Kerberos principal should have 3 parts in sandbox HDP 2.5

Re: Kerberos principal should have 3 parts in sandbox HDP 2.5

Expert Contributor

After reading the Hive source code, the correct principal should be hive/sandbox.hortonworks.com@EXAMPLE.COM, which has 3 parts, but from the above message, it is hive. And I checked hive-site.xml; the property hive.metastore.kerberos.principal is correct.

Re: Kerberos principal should have 3 parts in sandbox HDP 2.5

Expert Contributor

Can anyone else help? Thanks

Re: Kerberos principal should have 3 parts in sandbox HDP 2.5

New Contributor

@jzhang I was facing a similar problem. I added the following to core-site.xml and the problem was resolved. The property to watch out for is "hadoop.security.auth_to_local".

<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hadoop.security.auth_to_local</name>
  <value>
  RULE:[2:$1@$0](hive/.*@.*EXAMPLE.COM)s/.*/hive/
  DEFAULT
  </value>
</property>
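
Added example (not part of the reply above, and not Hadoop's own code): a Python re-implementation of how Hadoop evaluates a hadoop.security.auth_to_local value, run on the rules quoted above, to show which rule yields the short name. The function names, the constructed variant rule and the default realm EXAMPLE.COM are assumptions; the /L flag and Java-style $1 back-references in the replacement are not handled.

```python
import re

# Rule shape used by hadoop.security.auth_to_local: RULE:[n:format](filter)s/from/to/g
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def split_principal(principal):
    """Return (components, realm) for names like 'service/host@REALM'."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def to_short_name(principal, rules, default_realm):
    """Apply the rules in order; return (short_name, rule_used) or (None, None).
    Hadoop raises an error where this returns (None, None)."""
    comps, realm = split_principal(principal)
    params = [realm] + comps                 # $0 = realm, $1.. = name components
    for rule in rules.split():               # simplification: rules contain no spaces
        if rule == "DEFAULT":
            # DEFAULT maps only default-realm principals, to their first component.
            if realm.lower() == default_realm.lower():
                return comps[0], rule
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unparseable rule: " + rule)
        n, fmt, flt, frm, to, glob = m.groups()
        if int(n) != len(comps):             # rule applies to n-component names only
            continue
        base = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], fmt)
        # The filter is matched against the formatted string, not the raw principal.
        if flt is not None and not re.fullmatch(flt, base):
            continue
        if frm is None:
            return base, rule
        return re.sub(frm, to, base, count=0 if glob else 1), rule
    return None, None

# Rules exactly as quoted in the reply above.
PAGE_RULES = """
RULE:[2:$1@$0](hive/.*@.*EXAMPLE.COM)s/.*/hive/
DEFAULT
"""
# Constructed variant: filter written against the formatted "$1@$0" string.
VARIANT_RULES = r"RULE:[2:$1@$0](hive@.*EXAMPLE\.COM)s/.*/hive/ DEFAULT"
PRINCIPAL = "hive/sandbox.hortonworks.com@EXAMPLE.COM"

if __name__ == "__main__":
    for rules in (PAGE_RULES, VARIANT_RULES):
        print(to_short_name(PRINCIPAL, rules, "EXAMPLE.COM"))
```

On a live cluster, `hadoop org.apache.hadoop.security.HadoopKerberosName <principal>` prints the short name Hadoop itself derives from the configured rules.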

Re: Kerberos principal should have 3 parts in sandbox HDP 2.5

New Contributor

Hi, I have the exact same problem. I am using the Spark thrift server with the following configuration in hive-site.xml:

<configuration>
<!--
    <property>
       <name>hive.server2.transport.mode</name>
       <value>http</value>
    </property>
-->
        <property>
             <name>hive.server2.authentication</name>
             <value>KERBEROS</value>
        </property>
        <property>
              <name>hive.metastore.kerberos.principal</name>
              <value>thrift/iman@EXAMPLE.COM</value>
        </property>
        <property>
              <name>hive.server2.authentication.kerberos.principal</name>
              <value>thrift/iman@EXAMPLE.COM</value>
        </property>
        <property>
             <name>hive.server2.authentication.kerberos.keytab</name>
             <value>/opt/nginx/iman.keytab</value>
             <description>Keytab file for Spark Thrift server principal</description>  
        </property>
</configuration>

When I start the thrift server by running start-thriftserver.sh, the following error occurs:

18/02/19 18:16:57 ERROR ThriftCLIService: Error starting HiveServer2: could not start ThriftBinaryCLIService
javax.security.auth.login.LoginException: Kerberos principal should have 3 parts: spark
        at org.apache.hive.service.auth.HiveAuthFactory.getAuthTransFactory(HiveAuthFactory.java:148)
        at org.apache.hive.service.cli.thrift.ThriftBinaryCLIService.run(ThriftBinaryCLIService.java:58)
        at java.lang.Thread.run(Thread.java:748)
18/02/19 18:16:57 INFO HiveServer2: Shutting down HiveServer2


It seems like thrift is mistakenly taking the current user name (spark) as the principal name, but if I omit hive.server2.authentication.kerberos.principal from the config file it results in a "no principal specified" error, so it's not missing the configuration entry.

I've had a frustrating time with Kerberos and Apache Thrift. Can anyone please help? Thanks in advance.
