Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Hive via Knox "Authorization header received from the client is empty"

Hive via Knox "Authorization header received from the client is empty"

New Contributor

Hello everyone,

 

I can't seem to connect to Hive via Knox. We have Kerberos + SSO turned on.

 

I'm testing it with this curl:

 

curl -vvv -iv -k -negotiate -u 'user@password' 'https://server.net:8443/gateway/services/hive/?op=LISTSTATUS'

 

 

But get the response:

Authentication Error: Authorization header received from the client is empty.

 

 

I get the following in Knox log:

 

20/07/21 18:08:15 ||03d310ac-a86b-4e44-a271-f4100023f274|audit|10.216.87.18|HIVE||||access|uri|/gateway/services/hive/?op=LISTSTATUS|unavailable|Request method: GET
20/07/21 18:08:15 ||03d310ac-a86b-4e44-a271-f4100023f274|audit|10.216.87.18|HIVE|username@domain.net|||authentication|uri|/gateway/services/hive/?op=LISTSTATUS|success|
20/07/21 18:08:15 ||03d310ac-a86b-4e44-a271-f4100023f274|audit|10.216.87.18|HIVE|username@domain.net|||authentication|uri|/gateway/services/hive/?op=LISTSTATUS|success|Groups: []
20/07/21 18:08:15 ||03d310ac-a86b-4e44-a271-f4100023f274|audit|10.216.87.18|HIVE|username@domain.net|||dispatch|uri|https://server.net:10001/cliservice?doAs=username@domain.net|unavailable|Request method: GET
20/07/21 18:08:15 ||03d310ac-a86b-4e44-a271-f4100023f274|audit|10.216.87.18|HIVE|username@domain.net|||dispatch|uri|https://server.net:10001/cliservice?doAs=username@domain.net|success|Response status: 401
20/07/21 18:08:15 |||audit|10.216.87.18|HIVE|username@domain.net|||access|uri|/gateway/services/hive/?op=LISTSTATUS|success|Response status: 401

 

 

 

And get these info logs in the Hive log:

 

2020-07-21T18:08:15,745 INFO  [HiveServer2-HttpHandler-Pool: Thread-124]: thrift.ThriftHttpServlet (:()) - Could not validate cookie sent, will try to generate a new cookie
2020-07-21T18:08:15,746 INFO  [HiveServer2-HttpHandler-Pool: Thread-124]: thrift.ThriftHttpServlet (:()) - Failed to authenticate with http/_HOST kerberos principal, trying with hive/_HOST kerberos principal
2020-07-21T18:08:15,764 INFO  [HiveServer2-HttpHandler-Pool: Thread-126]: thrift.ThriftHttpServlet (:()) - Could not validate cookie sent, will try to generate a new cookie
2020-07-21T18:08:15,765 INFO  [HiveServer2-HttpHandler-Pool: Thread-126]: thrift.ThriftHttpServlet (:()) - Failed to authenticate with http/_HOST kerberos principal, trying with hive/_HOST kerberos principal

 

 

 

 

I have searched many articles to no avail. This one seems closest but it's not clear what the real issue was https://community.cloudera.com/t5/Support-Questions/Accessing-Hive-JDBC-webHDFS-through-Knox-in-secu....

 

Any help much appreciated!

 

Thanks a lot

 

 

 

Don't have an account?
Coming from Hortonworks? Activate your account here