Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Advanced Search

Secured Hive Streaming Kerberos Exception

Highlighted

Secured Hive Streaming Kerberos Exception

opaoeyes
Explorer

Created ‎07-18-2017 02:45 PM

Hello,

I am using secured hive streaming , in a cluster with Kerberos Authentication.

I use hadoop : 2.7.3.2.6.1.0-129

hive : 1.2.1000.2.6.1.0-129

I am able to get the Ugi authenticated with my kerberos id and keytab at 

ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("user@XX.YYYY.NET", "/home/xx/user.keytab");

but later when the fetchTransactionBatch is called, Kerberos IO failure occurs at 

TransactionBatch txnBatch = secureConn.fetchTransactionBatch(numTrx, writer);

code snippet:

HiveEndPoint hiveEP = new HiveEndPoint(hiveConf.getVar(ConfVars.METASTOREURIS), database, table, partArray);
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos");
System.setProperty( "java.security.krb5.conf", "//etc//krb5.conf");
UserGroupInformation ugi;
UserGroupInformation.setConfiguration(conf);
ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("user@XX.YYYY.NET", "/home/xx/user.keytab");
if (ugi==null)
{
return;
}
UserGroupInformation.setLoginUser(ugi);
StreamingConnection secureConn = hiveEP.newConnection(true, hiveConf, ugi);
int numTrx = 2;
String[] fieldNames = {"number", "name"};
boolean ifc = ugi.hasKerberosCredentials();
DelimitedInputWriter writer = new DelimitedInputWriter(fieldNames,",", hiveEP);
TransactionBatch txnBatch = secureConn.fetchTransactionBatch(numTrx, writer);

Exception at : TransactionBatch txnBatch = secureConn.fetchTransactionBatch(numTrx, writer);

java.lang.reflect.UndeclaredThrowableException at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1884) at org.apache.hive.hcatalog.streaming.HiveEndPoint$ConnectionImpl.fetchTransactionBatch(HiveEndPoint.java:424) at ns.KClass.<init>(KClass.java:112) at ns.KClass.main(KClass.java:45) Caused by: org.apache.hive.hcatalog.streaming.StreamingIOFailure: Failed creating RecordUpdaterS for hdfs://MAIN/hdfs/path/to/database.db/acid1 txnIds[113,114] at org.apache.hive.hcatalog.streaming.AbstractRecordWriter.newBatch(AbstractRecordWriter.java:193)

caused by: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "lh.net/1.2.3.4"; destination host is: "yyy.net":8020;

Can someone tell me how to solve this exception and get the Transaction batch.

Thanks.

Reply
726 Views
0 Kudos
1 REPLY 1
Highlighted

Re: Secured Hive Streaming Kerberos Exception

mqureshi
Super Guru

Created ‎07-18-2017 04:36 PM

@Opao E

If I understand correctly, you need to provide kerberos principal for hive in your UGI call and then pass your "user@XX.MADM.NET" as proxy.

UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI (configurationService.kerberos_principal, configurationService.kerberos_keytab);
//kerberos principal here is:
/* <property>
  <name>hive.server2.authentication.kerberos.principal</name>
  <value>hive/_HOST@YOUR-REALM.COM</value>
</property>
*/
Class.forName(configurationService.hive_JDBC_DRIVER);

String uri = configurationService.hive_JDBC_DB_URL + "/" + db + ";principal=" +
configurationService.kerberos_hiveServer2Principal
+ ";hive.server2.proxy.user=" + UserUtil.getUserName(); //replace UserUtil.getUserName() with your username.
Reply
265 Views
0 Kudos
Don't have an account?
Register