Created 03-15-2024 01:16 PM
I have a kerberized Hadoop cluster. I installed Knox in a Kubernetes container with its keytab and configured the Knox topology with the Shiro provider and LDAP authentication. I'm able to access WebHDFS fine with LDAP credentials, but Hive is failing with an HTTP 401 error.
Knox is configured with a self-signed cert and Hive is not configured with SSL.
topology.xml -- Configured with shiro provider and ldap info
<service>
    <role>WEBHDFS</role>
    <url>http://name1_hostname:50070/webhdfs</url>
    <url>http://name12_hostname:50070/webhdfs</url>
</service>
<service>
    <role>HIVE</role>
    <url>http://<host_name>:10004/cliservice</url>
    <param>
        <name>replayBufferSize</name>
        <value>8</value>
    </param>
</service>
Configured hive-site.xml with below configs in HS2 host
hive.server2.thrift.http.port = 10004
hive.server2.thrift.http.path = cliservice
hive.server2.transport.mode = http
hive.server2.allow.user.substitution = true
Configured core-site.xml with below configs in Namenode hosts and HS2 host
hadoop.proxyuser.knox.groups = *
hadoop.proxyuser.knox.hosts = *
hadoop.proxyuser.hive.hosts = *
hadoop.proxyuser.hive.groups = *
Hive beeline string
beeline -u "jdbc:hive2://Knox-hostname:8443/;ssl=true;sslTrustStore=/tmp/gateway.jks;trustStorePassword=knoxpass;transportMode=http;httpPath=gateway/default/hive" -n <username> -p<password>
ERROR jdbc.HiveConnection: Error opening session
org.apache.thrift.transport.TTransportException: HTTP Response code: 401
at org.apache.thrift.transport.THttpClient.flushUsingHttpClient(THttpClient.java:262) ~[hive-exec-2.3.6.jar:2.3.6]
at org.apache.thrift.transport.THttpClient.flush(THttpClient.java:313) ~[hive-exec-2.3.6.jar:2.3.6]
In hiveserver2.log
2024-03-15T19:28:32,967 ERROR [HiveServer2-HttpHandler-Pool: Thread-363] thrift.ThriftHttpServlet: Failed to authenticate with hive/_HOST kerberos principal
2024-03-15T19:28:32,967 ERROR [HiveServer2-HttpHandler-Pool: Thread-363] thrift.ThriftHttpServlet: Error:
org.apache.hive.service.auth.HttpAuthenticationException: java.lang.reflect.UndeclaredThrowableException
at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:407) ~[hive-service-2.3.6.jar:2.3.6]
Caused by: org.apache.hive.service.auth.HttpAuthenticationException: Authorization header received from the client is empty.
at org.apache.hive.service.cli.thrift.ThriftHttpServlet.getAuthHeader(ThriftHttpServlet.java:548) ~[hive-service-2.3.6.jar:2.3.6]
at org.apache.hive.service.cli.thrift.ThriftHttpServlet.access$100(ThriftHttpServlet.java:74) ~[hive-service-2.3.6.jar:2.3.6]
Caused by: org.apache.hive.service.auth.HttpAuthenticationException: Kerberos authentication failed:
at org.apache.hive.service.cli.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:463) ~[hive-service-2.3.6.jar:2.3.6]
Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:858) ~[?:1.8.0_352]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_352]
Am I missing anything? Any help is appreciated and thanks in advance!
Created 03-16-2024 12:53 AM
Hi @Hadoop16 Make sure "HiveServer2 Transport mode" is set to HTTP in the Hive configs.
Refer to the doc below for more info:
https://docs.cloudera.com/cdw-runtime/1.5.1/securing-hive/topics/hive_secure_knox.html
Created 03-16-2024 04:46 PM
@Scharan hive.server2.transport.mode is already set to http.
Created 03-17-2024 09:40 AM
@Hadoop16 Was it working before? Did anything change from a Kerberos point of view? Try regenerating the hive keytab file and see if it helps.
Created 03-18-2024 07:21 AM
@smruti This is a new setup. I tried regenerating Hive keytab but still no luck.
Created 03-19-2024 09:14 PM
@Hadoop16 Is the hive HTTP principal regenerated? If not, can you regenerate the HTTP principal for the hive service?
Created on 03-29-2024 10:29 PM - edited 03-29-2024 11:21 PM
@Scharan Thanks! I figured out the issue: the following properties were not configured in hive-site
hive.server2.authentication.spnego.keytab
hive.server2.authentication.spnego.principal
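
Added example (not part of the thread, and not Cloudera or Apache code): a pre-flight check that parses hive-site.xml and core-site.xml and reports the gap that caused the 401 here, plus the wildcard proxyuser entries shown above. The sample XML is constructed, and the function names and the HTTP/ prefix check (the usual SPNEGO naming convention) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs in Hadoop *-site.xml format (not the poster's files).
HIVE_SITE = """<configuration>
  <property><name>hive.server2.transport.mode</name><value>http</value></property>
  <property><name>hive.server2.thrift.http.port</name><value>10004</value></property>
  <property><name>hive.server2.thrift.http.path</name><value>cliservice</value></property>
</configuration>"""

CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.knox.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.knox.hosts</name><value>*</value></property>
</configuration>"""

SPNEGO_KEYS = ("hive.server2.authentication.spnego.keytab",
               "hive.server2.authentication.spnego.principal")

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style configuration document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_hs2_behind_knox(hive_site, core_site, knox_user="knox"):
    """Return a list of findings for HS2 in HTTP mode fronted by Knox."""
    hive, core = load_props(hive_site), load_props(core_site)
    findings = []
    if hive.get("hive.server2.transport.mode", "").lower() != "http":
        findings.append("ERROR hive.server2.transport.mode is not http")
    for key in SPNEGO_KEYS:  # the two properties missing in this thread
        if not hive.get(key):
            findings.append(f"ERROR {key} is not set")
    principal = hive.get(SPNEGO_KEYS[1], "")
    if principal and not principal.startswith("HTTP/"):  # assumed convention
        findings.append(f"WARN SPNEGO principal {principal!r} does not start with HTTP/")
    for suffix in ("hosts", "groups"):
        key = f"hadoop.proxyuser.{knox_user}.{suffix}"
        value = core.get(key)
        if value is None:
            findings.append(f"ERROR {key} is not set")
        elif value == "*":  # lets the Knox identity impersonate from anywhere / anyone
            findings.append(f"WARN {key} is a wildcard; restrict it to the Knox hosts/groups")
    return findings

if __name__ == "__main__":
    for line in check_hs2_behind_knox(HIVE_SITE, CORE_SITE):
        print(line)
```
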