Error with Kerberos configuration in sandbox

Trying to assist a client with the following Kerberos configuration error.

We have automatically configured Kerberos on Sandbox HDP 2.6.4 as described in the how-to below:

https://community.hortonworks.com/articles/29203/automated-kerberos-installation-and-configuration.h...

We created the Kerberos ticket using the hive.service.keytab (one of the keytabs automatically generated by HDP):

kinit -kt hive.service.keytab hive/sandbox-hdp.hortonworks.com@HWX.COM

In order to connect to the Kerberized Hive over JDBC from a Windows machine, we used the following code snippet:

// Needs java.sql.Connection and java.sql.DriverManager imported.
System.setProperty("hadoop.home.dir", "C:\\Users\\Emilio\\Desktop\\test");
try {
    org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
    conf.set("hadoop.security.authentication", "Kerberos");
    org.apache.hadoop.security.UserGroupInformation.setConfiguration(conf);
    // Log in from the keytab; the path is resolved on the machine running this code.
    org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab("hive/sandbox-hdp.hortonworks.com@HWX.COM", "C:/Users/Emilio/Desktop/keytabs/hive.service.keytab");
    Class.forName("org.apache.hive.jdbc.HiveDriver");
    Connection con = DriverManager.getConnection("jdbc:hive2://localhost:10000/foodmart;principal=hive/sandbox-hdp.hortonworks.com@HWX.COM");
    con.close();
} catch (Exception e) {
    e.printStackTrace();
}

In this case we obtain the following error:

java.io.IOException: Login failure for hive/sandbox-hdp.hortonworks.com@HWX.COM from keytab C:/Users/Emilio/Desktop/keytabs/hive.service.keytab: javax.security.auth.login.LoginException: ICMP Port Unreachable

Then we tried to replace the path value passed to the loginUserFromKeytab method with the one on the server:

org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab("hive/sandbox-hdp.hortonworks.com@HWX.COM","/etc/security/keytabs/hive.service.keytab");

In this case we obtain the following error:

java.io.IOException: Login failure for hive/sandbox-hdp.hortonworks.com@HWX.COM from keytab /etc/security/keytabs/hive.service.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user

We also tried to perform the same tests explained above using a new user. To create the new user we used the kadmin tool with the command below:

add_principal hive-user/sandbox-hdp.hortonworks.com@HWX.COM

After the principal creation, we added encryption to the user and then we generated a keytab file:

ktutil:
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e aes256-cts
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e aes128-cts
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e des3-hmac-sha1
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e arcfour-hmac
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e des-hmac-sha1
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e des-cbc-md5
add_entry -password -p hive-user/sandbox-hdp.hortonworks.com@HWX.COM -k 1 -e des-cbc-crc
wkt /etc/security/keytabs/hive-user.service.keytab

Finally we created the Kerberos ticket using the newly generated keytab hive-user.service.keytab:

kinit -kt hive-user.service.keytab hive-user/sandbox-hdp.hortonworks.com@HWX.COM

The same errors as in the previous tests occur.

The last attempt we made was to enable Kerberos security manually on HDP, according to the official documentation available at the following link:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/configuring_amb_hdp_for...

Unfortunately, the above tests behave the same way in this case too.

Re: Error with Kerberos configuration in sandbox

Hi @dedwards,

Were you able to connect to Hive via SBX CLI?

Because if you are able to connect with Kerberos to Hive via CLI, then Kerberos is potentially set up correctly in SBX and the problem is on the Windows machine connection to the SBX.

Also, are you not missing the ZK information in the JDBC connection:

Connection con = DriverManager.getConnection("jdbc:hive2://localhost:10000/foodmart;principal=hive/sandbox-hdp.hortonworks.com@HWX.COM");

Check this Article:

https://community.hortonworks.com/articles/156873/hiveserver2-kerberos-authentication-jdbc-connectio...

Hope it helps!

Gonçalo
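
A client-side preflight for the keytab login discussed in this thread, as an added example that is not part of either post: it checks that the keytab path resolves to a readable file on the machine running the JVM and that the KDC accepts a TCP connection on port 88. The class name and the KDC host are assumptions; the thread does not say where the KDC runs.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class KerberosPreflight {
    // Assumed for illustration: the thread does not name the KDC host.
    static final String KDC_HOST = "sandbox-hdp.hortonworks.com";
    static final int KDC_PORT = 88; // standard Kerberos port

    /** True if the keytab is a readable, non-empty file on THIS machine. */
    static boolean keytabReadable(Path keytab) throws IOException {
        return Files.isRegularFile(keytab)
                && Files.isReadable(keytab)
                && Files.size(keytab) > 0;
    }

    /** True if a TCP connection to host:port succeeds within timeoutMs. */
    static boolean kdcReachable(String host, int port, int timeoutMs) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            return true;
        } catch (IOException e) {
            // Covers unresolved host names, refused connections and timeouts.
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Default path is the client-side keytab path quoted in the question.
        Path keytab = Paths.get(args.length > 0 ? args[0]
                : "C:/Users/Emilio/Desktop/keytabs/hive.service.keytab");
        // null here means the JVM falls back to its default krb5 file locations.
        System.out.println("java.security.krb5.conf = "
                + System.getProperty("java.security.krb5.conf"));
        System.out.println("keytab readable locally: " + keytabReadable(keytab));
        System.out.println("KDC reachable over TCP:  "
                + kdcReachable(KDC_HOST, KDC_PORT, 3000));
    }
}
```

The JVM Kerberos client tries UDP first by default, so a successful TCP check here does not prove the UDP path is open. It does confirm name resolution and basic routing from the client to the KDC.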
