Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Kerberos principal should have 3 parts: hive

Labels:
avatar
author-rank chrsvarma
Super Collaborator

Created ‎02-03-2017 09:05 PM

not able to start metastore....it is kerborized using Ambari, version 2.5.3

[hive@master2 ~]$ klist

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_501)

[hive@master2 ~]$ kinit -k -t /etc/security/keytabs/hive.service.keytab hive/master2.chrsv.com@KERBEROS.COM [hive@master2 ~]$ klist

Ticket cache: FILE:/tmp/krb5cc_501

Default principal: hive/master2.chrsv.com@KERBEROS.COM

Valid starting Expires Service principal

02/03/17 14:55:41 02/04/17 14:55:41 krbtgt/KERBEROS.COM@KERBEROS.COM

renew until 02/03/17 14:55:41

[hive@master2 ~]$

7,483 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank chrsvarma
Super Collaborator

Created ‎02-17-2017 10:41 PM

this is because mysql is external to ambari and when kerberos is enabled ambari is not smart enough to recognize mysql and it didnot create keytabs for mysql. that was the reason hive was not able to start.

i still need to find out a way to create keytabs for non ambari components. as of now i moved these components to another server where all the services were deployed through ambari.

thanks to all for your help so far.

View solution in original post

6,585 Views
0 Kudos
0
6 REPLIES 6

avatar
author-rank icocio author-rank
Expert Contributor

Created ‎02-03-2017 09:18 PM

@Raja Sekhar Chintalapati

Can you share log information from the moment you try to start the metastore?

Also the output of --> klist -kte /etc/security/keytabs/hive.service.keytab

6,585 Views
0 Kudos

avatar
author-rank chrsvarma
Super Collaborator

Created ‎02-03-2017 09:32 PM

@icocio

[hive@master2 ~]$ klist -kte /etc/security/keytabs/hive.service.keytab Keytab name: FILE:/etc/security/keytabs/hive.service.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (arcfour-hmac) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (des-cbc-md5) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (aes256-cts-hmac-sha1-96) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (aes128-cts-hmac-sha1-96) 2 02/03/17 15:12:29 hive/master2.chrsv.com@KERBEROS.COM (des3-cbc-sha1) [hive@master2 ~]$

6,585 Views
0 Kudos

avatar
author-rank chrsvarma
Super Collaborator

Created ‎02-03-2017 09:37 PM

Feb 03 15:23:55 master2.chrsv.com krb5kdc[3363](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.56.21: ISSUE: authtime 1486153210, etypes {rep=18 tkt=18 ses=18}, nn/master1.chrsv.com@KERBEROS.COM for nn/master1.chrsv.com@KERBEROS.COM Feb 03 15:24:00 master2.chrsv.com krb5kdc[3363](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.63: ISSUE: authtime 1486153440, etypes {rep=18 tkt=18 ses=18}, hdfs-hdp@KERBEROS.COM for krbtgt/KERBEROS.COM@KERBEROS.COM Feb 03 15:24:08 master2.chrsv.com krb5kdc[3363](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.22: ISSUE: authtime 1486153448, etypes {rep=18 tkt=18 ses=18}, ambari-qa-hdp@KERBEROS.COM for krbtgt/KERBEROS.COM@KERBEROS.COM Feb 03 15:24:12 master2.chrsv.com krb5kdc[3363](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.56.22: ISSUE: authtime 1486153222, etypes {rep=18 tkt=18 ses=18}, nn/master2.chrsv.com@KERBEROS.COM for HTTP/master2.chrsv.com@KERBEROS.COM

I see services but not hive in krb5.log

6,585 Views
0 Kudos

avatar
author-rank rguruvannagari author-rank
Super Collaborator

Created ‎02-05-2017 05:32 AM

@Raja Sekhar Chintalapati

Can you share the hivemetastore log? Kerberos principal should have 3 parts would mean that kerberos principal provided for auth is incomplete ,this can happen if you have provided principal like hive/master2.chrsv.com(excluding REALM name) If you are trying to start from Ambari then you should see output.log and error.log from here we can see which principal is being used while starting the service and correct it in config according to that error.

6,585 Views
0 Kudos

avatar
author-rank chrsvarma
Super Collaborator

Created ‎02-17-2017 10:41 PM

this is because mysql is external to ambari and when kerberos is enabled ambari is not smart enough to recognize mysql and it didnot create keytabs for mysql. that was the reason hive was not able to start.

i still need to find out a way to create keytabs for non ambari components. as of now i moved these components to another server where all the services were deployed through ambari.

thanks to all for your help so far.

6,586 Views
0 Kudos
0

avatar
author-rank peter_coppens
Explorer

Created ‎03-10-2017 04:55 PM

Hello

Having the same issue 😞

I find in the hive meta store log

2017-03-10 16:50:52,164 INFO  [main]: zookeeper.ZooKeeper (Environment.java:logEnv(100)) - Client environment:user.name=hive

No idea where this is coming from though

All tips appreciated!

Peter

6,585 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements