Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

JDBC client to Hive - No data or no sasl data in the stream Exception

Labels:
avatar
author-rank anar
Explorer

Created ‎06-01-2016 06:43 AM

Hi Everybody,

We have a Kerberised cluster and I'm trying to run a Java action in Oozie where I make a JDBC connection to Hive. This JDBC connections works fine on the Sandbox without Kerberos.

The connection string is as simple as the following, where I'm providing username and password in it:

Connection con = DriverManager.getConnection("jdbc:hive2://W12345:10000/control;principal=hive/W12345.companynet.net@COMPANYNET.NET","user123","passw123");

The Oozie action completes succesfully, and the Java log does not present any error:

1742 [main] INFO org.apache.hive.jdbc.Utils  - Supplied authorities: W12345:10000
1742 [main] INFO org.apache.hive.jdbc.Utils  - Resolved authority: W12345:10000
1766 [main] INFO org.apache.hive.jdbc.HiveConnection  - Will try to open client transport with JDBC Uri: jdbc:hive2://W12345:10000/control;principal=hive/W12345.companynet.net@COMPANYNET.NET
<<< Invocation of Main class completed <<<
Oozie Launcher ends
1785 [main] INFO org.apache.hadoop.mapred.Task  - Task:attempt_1464245290012_0129_m_000000_0 is done. And is in the process of committing
1847 [main] INFO org.apache.hadoop.mapred.Task  - Task attempt_1464245290012_0129_m_000000_0 is allowed to commit now
1854 [main] INFO org.apache.hadoop.mapreduce.lib.output.FileOutputCommitter  - Saved output of task 'attempt_1464245290012_0129_m_000000_0' to hdfs://danskehadoop/user/user123/oozie-oozi/0000013-160527101253015-oozie-oozi-W/JavaAction--java/output/_temporary/1/task_1464245290012_0129_m_000000
1909 [main] INFO org.apache.hadoop.mapred.Task  - Task 'attempt_1464245290012_0129_m_000000_0' done.

But the Java main does not actually complete the execution as the JDBC connection fails with an exception that I can see only in the Hive log:

	ERROR [HiveServer2-Handler-Pool: Thread-78363]: server.TThreadPoolServer (TThreadPoolServer.java:run(296)) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TSaslTransportException: No data or no sasl data in the stream
  at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
  at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:739)
  at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:736)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.Subject.doAs(Subject.java:360)
  at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1637)
  at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:736)
  at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
  at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.thrift.transport.TSaslTransportException: No data or no sasl data in the stream
  at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:328)
  at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
  at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
  ... 10 more

Thanks in advance for the help!

11,631 Views
0 Kudos
5 REPLIES 5

avatar
author-rank bleonhardi
Master Guru

Created ‎06-01-2016 09:41 AM

You can try to add the Hive2 credential to your java action but I am afraid that it is not supported for a generic Java action ( still worth a try),

https://oozie.apache.org/docs/4.2.0/DG_ActionAuthentication.html

if you need to get it yourself you would have to programatically read the keytab and get the ticket yourself:

https://www.ibm.com/support/knowledgecenter/SSPT3X_3.0.0/com.ibm.swg.im.infosphere.biginsights.admin...

And finally why don't you use a more normal authentication mechanism for hive like PAM/LDAP ( ceterum censeo cartaginem delendam esse )

8,051 Views
0 Kudos

avatar
author-rank anar
Explorer

Created ‎06-02-2016 10:29 AM

Hi Benjamin, Thank you for your reply.

Option 1 - did not work, as expected 🙂

Option 2 - In the link, at step b2, there's this command:

UserGroupInformation.loginUserFromKeytab("example_user@IBM.COM", "/path/to/example_user.keytab");

Does this mean that my user (later on it will be a system user) needs to have a keytab created on the linux file system and distributed to all the nodes? Moreover, it might not be a great option, but isn't this authentication possible using only username/password ?

Option 3 - I'm using the current mechanism as it is the only one I found some examples on the net. I checked shortly on PAM/LDAP, I'm not sure yet if that will require some changes from the Hadoop cluster side. If not, I'll be happy to try it

8,051 Views
0 Kudos

avatar
author-rank bleonhardi
Master Guru

Created ‎06-02-2016 07:43 PM

"Does this mean that my user (later on it will be a system user) needs to have a keytab created on the linux file system and distributed to all the nodes?"

You would put the keytab in HDFS with access rights for only the user and use the oozie files tag to load it to your temp execution directory,

https://oozie.apache.org/docs/3.2.0-incubating/WorkflowFunctionalSpec.html#a3.2.7_Java_Action

"Moreover, it might not be a great option, but isn't this authentication possible using only username/password ?"

To do this you need PAM or LDAP authentication, thats why I mentioned it :-). You can either hardcode it or do the same thing we discussed above with a password file in hdfs. For this you can set access rights.

"Option 3 - I'm using the current mechanism as it is the only one I found some examples on the net. I checked shortly on PAM/LDAP, I'm not sure yet if that will require some changes from the Hadoop cluster side. If not, I'll be happy to try it"

https://community.hortonworks.com/articles/591/using-hive-with-pam-authentication.html

🙂

8,051 Views
0 Kudos

avatar
author-rank tsaito
Expert Contributor

Created ‎06-02-2016 05:13 AM

Hi Antonio Arfe

Can you connect to HiveServer2 via beeline with your connection string?

If you can, the error may suggest that an yarn app is not starting for some reason. You can verify that by visiting resource manager UI.

8,051 Views
0 Kudos

avatar
author-rank anar
Explorer

Created ‎06-02-2016 05:30 AM

Hi Tahahiko, Yes, it works from beeline (without username/password), but I believe it is because I connect to beeline via CLI, which means I already have a Kerberos authentication for my username. I'm not sure what I should look for in Resource UI, it just shows the successful map/reduce job connected to my Java action, the log does not seem to contain much.

8,051 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements