
Unable to configure hive to use ldap auth


Environment

 

HDP-3.1.0.0

Hive3.0.0.3.1

 

Context

 

I am trying to configure hive to use LDAP (AD). But hiveserver2 throws errors when restarted. Similar errors are visible when connecting to beeline.

 

Configuration

hive-site.xml (truncated)

<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
    <property>
        <name>hive.server2.enable.doAs</name>
        <value>false</value>
    </property>

    <property>
        <name>hive.server2.authentication</name>
        <value>LDAP</value>
    </property>

    <property>
        <name>hive.server2.authentication.ldap.baseDN</name>
        <value>DC=MYDC,DC=MYDC</value>
    </property>

    <property>
        <name>hive.server2.authentication.ldap.Domain</name>
        <value>DOMAIN</value>
    </property>

    <property>
        <name>hive.server2.authentication.ldap.url</name>
        <value>ldap:node:port</value>
    </property>
</configuration>

Errors

In hiveserver2.log

2020-06-24T07:04:49,054 ERROR [HiveServer2-Handler-Pool: Thread-60]: transport.TSaslTransport (:()) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login
        at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:110) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_112]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_112]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user
        at org.apache.hive.service.auth.ldap.LdapSearchFactory.getInstance(LdapSearchFactory.java:48) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.createDirSearch(LdapAuthenticationProviderImpl.java:92) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:72) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:107) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:103) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        ... 8 more
Caused by: javax.naming.InvalidNameException: Invalid name: node:port
        at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111) ~[?:1.8.0_112]
        at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:70) ~[?:1.8.0_112]
        at javax.naming.ldap.LdapName.parse(LdapName.java:785) ~[?:1.8.0_112]
        at javax.naming.ldap.LdapName.<init>(LdapName.java:123) ~[?:1.8.0_112]
        at com.sun.jndi.ldap.ServiceLocator.mapDnToDomainName(ServiceLocator.java:72) ~[?:1.8.0_112]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) ~[?:1.8.0_112]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_112]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_112]
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_112]
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_112]
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_112]
        at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_112]
        at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[?:1.8.0_112]
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[?:1.8.0_112]
        at org.apache.hive.service.auth.ldap.LdapSearchFactory.createDirContext(LdapSearchFactory.java:62) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.ldap.LdapSearchFactory.getInstance(LdapSearchFactory.java:44) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.createDirSearch(LdapAuthenticationProviderImpl.java:92) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:72) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:107) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:103) ~[hive-service-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        ... 8 more
2020-06-24T07:04:49,063 ERROR [HiveServer2-Handler-Pool: Thread-60]: server.TThreadPoolServer (:()) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Error validating the login
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_112]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_112]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
Caused by: org.apache.thrift.transport.TTransportException: Error validating the login
        at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-3.1.0.3.1.0.0-78.jar:3.1.0.3.1.0.0-78]

 

 

 

When running the beeline command

SLF4J: Class path contains multiple SLF4J bindings. 

SLF4J: Found binding in [jar:file:/usr/hdp/3.1.0.0-78/hive/lib/log4j-slf4j-impl-2.10.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]

SLF4J: Found binding in [jar:file:/usr/hdp/3.1.0.0-78/hadoop/lib/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]

SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.

SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]

Connecting to jdbc:hive2://sgdcdlk25.xxx.loc:2181,sgdcdlk26.xxx.loc:2181,sgdcdlk24.xxx.loc:2181/default;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2

Enter username for jdbc:hive2://sgdcdlk25.x.loc:2181,sgdcdlk26.xxx.loc:2181,sgdcdlk24.xxx.loc:2181/default: castelainf

Enter password for jdbc:hive2://sgdcdlk25.xxx.loc:2181,sgdcdlk26.xxx.loc:2181,sgdcdlk24.xxx.loc:2181/default: ******************

20/06/24 08:08:10 [main]: WARN jdbc.HiveConnection: Failed to connect to sgdcdlk26.xxx.loc:10000

20/06/24 08:08:10 [main]: ERROR jdbc.Utils: Unable to read HiveServer2 configs from ZooKeeper

Unknown HS2 problem when communicating with Thrift server.

Error: Could not open client transport for any of the Server URI's in ZooKeeper: Peer indicated failure: Error validating the login (state=08S01,code=0)

Beeline version 3.1.0.3.1.0.0-78 by Apache Hive

beeline>
1 ACCEPTED SOLUTION


The error was in the LDAP URL.

I put ldap://host:port

But it should be: ldaps://host
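
A pre-flight check for the setting that failed in this thread, added here as an example (not code from the post or from Hive): it parses hive-site.xml and validates `hive.server2.authentication.ldap.url` before HiveServer2 is restarted. The function names and the host `ad01.example.test` are assumptions; a value with no `//host` part, like the `ldap:node:port` in the question, is what reaches the DN parser in the stack trace above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

URL_KEY = "hive.server2.authentication.ldap.url"
# Constructed sample carrying the URL value from the question's hive-site.xml.
SAMPLE_BROKEN = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name><value>ldap:node:port</value></property>
</configuration>"""

def load_properties(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_ldap_url(url):
    """Return a list of (severity, message) findings for one LDAP URL."""
    try:
        parts = urlsplit(url)
        parts.port  # property access raises ValueError for a non-numeric port
    except ValueError as exc:
        return [("error", f"{url!r}: {exc}")]
    if parts.scheme not in ("ldap", "ldaps"):
        return [("error", f"{url!r}: scheme must be ldap or ldaps")]
    if not parts.hostname:
        return [("error", f"{url!r}: no //host part, so the JNDI provider "
                          "parses the remainder as a DN")]
    if parts.scheme == "ldap":
        return [("warning", f"{url!r}: ldap:// does not use TLS for the "
                            "password bind; prefer ldaps://")]
    return []

def check_hive_site(xml_text):
    """Validate the LDAP URL(s) when HiveServer2 is set to LDAP authentication."""
    props = load_properties(xml_text)
    if props.get("hive.server2.authentication", "").upper() != "LDAP":
        return []
    urls = props.get(URL_KEY, "").split()  # Hive accepts space-separated URLs
    if not urls:
        return [("error", f"{URL_KEY} is not set")]
    return [finding for url in urls for finding in check_ldap_url(url)]

if __name__ == "__main__":
    for severity, message in check_hive_site(SAMPLE_BROKEN):
        print(severity.upper(), message)
```
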
