Support Questions

Find answers, ask questions, and share your expertise

Accessing Hive through Knox receiving HTTP 401 error

avatar
Contributor

I have a kerberized hadoop cluster. Installed knox in kubernetes container with its keytab. Configured knox topology with shiro provider and ldap authentication. I'm able to access webhdfs fine with ldap credentials but Hive is failing with HTTP 401 error.

Knox is configured with self-signed cert and hive is not configured with SSL.

topology.xml -- Configured with shiro provider and ldap info

<service>
<role>WEBHDFS</role>
<url>http://name1_hostname:50070/webhdfs</url>
<url>http://name12_hostname:50070/webhdfs</url>
</service>
<service>
<role>HIVE</role>
<url>http://<host_name>:10004/cliservice</url>
<param>
<name>replayBufferSize</name>
<value>8</value>
</param>
</service>

Configured hive-site.xml with below configs in HS2 host
hive.server2.thrift.http.port = 10004
hive.server2.thrift.http.path = cliservice
hive.server2.transport.mode = http
hive.server2.allow.user.substitution = true

Configured core-site.xml with below configs in Namenode hosts and HS2 host
hadoop.proxyuser.knox.groups = *
hadoop.proxyuser.knox.hosts = *
hadoop.proxyuser.hive.hosts = *
hadoop.proxyuser.hive.groups = *

Hive beeline string

beeline -u "jdbc:hive2://Knox-hostname:8443/;ssl=true;sslTrustStore=/tmp/gateway.jks;trustStorePassword=knoxpass;transportMode=http;httpPath=gateway/default/hive" -n <username> -p<password>

ERROR jdbc.HiveConnection: Error opening session
org.apache.thrift.transport.TTransportException: HTTP Response code: 401
at org.apache.thrift.transport.THttpClient.flushUsingHttpClient(THttpClient.java:262) ~[hive-exec-2.3.6.jar:2.3.6]
at org.apache.thrift.transport.THttpClient.flush(THttpClient.java:313) ~[hive-exec-2.3.6.jar:2.3.6]

In hiveserver2.log

2024-03-15T19:28:32,967 ERROR [HiveServer2-HttpHandler-Pool: Thread-363] thrift.ThriftHttpServlet: Failed to authenticate with hive/_HOST kerberos principal
2024-03-15T19:28:32,967 ERROR [HiveServer2-HttpHandler-Pool: Thread-363] thrift.ThriftHttpServlet: Error:
org.apache.hive.service.auth.HttpAuthenticationException: java.lang.reflect.UndeclaredThrowableException
at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:407) ~[hive-service-2.3.6.jar:2.3.6]

Caused by: org.apache.hive.service.auth.HttpAuthenticationException: Authorization header received from the client is empty.
at org.apache.hive.service.cli.thrift.ThriftHttpServlet.getAuthHeader(ThriftHttpServlet.java:548) ~[hive-service-2.3.6.jar:2.3.6]
at org.apache.hive.service.cli.thrift.ThriftHttpServlet.access$100(ThriftHttpServlet.java:74) ~[hive-service-2.3.6.jar:2.3.6]

Caused by: org.apache.hive.service.auth.HttpAuthenticationException: Kerberos authentication failed:
at org.apache.hive.service.cli.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:463) ~[hive-service-2.3.6.jar:2.3.6]

Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:858) ~[?:1.8.0_352]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_352]

Am I missing anything? Any help is appreciated and thanks in advance!

2 ACCEPTED SOLUTIONS

avatar
Master Collaborator

@Hadoop16  Is the hive HTTP principal regenerated? If not, Can you regenerate the HTTP principal for the hive service?

View solution in original post

avatar
Contributor

@Scharan Thanks! I figured out the issue, following properties were not configured in hive-site
hive.server2.authentication.spnego.keytab
hive.server2.authentication.spnego.principal

View solution in original post

6 REPLIES 6

avatar
Master Collaborator

Hi @Hadoop16  Make sure "HiveServer2 Transport mode" is set to HTTP in hive configs

Refer below doc for more info

https://docs.cloudera.com/cdw-runtime/1.5.1/securing-hive/topics/hive_secure_knox.html

avatar
Contributor

@Scharan hive.server2.transport.mode is already set to http.

avatar
Master Collaborator

@Hadoop16 Was it working before? Did anything change from Kerberos point of view? Try regenerating the hive keytab file and see if it helps.

avatar
Contributor

@smruti This is a new setup. I tried regenerating Hive keytab but still no luck.

avatar
Master Collaborator

@Hadoop16  Is the hive HTTP principal regenerated? If not, Can you regenerate the HTTP principal for the hive service?

avatar
Contributor

@Scharan Thanks! I figured out the issue, following properties were not configured in hive-site
hive.server2.authentication.spnego.keytab
hive.server2.authentication.spnego.principal