Support Questions

Find answers, ask questions, and share your expertise

Knox to HS2 gives response 401

avatar

Hi everyone,

I am facing an issue that bruns my brain for a couple of days; hope you will help me managing this.

I have a Hive Server 2 running in HTTP mode with Kerberos and I can connect well using beeline from another server of my cluster using bellow JDBC URi (after getting a Kerberos ticket with kinit):

jdbc:hive2://my_hive_server:10011/;principal=myprincipal/hostname@domain;transportMode=http;httpPath=cliservice

The problem comes when I try to connect to this Hive Server through Knox with LDAP user credentials; it gives me response 401 error. I have tried many configurations found on this community site and googling, but without success.

Same issue occurs using curl command:

curl -iv -k -u myuser:mypasswd -X GET 'https://my_knox_hostname:9443/gateway/default/hive/?op=LISTSTATUS'

* Server auth using Basic with user 'myuser'

> GET /gateway/default/hive/?op=LISTSTATUS HTTP/1.1

> Authorization: Basic WDExMTExNTpoYWhhaGE=

> User-Agent: curl/7.29.0 > Host: my_knox_hostname:9443

> Accept: */* >

< HTTP/1.1 401 Unauthorized

HTTP/1.1 401 Unauthorized

< Date: Mon, 04 Jun 2018 07:46:45 GMT Date: Mon, 04 Jun 2018 07:46:45 GMT

< Set-Cookie: JSESSIONID=5v2868pq8l6m1mc3lt5u6l156;Path=/gateway/default;Secure;HttpOnly

Set-Cookie: JSESSIONID=5v2868pq8l6m1mc3lt5u6l156;Path=/gateway/default;Secure;HttpOnly

< Expires: Thu, 01 Jan 1970 00:00:00 GMT

Expires: Thu, 01 Jan 1970 00:00:00 GMT

< Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Sun, 03-Jun-2018 07:46:45 GMT

Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Sun, 03-Jun-2018 07:46:45 GMT

< Server: Jetty(7.6.0.v20120127)

Server: Jetty(7.6.0.v20120127)

< Content-Length: 69

Content-Length: 69


<

Authentication Error: java.lang.reflect.UndeclaredThrowableException

* Connection #0 to host my_knox_hostname left intact

Some help would be appreciated; thnak you in advance.

Regards.

15 REPLIES 15

avatar
Contributor

Hello,

If you have kerberos, first do a kinit with your user account then add the --negotiate parameter to curl command to be like this

curl -iv --negotiate -u : "http://....."

avatar

@Hernán Fernández let me try this and I will come back to you.

Thank you.

avatar

@Hernán Fernández Here is result of bellow command:

curl -ivk --negotiate -u myuser:mypasswd 'https://my_knox_hostname:9443/gateway/default/hive/?op=LISTSTATUS'
* About to connect() to my_knox_hostname port 9443 (#0) * Trying XXX.XXX.XXX.XXX... * Connected to my_knox_hostname (XXX.XXX.XXX.XXX) port 9443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * * * > GET /gateway/default/hive/?op=LISTSTATUS HTTP/1.1 > User-Agent: curl/7.29.0 > Host: my_knox_hostname:9443 > Accept: */* > < HTTP/1.1 401 Unauthorized HTTP/1.1 401 Unauthorized < Date: Thu, 07 Jun 2018 14:41:27 GMT Date: Thu, 07 Jun 2018 14:41:27 GMT < WWW-Authenticate: BASIC realm="application" WWW-Authenticate: BASIC realm="application" < Content-Length: 0 Content-Length: 0 < Server: Jetty(9.2.15.v20160210) Server: Jetty(9.2.15.v20160210) < * Connection #0 to host my_knox_hostname left intact

avatar
Contributor

@Pirlouis Pirlouis

do a kinit with your user and run the curl without "myuser:mypasswd"

avatar

@Hernán Fernández same thing. Here is the command I typed:

curl -ivk --negotiate 'https://my_knox_hostname:9443/gateway/default/hive/?op=LISTSTATUS'

avatar

@Hernán Fernández do you have any other ideas, please ?

avatar

@Pirlouis Pirlouis

You should use a jdbc/odbc client (instead of direct curl commands to knox-hive). Try this:

# beeline
> !connect jdbc:hive2://my_knox_hostname:9443/;ssl=true;sslTrustStore=/var/lib/knox/data-*/security/keystores/gateway.jks;trustStorePassword=knox;transportMode=http;httpPath=gateway/default/hive

Above will prompt for user and password (type the same myuser:mypasswd)

For more information read here: https://hortonworks.com/blog/secure-jdbc-odbc-clients-access-hiveserver2/

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

avatar

Thank you Felix Albani for your answer.

I forgot to mention that I get 401 reponse error using a similar beeline:

!connect jdbc:hive2://my_knox_hostname:9443/;ssl=true;transportMode=http;httpPath=gateway/default/hive;sslTrustStore=/etc/pki/ca-trust/extracted/java/cacerts;trustStorePassword=trust_passwd

avatar

@Pirlouis Pirlouis what is the full error stack you see while running beeline? Also tail -f the /var/log/hive/hiveserver2.log (hiveserver2 host) and the /var/log/knox/gateway.log (knox host) while running the beeline !connect, hopefully we will get more details as to why is failing.