LDAP: error code 49 when setting LDAP auth for HiveServer2
Labels: Apache Hive
Created on ‎02-09-2016 04:20 PM - edited ‎08-19-2019 02:05 AM
Hello Gurus :) HDP 2.3.2 Ambari 2.1.2.1
I'm trying to set up HiveServer2 with LDAP authentication. It seems pretty straightforward. I performed the following: changed HiveServer2 Authentication to LDAP.
Then I set up my LDAP server URL (as Ambari requested):
Restarted Hive, but hiveserver2.log shows the following during its startup:
ERROR [HiveServer2-Handler-Pool: Thread-56]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]]]
According to the error LDAP 49 - 52e, the problem is with the credentials that were passed to the LDAP server. I don't find any field \ parameter in which I set the LDAP user & password for authentication... Needless to say, the authentication acts as if it is set to NONE (which is a major problem....)
Any ideas ? Thanks in advance Adi J.
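For triage of the error quoted above, the following added example (not part of the original thread and not Hive code) pulls the LDAP result code and the Active Directory `data` sub-code out of hiveserver2.log lines and counts failures by type. The function names and the third sample line are constructed for illustration; the first two sample lines are the tails of the exceptions quoted in this thread.

```python
import re
from collections import Counter

# LDAP result codes that appear in this thread (RFC 4511 names).
LDAP_RESULT = {32: "noSuchObject", 49: "invalidCredentials"}

# Active Directory sub-codes carried in the "data" field of a code 49 failure.
AD_SUBCODE = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAP_ERR = re.compile(r"\[LDAP: error code (\d+) - ([^\]]*)\]")
AD_DATA = re.compile(r"\bdata ([0-9a-fA-F]+)\b")

def classify(line):
    """Return (code, code_name, ad_subcode, ad_meaning), or None if no LDAP error."""
    m = LDAP_ERR.search(line)
    if m is None:
        return None
    code = int(m.group(1))
    sub = meaning = None
    d = AD_DATA.search(m.group(2))
    if code == 49 and d:  # the AD sub-code only accompanies bind failures
        sub = d.group(1).lower()
        meaning = AD_SUBCODE.get(sub, "unmapped sub-code")
    return code, LDAP_RESULT.get(code, "unmapped result code"), sub, meaning

def summarize(lines):
    """Count LDAP failures per (result code, AD sub-code) across log lines."""
    hits = (classify(line) for line in lines)
    return Counter((h[0], h[2]) for h in hits if h)

# Lines 1-2: tails of the exceptions quoted in this thread. Line 3: constructed.
SAMPLE_LOG = [
    "[Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]]]",
    "[Caused by javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]]]",
    "[Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1]]]",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print(dict(summarize(SAMPLE_LOG)))
```

A rising count of `(49, "775")` means accounts are being locked out by repeated failed binds, while code 32 points at a bind name or base DN that does not exist in the directory rather than at a wrong password.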
Created ‎02-10-2016 09:02 PM
Is this happening when HS2 is started ONLY or when you connect via Beeline or both?
Try the following:
- Your hive.server2.authentication.ldap.baseDN has a blank space. Remove the blank space and restart HS2 from Hosts in Ambari
  #From
  <property>
    <name>hive.server2.authentication.ldap.baseDN</name>
    <value> </value>
  </property>
  #To
  <property>
    <name>hive.server2.authentication.ldap.baseDN</name>
    <value></value>
  </property>
- Remove hive.server2.authentication.ldap.Domain or set to Blank. Then log into HS2 using beeline and set your user to myuser@corp.cellcom.co.il as your login and see if it authenticates
- Set hive.server2.enable.doAs to False so that the Hive user executes the query.
- If you are using a Hive AD user, double-check that the hive AD UID is the same in the /etc/passwd file. Make an archive of the HS2 logs, change /etc/passwd to have the same UUID as the AD hive user, and restart HS2.
Created ‎06-29-2020 01:59 AM
Hi @Adija1.
Have you ever managed to find out where to indicate the username and password for hiveserver2 to be able to auth against AD LDAP?
I currently have this error:
Created ‎02-10-2016 07:17 AM
@Neeraj Sabharwal Sure, hive-site.xml. FYI - I've marked out the domain controller name for security reasons. In the original file the real name is there, of course.
Created ‎02-10-2016 09:34 AM
@Adi Jabkowsky Thanks! Did you the text file that I shared?
Created ‎02-10-2016 09:57 AM
I went through the text file you uploaded and you can see these values in my hive-site.xml file. LDAP is there and also the LDAP URL. I also added hive.server2.authentication.ldap.Domain because we use Active Directory (not OpenLDAP). What I'm missing is the manager DN. There has to be a value where I set a user for authenticating against Active Directory, but I don't find anything in your documentation about it. I did set up authentication for HUE & Ambari without problems and both use a specific user for authentication...
Created ‎02-10-2016 09:59 AM
@Adi Jabkowsky Is your system/server synced with AD? When I enabled LDAP for hive, I did follow this http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/
Created ‎02-10-2016 10:52 AM
@Neeraj Sabharwal This documentation is about group mapping. It is useful when you want to add permission to groups from AD to HDFS (this is why the mapping is done in core-site.xml which is in HDFS). Unfortunately it has nothing to do with hive authentication :( If your hive is set to authenticate against AD - could you maybe look in your hiveserver2.log and check for anything regarding LDAP during hive startup ? Maybe it will give a clue.
Created ‎02-10-2016 10:59 AM
@Adi Jabkowsky That's the option when your server is not synced with LDAP.
Is your system/server synced with AD? Are you able to login to server using AD account?
Created ‎02-10-2016 11:05 AM
@Neeraj Sabharwal The Linux server where hive is installed isn't connected to AD. We only use local accounts. But hive is a service, just like Ambari & Hue. We log in to Ambari & Hue, which are running on the same machine, using our AD accounts, because those services are configured to authenticate using AD.
Created ‎02-10-2016 11:09 AM
What error do you get when you log in to beeline and provide your LDAP username and password? I am getting this error:
2: jdbc:hive2://localhost:10000 (closed)> !connect jdbc:hive2://localhost:10000
Connecting to jdbc:hive2://localhost:10000
Enter username for jdbc:hive2://localhost:10000: aa
Enter password for jdbc:hive2://localhost:10000: **
Error: Could not open client transport with JDBC Uri: jdbc:hive2://localhost:10000: Peer indicated failure: Error validating the login (state=08S01,code=0)
3: jdbc:hive2://localhost:10000 (closed)>
Created on ‎02-10-2016 11:45 AM - edited ‎08-19-2019 02:05 AM
@Neeraj Sabharwal I get this error:
Error: Could not open client transport with JDBC Uri: jdbc:hive2://localhost:10010/default: Peer indicated failure: Error validating the login (state=08S01,code=0)
Which means that LDAP auth doesn't work. Also you can see that HUE is also not working (beeswax also complains about an authentication problem).
Created ‎02-10-2016 12:23 PM
@Adi Jabkowsky I am replicating this
Are you getting this in your hive logs?
2016-02-10 04:23:51,190 ERROR [HiveServer2-Handler-Pool: Thread-45]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]]]
at org.apache.hive.service.auth.PlainSaslServer.evalu
