Changed hostname in connection string. Used FQDN:
beeline> !connect jdbc:hive2://sandbox.hortonworks.com:10000/default;principal=hive/sandbox.hortonworks.com@EXAMPLE.COM
Connecting to jdbc:hive2://sandbox.hortonworks.com:10000/default;principal=hive/sandbox.hortonworks.com@EXAMPLE.COM
Enter username for jdbc:hive2://sandbox.hortonworks.com:10000/default;principal=hive/sandbox.hortonworks.com@EXAMPLE.COM:
Enter password for jdbc:hive2://sandbox.hortonworks.com:10000/default;principal=hive/sandbox.hortonworks.com@EXAMPLE.COM:
16/01/10 16:55:49 [main]: ERROR transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
I cannot understand it. The Hiveserver2 log does not help; it shows the same as the beeline output.
I can re-init.
Is there any method to validate my tgt?
It's good for hdfs:
[margusja@sandbox ~]$ hdfs dfs -ls /
Found 9 items
A few things to double check:
1. Is there any message on the Hiveserver2 that correlates to the Beeline error?
2. Can you double check that you have the Unlimited Strength Key JCE Policy installed correctly and that alternatives is pointing at the copy of java that has this policy? (I'm noticing that your KRB ticket only supports AES256.)
3. Set system property
true on your JVM and see if you can get any details from the debug logs.
You can use beeline to connect from an edge-node server to hiveserver2. Below is an example:
beeline -u "jdbc:hive2://127.0.0.1:10000/default;principal=hive/sandbox.hortonworks.com@EXAMPLE.COM;auth=kerberos" -n <user>
The key part of this example is the JDBC URL that has to be provided for Kerberos authentication to work correctly. Note the main sections of the JDBC URL:
jdbc:hive2://127.0.0.1:10000/default
principal=hive/sandbox.hortonworks.com@EXAMPLE.COM
auth=kerberos
The first part is a standard JDBC URL that provides information about the driver (hive2), the hostname (127.0.0.1), the port number (10000), and the default database (default).
The second part is special to Kerberos. It tells you what service principal is used to authenticate to this URL.
And the final step is to tell JDBC that you definitely want to do Kerberos authentication (auth=kerberos).
You'll also note that the command line for beeline included a specification that I wanted to connect with a specific username (-n <user>). This is required so that beeline knows what specific Kerberos TGT to look for.
All of this assumes that when you log in to the edge node server, you followed standard protocol to get a Kerberos TGT. (The profile is set up so that you're automatically prompted again for your password. This establishes your TGT.)
I do not know if it is the solution here, but one helpful thing is to enable Kerberos debug mode to see what Kerberos wants:
It helped me
Hi Margus, I am facing a similar issue and setting the debug flag is not helping me much. I tried all the various ways of logging in to beeline, with and without hive services tickets and also with different TGTs.
Following are some of my observations,
I can login to Hive CLI successfully
Ambari hive service check passed.
With a valid hive (or other) TGT, I am able to list the hdfs directories (hadoop fs -ls /).
Would you see any other check I might need to do here? Was your issue based on similar lines? Would you mind sharing the fix you made for the problem?
The issue with beeline access to hive when using Kerberos is that we need to use the "right principal" in the connection string - and it MUST be hive's principal.
1. So you must explicitly do a kinit and grab a valid ticket from Kerberos.
2. After you have a valid ticket - you can use the following URL to connect using beeline:
beeline -u "jdbc:hive2://<hive_server_name>:10000/<db_name>;principal=hive/<hostname>@<realm_name>"
This will do the trick.
In the connection string below:
beeline -u "jdbc:hive2://rjk-hdp25-s-01:2181,rjk-hdp25-s-02:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/rjk-hdp25-m-02@FIELD.HORTONWORKS.COM"
the principal hive/rjk-hdp25-m-02@FIELD.HORTONWORKS.COM is actually the one running the Hiveserver2
the user that you have just used to kinit with yourself just before you fired the beeline command!!!
Then it works. It is very very confusing, so beware!
To survive a hiveserver2 HA failover, the syntax:
I solved this problem after adding this property to core-site.xml.
<configuration>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
</configuration>
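
Added example, not from any poster in this thread: a small shell lint for the connection-string mistakes discussed above (no principal, a user principal where the HiveServer2 service principal belongs, a session parameter that is not key=value). The function name check_hive_url and the sample URLs are constructed for illustration; the function only inspects the string and does not contact Kerberos or HiveServer2.

```shell
#!/bin/sh
# Added example: lint a HiveServer2 JDBC URL for the Kerberos mistakes
# discussed in this thread. Prints one finding per line; returns 0 if clean.
check_hive_url() {
    hu_url=$1
    hu_principal=""
    hu_bad=0
    case $hu_url in
        jdbc:hive2://*) ;;
        *) echo "not a jdbc:hive2:// URL"; return 1 ;;
    esac
    hu_rest=${hu_url#jdbc:hive2://}
    # Session parameters are everything after the first ';'.
    case $hu_rest in
        *\;*) hu_params=${hu_rest#*;} ;;
        *)    hu_params="" ;;
    esac
    # Walk the ';'-separated key=value pairs one at a time.
    while [ -n "$hu_params" ]; do
        hu_kv=${hu_params%%;*}
        case $hu_params in
            *\;*) hu_params=${hu_params#*;} ;;
            *)    hu_params="" ;;
        esac
        case $hu_kv in
            principal=*) hu_principal=${hu_kv#principal=} ;;
            *=*|"") ;;
            *) echo "malformed parameter '$hu_kv' (expected key=value)"; hu_bad=1 ;;
        esac
    done
    if [ -z "$hu_principal" ]; then
        echo "no principal= parameter; Kerberos needs the HiveServer2 service principal"
        return 1
    fi
    # A service principal is service/host@REALM; a user principal has no '/'.
    case $hu_principal in
        */*@?*) ;;
        */*) echo "principal '$hu_principal' has no @REALM"; hu_bad=1 ;;
        *)   echo "principal '$hu_principal' has no /host part: looks like a user principal"; hu_bad=1 ;;
    esac
    return $hu_bad
}

# Constructed inputs (host and realm names reused from the thread's examples).
check_hive_url "jdbc:hive2://sandbox.hortonworks.com:10000/default;principal=hive/sandbox.hortonworks.com@EXAMPLE.COM" && echo "ok"
check_hive_url "jdbc:hive2://sandbox.hortonworks.com:10000/default;principal=margusja@EXAMPLE.COM" || true
```

A clean result says only that the URL has the service/host@REALM shape; whether a valid TGT exists for the connecting user still has to be checked with klist.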