
How to connect hiveserver2 through beeline with OpenLdap auth on a kerberized cluster


Explorer

Hi:

I have deployed CDH5.5.0 without Cloudera Manager, and I have integrated Kerberos on my cluster. I deployed zk, hdfs, yarn, hive and sentry.

I want to use OpenLDAP to manage users/groups, so I integrated LDAP in core-site.xml.

But when I use LDAP to auth Hive on my kerberized cluster, I cannot connect to hiveserver2.

Here is my configuration:

   
<property>
  <name>hive.server2.authentication</name>
  <value>LDAP</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.url</name>
  <value>ldap://172.21.3.64</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.baseDN</name>
  <value>ou=People,dc=e3base,dc=com</value>
</property>

 

And my beeline command is: beeline -u "jdbc:hive2://xardc4:15002/default;" -n "uid=e3base,ou=People,dc=e3base,dc=com" -p e3base

 

The hiveserver2 log:

 

2018-05-04 14:59:35,073 ERROR [HiveServer2-Handler-Pool: Thread-23]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: PLAIN auth failed: Authentication failed: User search failed [Caused by javax.security.sasl.AuthenticationException: Authentication failed: User search failed]
        at org.apache.hadoop.security.SaslPlainServer.evaluateResponse(SaslPlainServer.java:108)
        at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:724)
Caused by: javax.security.sasl.AuthenticationException: Authentication failed: User search failed
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:183)
        at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
        at org.apache.hadoop.security.SaslPlainServer.evaluateResponse(SaslPlainServer.java:103)
        ... 8 more

 

 

 

When I configure my cluster with no Kerberos and only integrate OpenLDAP to auth hiveserver2, I can connect to hiveserver2 successfully.

 

I don't know why.

 

Can anyone help me? Thanks!

1 REPLY

Re: How to connect hiveserver2 through beeline with OpenLdap auth on a kerberized cluster

Guru
After kerberizing Hive, the connection string needs to become:

jdbc:hive2://xardc4:15002/default;principal=hive/<hiveserver2-domain>@REAL

Please give it a try.
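
A triage helper for the hiveserver2 log quoted in the question, as an added example that is not part of the original thread: it extracts the SASL mechanism, the authentication provider class and the deepest cause from each "SASL negotiation failure" record, which for this trace shows a PLAIN negotiation handed to the LDAP provider. The function name and the suffix match on provider class names are assumptions; the sample log is abridged from the question.

```python
import re

# Constructed sample: abridged from the hiveserver2 log quoted in the question.
SAMPLE_LOG = """\
2018-05-04 14:59:35,073 ERROR [HiveServer2-Handler-Pool: Thread-23]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: PLAIN auth failed: Authentication failed: User search failed [Caused by javax.security.sasl.AuthenticationException: Authentication failed: User search failed]
        at org.apache.hadoop.security.SaslPlainServer.evaluateResponse(SaslPlainServer.java:108)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
Caused by: javax.security.sasl.AuthenticationException: Authentication failed: User search failed
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:183)
        at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
        ... 8 more
"""

# Patterns are derived from the log layout shown on the page (an assumption for other layouts).
HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+\[(.+?)\]: .* - (.*)$")
FRAME = re.compile(r"^\s+at ([\w.$]+)\.[\w<>$]+\(")
CAUSE = re.compile(r"^Caused by: ([\w.$]+): (.*)$")
MECH = re.compile(r"SaslException: (\w[\w-]*) auth failed")

def parse_sasl_failures(text):
    """Return one dict per 'SASL negotiation failure' record in a hiveserver2 log."""
    events, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a new log record starts; only SASL failures are tracked
            cur = None
            if "SASL negotiation failure" in m.group(4):
                cur = {"time": m.group(1), "thread": m.group(3), "mechanism": None,
                       "provider": None, "root_cause": None}
                events.append(cur)
            continue
        if cur is None:
            continue
        if (m := MECH.search(line)) and cur["mechanism"] is None:
            cur["mechanism"] = m.group(1)    # mechanism named in the exception message
        elif m := CAUSE.match(line):
            cur["root_cause"] = m.group(2)   # last 'Caused by' wins: the deepest cause
        elif m := FRAME.match(line):
            cls = m.group(1).rsplit(".", 1)[-1]
            if cls.endswith("AuthenticationProviderImpl") and cur["provider"] is None:
                cur["provider"] = cls        # class that performed the credential check
    return events

if __name__ == "__main__":
    for event in parse_sasl_failures(SAMPLE_LOG):
        print(event)
```
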