Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

LDAP: error code 49 when setting LDAP auth for HiveServer2

Labels:
avatar
author-rank Adija1
Super Collaborator

Created on ‎02-09-2016 04:20 PM - edited ‎08-19-2019 02:05 AM

Hello Gurus :) HDP 2.3.2 Ambari 2.1.2.1

I'm trying to setup HiveServer2 with LDAP authentication. It seems pretty straightforward: I performed the following: Changed HiveServer2 Authentication to LDAP

1954-1.png Then i setup my LDAP server url (as the Ambari requested): 1955-2.png Restarted the Hive but hiveserver2.log shows the following during it's startup: ERROR [HiveServer2-Handler-Pool: Thread-56]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]]]

According to the error LDAP 49 - 52e the problem is with the credentials that were passed to the LDAP server. I don't find any field \ parameter in which i set the LDAP user & password for authentication... Needless to say that the authentication acts as if it is set to NONE (which is a major problem....)

Any ideas ? Thanks in advance Adi J.

42,394 Views
0
2 ACCEPTED SOLUTIONS

avatar
author-rank amcbarnett
Guru

Created ‎02-10-2016 09:02 PM

@Adi Jabkowsky

Is this happening when HS2 is started ONLY or when you connect via Beeline or both?

Try the following:

  1. Your hive.server2.authentication.ldap.baseDN has a blank space. Remove the blank space and restart HS2 from Hosts in Ambari 
    #From
<property>
<name>hive.server2.authentication.ldap.baseDN</name>
<value> </value>
</property>

#To
<property>
<name>hive.server2.authentication.ldap.baseDN</name>
<value></value>
</property>
  2. Remove hive.server2.authentication.ldap.Domain or set to Blank. Then log into HS2 using beeline and set your user to myuser@corp.cellcom.co.il as your login and see if it authenticates
  3. Set hive.server2.enable.doAs to False so that Hive user executes the query,
  4. If you are using a Hive AD user, Double check that the hive AD UID is the same in /etc/passwd file. Make an archive of HS2 Logs, change /etc/passwd to have the same UUID as the AD hive user, and restart HS2.

View solution in original post

40,858 Views
0

avatar
author-rank florianc
Explorer

Created ‎06-29-2020 01:59 AM

Hi  @Adija1 .

 

Have you hever managed to find out where to indicate username and password for hiveserver2 to be able to auth against Ad LDAP ?

 

I currently have this error:

 

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580]
 
But I have nowhere in Hive config (Ambari 3.1) to say what user and password to use, and even though this question has been asked at least twice on this post, no one answered...

View solution in original post

36,199 Views
0 Kudos
0
41 REPLIES 41

avatar
author-rank amiller
Guru

Created ‎02-10-2016 07:09 PM

@Adi Jabkowsky I think it attempts to bind as the user being authenticated.

Additional LDAP properties are available in Hive 1.3:

https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2#SettingUpHiveServer2-Authent...

6,366 Views

avatar
author-rank Adija1
Super Collaborator

Created ‎02-10-2016 08:29 PM

@Alex Miller

As far as i know HDP 2.3.4 which the latest available form Hortonworks comes with hive 1.2.1 so if i want a higher version of hive i need to install it separately and it won't be managed under Ambari. I'd rather stay with the current 1.2.1 which is pretty high. Anyways - i really would be glad to get in touch with anyone on this planet who has managed to configure AD authentication for hive :)

6,360 Views

avatar
author-rank nsabharwal
Master Mentor

Created on ‎02-10-2016 08:32 PM - edited ‎08-19-2019 02:05 AM

@Adi Jabkowsky

Please see this ..I am able to login using ldap credentials

You have to have correcy baseDN

2005-screen-shot-2016-02-10-at-33110-pm.png

2006-screen-shot-2016-02-10-at-33141-pm.png

6,513 Views

avatar
author-rank nsabharwal
Master Mentor

Created ‎02-10-2016 08:32 PM

@Adi Jabkowsky Its openldap

6,513 Views
0 Kudos

avatar
author-rank amcbarnett
Guru

Created ‎02-10-2016 09:02 PM

@Adi Jabkowsky

Is this happening when HS2 is started ONLY or when you connect via Beeline or both?

Try the following:

  1. Your hive.server2.authentication.ldap.baseDN has a blank space. Remove the blank space and restart HS2 from Hosts in Ambari 
    #From
<property>
<name>hive.server2.authentication.ldap.baseDN</name>
<value> </value>
</property>

#To
<property>
<name>hive.server2.authentication.ldap.baseDN</name>
<value></value>
</property>
  2. Remove hive.server2.authentication.ldap.Domain or set to Blank. Then log into HS2 using beeline and set your user to myuser@corp.cellcom.co.il as your login and see if it authenticates
  3. Set hive.server2.enable.doAs to False so that Hive user executes the query,
  4. If you are using a Hive AD user, Double check that the hive AD UID is the same in /etc/passwd file. Make an archive of HS2 Logs, change /etc/passwd to have the same UUID as the AD hive user, and restart HS2.
40,859 Views
0

avatar
author-rank Adija1
Super Collaborator

Created ‎02-11-2016 09:21 AM

@Ancil McBarnett

Hi Ancil and thank you for your response! Good observation about the blank space ! I removed it and yet unable to authenticate (using beeline). However - i was able to authenticate after disabling the doAs !!! The doAs is important to me because if i understand correct, when doAs is disabled - all of the Hive queries are performed as the hive user and not as the end user. It's a problematic for auditing. I need to know exactly who performed the queries.... I wanna experiment a little bit more and get back to you all with my results.

Thanks!!

6,513 Views

avatar
author-rank Adija1
Super Collaborator

Created ‎02-11-2016 12:41 PM

@Ancil McBarnett

Ancil you hit the nail right on the head ! Here are the final results:

1. When changing hive auth to LDAP in Ambari - a blank space is added to hive.server2.authentication.ldap.baseDN. That is a problem and must be taken care of!

2. Disabling doAs fixes the auth and also maintains the end user that queries ! (So i'm not sure what's the purpose of this value...)

3. hive.server2.authentication.ldap.Domain doesn't work. Only after removing it and using FQDN for authentication works.

Thank you Ancil and thank you all for helping out. This forum is awesome !!

6,513 Views

avatar
author-rank frank93
Super Collaborator

Created ‎03-11-2016 10:02 AM

Hi, I have exactly the same problem. I have done everything like Adi wrote and still got LDAP 49/52e. I can log in to ldapadmin using the same credentials as beeline rejects the authenticate.

6,513 Views
0 Kudos

avatar
author-rank Adija1
Super Collaborator

Created ‎02-11-2016 12:43 PM

@Neeraj Sabharwal Thank you so much for helping !!

6,513 Views

avatar
author-rank All
Explorer

Created ‎05-18-2016 12:42 PM

@Adi jabkowsky With your Previous issue you can use without any changes. You have to enter username@REALM then Password, It will work defiantly 🙂

6,513 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements