Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Should Nifi be kerberized in order to access Kerberized Hive?

Should Nifi be kerberized in order to access Kerberized Hive?

Contributor

When I am trying to connect to Secure Hive from an Unsecured Nifi, getting the below error -

Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at org.apache.hive.service.auth.HttpAuthUtils$HttpKerberosClientAction.run(HttpAuthUtils.java:183)
        at org.apache.hive.service.auth.HttpAuthUtils$HttpKerberosClientAction.run(HttpAuthUtils.java:151)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
        ... 45 common frames omitted

39548-capture.png

Should Nifi be kerberized in order to access Kerberized Hive? Is any additional required?

12 REPLIES 12

Re: Should Nifi be kerberized in order to access Kerberized Hive?

Expert Contributor

Hi @Hemant,

No Nifi doesn't need to be kerberized but you need to install the kerberos client on the os (where nifi is installed) in order to be able to request a ticket.

Michel

Re: Should Nifi be kerberized in order to access Kerberized Hive?

Contributor

Hello @msumbul Kerberos client is installed and I am able to access HDFS without any issues but when I am trying to connect to Hive I am facing the error - errorlog.txt

Re: Should Nifi be kerberized in order to access Kerberized Hive?

Expert Contributor

Hi @Hemant,

Did you configure the nifi.kerberos.krb5.file in your nifi.properties?

Re: Should Nifi be kerberized in order to access Kerberized Hive?

Expert Contributor

For info, I think that once you configure that property, you need to restart nifi

Re: Should Nifi be kerberized in order to access Kerberized Hive?

Contributor

Hello @msumbul

nifi.kerberos.krb5.file is configured in the properties file.

,

Re: Should Nifi be kerberized in order to access Kerberized Hive?

Expert Contributor

@Hemant

for the user do you have this structure: hive/FQDN@MY_REALM ?

Re: Should Nifi be kerberized in order to access Kerberized Hive?

Contributor

@msumbul Yes, The principal is in the standard format

Re: Should Nifi be kerberized in order to access Kerberized Hive?

Expert Contributor

@Hemant,

You said that you were able to interact with hdfs from the host that has nifi. How did you get the ticket to interact wit hdfs? Are you able to create a ticket with the user and keytab mentionned in the configuration or the processor? (Just to be sure that the key tab is working well

Re: Should Nifi be kerberized in order to access Kerberized Hive?

Expert Contributor

can nifi user access that keytab? try using the keytab with kinit and try to connect with beeline and see if that works. also you can try adding this property to nifi -Dsun.security.krb5.debug=true , that will give you some detailed logs to figure if there is anything wrong with the TGT.

Don't have an account?
Coming from Hortonworks? Activate your account here