -iku guest:guest-password -X GET 'https://<knox_gateway>:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS'

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 401 Authentication required</title>
</head><body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /webhdfs/v1/. 

Reason:<pre>    Authentication required</pre></p><hr/><i><small>Powered by Jetty://</small></i><br/>   

In gateway-audit I do see the request getting translated to the actual internal request, but it's returning 401.

audit|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|unavailable|Request method: GET
audit|WEBHDFS|guest|||authentication|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Groups: []
audit|WEBHDFS|guest|||dispatch|uri|http://<name_node>:50070/webhdfs/v1/?op=LISTSTATUS&doAs=guest|unavailable|Request method: GET
audit|WEBHDFS|guest|||dispatch|uri|http://<name_node>:50070/webhdfs/v1/?op=LISTSTATUS&doAs=guest|success|Response status: 401
audit|WEBHDFS|guest|||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Response status: 401

Similarly in Hive, I can connect to hiveserver directly but when I attempt through knox I get:

16/10/04 22:31:34 [main]: ERROR jdbc.HiveConnection: Error opening session
org.apache.thrift.transport.TTransportException: HTTP Response code: 401

In Hive server logs:

2016-10-04 22:31:34,063 INFO [HiveServer2-HttpHandler-Pool: Thread-299]: thrift.ThriftHttpServlet ( - Failed to authenticate with http/_HOST kerberos principal, trying with hive/_HOST kerberos principal
2016-10-04 22:31:34,063 ERROR [HiveServer2-HttpHandler-Pool: Thread-299]: thrift.ThriftHttpServlet ( - Failed to authenticate with hive/_HOST kerberos principal
2016-10-04 22:31:34,064 ERROR [HiveServer2-HttpHandler-Pool: Thread-299]: thrift.ThriftHttpServlet ( - Error:
org.apache.hive.service.auth.HttpAuthenticationException: java.lang.reflect.UndeclaredThrowableException
at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doKerberosAuth(
at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doPost(
at javax.servlet.http.HttpServlet.service(
at javax.servlet.http.HttpServlet.service(
at org.eclipse.jetty.servlet.ServletHolder.handle(
at org.eclipse.jetty.servlet.ServletHandler.doHandle(
at org.eclipse.jetty.server.session.SessionHandler.doHandle(
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(
at org.eclipse.jetty.servlet.ServletHandler.doScope(
at org.eclipse.jetty.server.session.SessionHandler.doScope(
at org.eclipse.jetty.server.handler.ContextHandler.doScope(
at org.eclipse.jetty.server.handler.ScopedHandler.handle(
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(
at org.eclipse.jetty.server.Server.handle(
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(
at org.eclipse.jetty.http.HttpParser.parseNext(
at org.eclipse.jetty.http.HttpParser.parseAvailable(
at org.eclipse.jetty.server.AsyncHttpConnection.handle(
at java.util.concurrent.ThreadPoolExecutor.runWorker(
at java.util.concurrent.ThreadPoolExecutor$
Caused by: java.lang.reflect.UndeclaredThrowableException
at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doKerberosAuth(
... 23 more
Caused by: org.apache.hive.service.auth.HttpAuthenticationException: Authorization header received from the client is empty.
at org.apache.hive.service.cli.thrift.ThriftHttpServlet.getAuthHeader(
at org.apache.hive.service.cli.thrift.ThriftHttpServlet.access$100(
at org.apache.hive.service.cli.thrift.ThriftHttpServlet$
at org.apache.hive.service.cli.thrift.ThriftHttpServlet$
at Method)
... 24 more

FYI I have:


Thanks for any help!





Rising Star

@mliem Can you try doing kinit before running the curl command?




Expert Contributor
@Gerg Git

No, I did not. I ended up using a different LDAP server, FreeIPA, which has been proven to integrate with Kerberos and Knox nicely.

I was using OpenLDAP, Cloudbreak and Amazon Linux servers on HDP 2.5. I suspect it's something related to that or the way I had installed Kerberos.

What are you using?

@mliem: We are using AD. This issue we are facing in our new HDP 2.5 build. We have this one working with no issues in our previous cluster, which is HDP 2.3.2 version (using same AD server). I suspect it's something to do with the configs. I could find the same error reported in HBase (search for

Caused by: org.apache.hadoop.hbase.thrift.HttpAuthenticationException: Authorization header received from the client is empty.

New Contributor

I am not using Kerberos. I am using username/password as the method for auth. But I am getting the same exact error:


[Cloudera][ThriftExtension] (8) Authentication/authorization error occurred. Error details: Bad status with no error message: Unauthorized/Forbidden: Status code : 401


On the gateway logs, it shows:

20/10/02 18:04:34 ||2bf99023-8397-4c4c-86b1-43f5a0ab5a39|audit|HIVE||||access|uri|/gateway/default/hive|unavailable|Request method: POST
20/10/02 18:04:35 ||2bf99023-8397-4c4c-86b1-43f5a0ab5a39|audit|HIVE||||access|uri|/gateway/default/hive|success|Response status: 401


Any ideas?
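
The two 401 patterns quoted in this thread (the WEBHDFS audit lines in the original question and the HIVE lines in the post above) can be told apart mechanically. The following is an added example, not part of any post and not Knox code: it assumes the field positions inferred from the quoted lines, uses a constructed sample with a made-up host name and request id, and the verdict labels are its own.

```python
import re

# Constructed sample in the two line shapes quoted in the thread (with and
# without the timestamp/request-id prefix); host and request id are made up.
SAMPLE = """\
audit|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|unavailable|Request method: GET
audit|WEBHDFS|guest|||authentication|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Groups: []
audit|WEBHDFS|guest|||dispatch|uri|http://nn.example:50070/webhdfs/v1/?op=LISTSTATUS&doAs=guest|success|Response status: 401
audit|WEBHDFS|guest|||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Response status: 401
20/10/02 18:04:34 ||req-2|audit|HIVE||||access|uri|/gateway/default/hive|unavailable|Request method: POST
20/10/02 18:04:35 ||req-2|audit|HIVE||||access|uri|/gateway/default/hive|success|Response status: 401
"""
STATUS = re.compile(r"Response status: (\d{3})")

def parse(line):
    """Fields after 'audit|' (inferred): service|user|?|?|action|type|resource|outcome|message."""
    head, sep, tail = line.partition("audit|")
    fields = tail.split("|", 8)
    if not sep or len(fields) != 9:
        return None
    req = head.rstrip("|").rsplit("|", 1)[-1].strip() if "|" in head else ""
    m = STATUS.search(fields[8])
    return {"req": req, "service": fields[0], "user": fields[1], "action": fields[4],
            "outcome": fields[7], "status": int(m.group(1)) if m else None}

def triage(lines):
    """Return (service, user, verdict) for each request that ended in HTTP 401."""
    pending, verdicts = {}, []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = ev["req"] or ev["service"]  # the short format carries no request id
        st = pending.setdefault(key, {"authn": False, "backend": None})
        if ev["action"] == "authentication" and ev["outcome"] == "success":
            st["authn"] = True            # gateway accepted the client's credentials
        elif ev["action"] == "dispatch" and ev["status"] is not None:
            st["backend"] = ev["status"]  # status returned by the proxied service
        elif ev["action"] == "access" and ev["status"] is not None:
            pending.pop(key)              # last audit line of the request
            if ev["status"] == 401:
                verdict = ("backend-401-after-gateway-authn" if st["authn"] and st["backend"] == 401
                           else "gateway-401-before-authn" if not st["authn"] and st["backend"] is None
                           else "unclassified-401")
                verdicts.append((ev["service"], ev["user"] or "-", verdict))
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```

A `backend-401-after-gateway-authn` verdict points at the hop from the gateway to the Kerberized service, while `gateway-401-before-authn` means the request never got past the gateway's own authentication, so the place to look is different in each case.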



New Contributor

@mliem: How did you integrate Kerberos and OpenLDAP? Could you give me some advice?


Hi everyone, I am facing the same issue connecting to Hive HTTP through Knox. On Knox gateway logs, I have:

access|uri|/gateway/default/hive/?op=LISTSTATUS|success|Response status: 401

@mliem: Have you fixed your problem and if so, can you please tell me how?

FYI, connecting directly to Hive HTTP with beeline and the same credentials works fine.



@mliem: Did you resolve this issue? If so, can you please share what was done? I'm facing the same error when connecting to Hive via Knox.

Community Manager

@Hadoop16 Welcome to the Cloudera Community! As this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post. Thanks.


Diana Torres,
Community Moderator
