Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Kerberos principal should have 3 parts: hive

Labels:
avatar
author-rank chrsvarma
Super Collaborator

Created ‎02-03-2017 09:05 PM

not able to start metastore....it is kerborized using Ambari, version 2.5.3

[hive@master2 ~]$ klist

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_501)

[hive@master2 ~]$ kinit -k -t /etc/security/keytabs/hive.service.keytab hive/master2.chrsv.com@KERBEROS.COM [hive@master2 ~]$ klist

Ticket cache: FILE:/tmp/krb5cc_501

Default principal: hive/master2.chrsv.com@KERBEROS.COM

Valid starting Expires Service principal

02/03/17 14:55:41 02/04/17 14:55:41 krbtgt/KERBEROS.COM@KERBEROS.COM

renew until 02/03/17 14:55:41

[hive@master2 ~]$

6,997 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank chrsvarma
Super Collaborator

Created ‎02-17-2017 10:41 PM

this is because mysql is external to ambari and when kerberos is enabled ambari is not smart enough to recognize mysql and it didnot create keytabs for mysql. that was the reason hive was not able to start.

i still need to find out a way to create keytabs for non ambari components. as of now i moved these components to another server where all the services were deployed through ambari.

thanks to all for your help so far.

View solution in original post

6,099 Views
0 Kudos
6 REPLIES 6

avatar
author-rank icocio author-rank
Expert Contributor

Created ‎02-03-2017 09:18 PM

@Raja Sekhar Chintalapati

Can you share log information from the moment you try to start the metastore?

Also the output of --> klist -kte /etc/security/keytabs/hive.service.keytab

6,099 Views
0 Kudos

avatar
author-rank chrsvarma
Super Collaborator

Created ‎02-03-2017 09:32 PM

@icocio

[hive@master2 ~]$ klist -kte /etc/security/keytabs/hive.service.keytab Keytab name: FILE:/etc/security/keytabs/hive.service.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (arcfour-hmac) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (des-cbc-md5) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (aes256-cts-hmac-sha1-96) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (aes128-cts-hmac-sha1-96) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (des3-cbc-sha1) [hive@master2 ~]$

6,099 Views
0 Kudos

avatar
author-rank chrsvarma
Super Collaborator

Created ‎02-03-2017 09:37 PM

Feb 03 15:23:55 master2.chrsv.com krb5kdc[3363](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.56.21: ISSUE: authtime 1486153210, etypes {rep=18 tkt=18 ses=18}, nn/master1.chrsv.com@KERBEROS.COM for nn/master1.chrsv.com@KERBEROS.COM Feb 03 15:24:00 master2.chrsv.com krb5kdc[3363](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.63: ISSUE: authtime 1486153440, etypes {rep=18 tkt=18 ses=18}, hdfs-hdp@KERBEROS.COM for krbtgt/KERBEROS.COM@KERBEROS.COM Feb 03 15:24:08 master2.chrsv.com krb5kdc[3363](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.22: ISSUE: authtime 1486153448, etypes {rep=18 tkt=18 ses=18}, ambari-qa-hdp@KERBEROS.COM for krbtgt/KERBEROS.COM@KERBEROS.COM Feb 03 15:24:12 master2.chrsv.com krb5kdc[3363](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.56.22: ISSUE: authtime 1486153222, etypes {rep=18 tkt=18 ses=18}, nn/master2.chrsv.com@KERBEROS.COM for HTTP/master2.chrsv.com@KERBEROS.COM

I see services but not hive in krb5.log

6,099 Views
0 Kudos

avatar
author-rank rguruvannagari author-rank
Super Collaborator

Created ‎02-05-2017 05:32 AM

@Raja Sekhar Chintalapati

Can you share the hivemetastore log? Kerberos principal should have 3 parts would mean that kerberos principal provided for auth is incomplete ,this can happen if you have provided principal like hive/master2.chrsv.com(excluding REALM name) If you are trying to start from Ambari then you should see output.log and error.log from here we can see which principal is being used while starting the service and correct it in config according to that error.

6,099 Views
0 Kudos

avatar
author-rank chrsvarma
Super Collaborator

Created ‎02-17-2017 10:41 PM

this is because mysql is external to ambari and when kerberos is enabled ambari is not smart enough to recognize mysql and it didnot create keytabs for mysql. that was the reason hive was not able to start.

i still need to find out a way to create keytabs for non ambari components. as of now i moved these components to another server where all the services were deployed through ambari.

thanks to all for your help so far.

6,100 Views
0 Kudos

avatar
author-rank peter_coppens
Explorer

Created ‎03-10-2017 04:55 PM

Hello

Having the same issue 😞

I find in the hive meta store log

2017-03-10 16:50:52,164 INFO  [main]: zookeeper.ZooKeeper (Environment.java:logEnv(100)) - Client environment:user.name=hive

No idea where this is coming from though

All tips appreciated!

Peter

6,099 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements