Created 06-04-2018 02:04 PM
Trying to assist a client with the following Kerberos configuration error.
We have automatically configured Kerberos on Sandbox HDP 2.6.4 as described in the how-to below:
We created the Kerberos ticket using the hive.service.keytab (one of the keytabs automatically generated by HDP):
kinit -kt hive.service.keytab hive/sandbox-hdp.hortonworks.com@HWX.COM
In order to connect to Kerberos Hive in JDBC from Windows machine, we used the following code snippet:
import java.sql.Connection;
import java.sql.DriverManager;

System.setProperty("hadoop.home.dir", "C:\\Users\\Emilio\\Desktop\\test");
try {
    // Switch the Hadoop client to Kerberos authentication
    org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
    conf.set("hadoop.security.authentication", "Kerberos");
    org.apache.hadoop.security.UserGroupInformation.setConfiguration(conf);
    // Log in from the keytab; the path is read on the machine running this code
    org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab("hive/sandbox-hdp.hortonworks.com@HWX.COM", "C:/Users/Emilio/Desktop/keytabs/hive.service.keytab");
    Class.forName("org.apache.hive.jdbc.HiveDriver");
    Connection con = DriverManager.getConnection("jdbc:hive2://localhost:10000/foodmart;principal=hive/sandbox-hdp.hortonworks.com@HWX.COM");
    con.close();
} catch (Exception e) {
    e.printStackTrace();
}
In this case we obtain the following error:
java.io.IOException: Login failure for hive/sandbox-hdp.hortonworks.com@HWX.COM from keytab C:/Users/Emilio/Desktop/keytabs/hive.service.keytab: javax.security.auth.login.LoginException: ICMP Port Unreachable
Then we tried to replace the path value specified in the loginUserFromKeytab method with the one on the server:
org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab("hive/sandbox-hdp.hortonworks.com@HWX.COM","/etc/security/keytabs/hive.service.keytab");
In this case we obtain the following error:
java.io.IOException: Login failure for hive/sandbox-hdp.hortonworks.com@HWX.COM from keytab /etc/security/keytabs/hive.service.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user
We also tried to perform the same tests explained above using a new user. To create the new user we used the kadmin tool with the command below:
add_principal hive-user/sandbox-hdp.hortonworks.com@HWX.COM
After the principal creation, we added encryption to the user and then we generated a keytab file:
ktutil:
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e aes256-cts
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e aes128-cts
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e des3-hmac-sha1
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e arcfour-hmac
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e des-hmac-sha1
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e des-cbc-md5
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e des-cbc-crc
wkt /etc/security/keytabs/hive-user.service.keytab
Finally we created the Kerberos ticket using the newly generated keytab hive-user.service.keytab:
kinit -kt hive-user.service.keytab hive-user/sandbox-hdp.hortonworks.com@HWX.COM
The same errors as in the previous tests occur.
The last try we did was performed enabling Kerberos security manually on HDP, according to the official documentation available at the following link:
Unfortunately, the above tests behave the same way in this case too.
Created 06-06-2018 02:38 PM
Hi @dedwards,
Were you able to connect to Hive via SBX CLI?
Because if you are able to connect with Kerberos to Hive via CLI then Kerberos is potentially set up correctly in SBX and the problem is on the Windows machine connection to the SBX.
Also, are you not missing the ZK information in the JDBC connection:
Connection con = DriverManager.getConnection("jdbc:hive2://localhost:10000/foodmart;principal=hive/sandbox-hdp.hortonworks.com@HWX.COM");
Check this Article:
Hope it helps!
Gonçalo
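
Added example, not part of the original posts: a JDK-only preflight that checks the client side of the two login failures quoted in the question. "Unable to obtain password from user" typically means the JVM could not read usable keys from the keytab path it was given, and "ICMP Port Unreachable" typically means the KDC could not be reached from the client. The class name, the KDC host, port 88 and the assumption that the KDC accepts TCP are illustrative, not taken from the thread.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: client-side checks to run before UserGroupInformation.loginUserFromKeytab. */
public class KerberosPreflight {

    /** The keytab is opened by the client JVM, so the path must exist on this machine. */
    static String checkKeytab(String path) throws IOException {
        Path p = Paths.get(path);
        if (!Files.isReadable(p)) {
            return "keytab not readable on this machine: " + p.toAbsolutePath();
        }
        byte[] b = Files.readAllBytes(p);
        // A keytab file starts with 0x05 followed by format version 0x01 or 0x02.
        if (b.length < 2 || b[0] != 0x05 || (b[1] != 0x01 && b[1] != 0x02)) {
            return "file is not a keytab (bad header): " + p;
        }
        return "keytab OK (" + b.length + " bytes)";
    }

    /** The JVM locates the realm's KDC through krb5.conf (krb5.ini on Windows). */
    static String checkKrb5Conf() {
        String conf = System.getProperty("java.security.krb5.conf");
        if (conf == null) {
            return "java.security.krb5.conf not set; the JVM falls back to its default locations";
        }
        return Files.isReadable(Paths.get(conf)) ? "krb5.conf OK: " + conf : "krb5.conf not readable: " + conf;
    }

    /** Probe the KDC over TCP (assumes it listens on TCP as well as UDP). */
    static String checkKdc(String host, int port) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), 3000);
            return "KDC reachable at " + host + ":" + port;
        } catch (IOException e) {
            return "KDC not reachable at " + host + ":" + port + " (" + e + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed values: keytab path from the question, KDC on the sandbox host, default port 88.
        System.out.println(checkKeytab("C:/Users/Emilio/Desktop/keytabs/hive.service.keytab"));
        System.out.println(checkKrb5Conf());
        System.out.println(checkKdc("sandbox-hdp.hortonworks.com", 88));
    }
}
```

Run it on the Windows client with the same JVM options as the JDBC program, for example with `-Djava.security.krb5.conf=` pointing at the krb5.conf copied from the sandbox.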