Support Questions

Find answers, ask questions, and share your expertise

Kerberos principal should have 3 parts: hive

Expert Contributor

not able to start metastore....it is kerborized using Ambari, version 2.5.3

[hive@master2 ~]$ klist

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_501)

[hive@master2 ~]$ kinit -k -t /etc/security/keytabs/hive.service.keytab hive/master2.chrsv.com@KERBEROS.COM [hive@master2 ~]$ klist

Ticket cache: FILE:/tmp/krb5cc_501

Default principal: hive/master2.chrsv.com@KERBEROS.COM

Valid starting Expires Service principal

02/03/17 14:55:41 02/04/17 14:55:41 krbtgt/KERBEROS.COM@KERBEROS.COM

renew until 02/03/17 14:55:41

[hive@master2 ~]$

1 ACCEPTED SOLUTION

Expert Contributor

this is because mysql is external to ambari and when kerberos is enabled ambari is not smart enough to recognize mysql and it didnot create keytabs for mysql. that was the reason hive was not able to start.

i still need to find out a way to create keytabs for non ambari components. as of now i moved these components to another server where all the services were deployed through ambari.

thanks to all for your help so far.

View solution in original post

6 REPLIES 6

Rising Star

@Raja Sekhar Chintalapati

Can you share log information from the moment you try to start the metastore?

Also the output of --> klist -kte /etc/security/keytabs/hive.service.keytab

Expert Contributor

@icocio

[hive@master2 ~]$ klist -kte /etc/security/keytabs/hive.service.keytab Keytab name: FILE:/etc/security/keytabs/hive.service.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (arcfour-hmac) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (des-cbc-md5) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (aes256-cts-hmac-sha1-96) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (aes128-cts-hmac-sha1-96) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (des3-cbc-sha1) [hive@master2 ~]$

Expert Contributor

Feb 03 15:23:55 master2.chrsv.com krb5kdc[3363](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.56.21: ISSUE: authtime 1486153210, etypes {rep=18 tkt=18 ses=18}, nn/master1.chrsv.com@KERBEROS.COM for nn/master1.chrsv.com@KERBEROS.COM Feb 03 15:24:00 master2.chrsv.com krb5kdc[3363](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.63: ISSUE: authtime 1486153440, etypes {rep=18 tkt=18 ses=18}, hdfs-hdp@KERBEROS.COM for krbtgt/KERBEROS.COM@KERBEROS.COM Feb 03 15:24:08 master2.chrsv.com krb5kdc[3363](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.22: ISSUE: authtime 1486153448, etypes {rep=18 tkt=18 ses=18}, ambari-qa-hdp@KERBEROS.COM for krbtgt/KERBEROS.COM@KERBEROS.COM Feb 03 15:24:12 master2.chrsv.com krb5kdc[3363](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.56.22: ISSUE: authtime 1486153222, etypes {rep=18 tkt=18 ses=18}, nn/master2.chrsv.com@KERBEROS.COM for HTTP/master2.chrsv.com@KERBEROS.COM

I see services but not hive in krb5.log

Super Collaborator
@Raja Sekhar Chintalapati

Can you share the hivemetastore log? Kerberos principal should have 3 parts would mean that kerberos principal provided for auth is incomplete ,this can happen if you have provided principal like hive/master2.chrsv.com(excluding REALM name) If you are trying to start from Ambari then you should see output.log and error.log from here we can see which principal is being used while starting the service and correct it in config according to that error.

Expert Contributor

this is because mysql is external to ambari and when kerberos is enabled ambari is not smart enough to recognize mysql and it didnot create keytabs for mysql. that was the reason hive was not able to start.

i still need to find out a way to create keytabs for non ambari components. as of now i moved these components to another server where all the services were deployed through ambari.

thanks to all for your help so far.

Hello

Having the same issue 😞

I find in the hive meta store log

2017-03-10 16:50:52,164 INFO  [main]: zookeeper.ZooKeeper (Environment.java:logEnv(100)) - Client environment:user.name=hive

No idea where this is coming from though

All tips appreciated!

Peter