
beeline and kerberos


Re: beeline and kerberos

Rising Star

Changed hostname in connection string. Used FQDN:

beeline> !connect jdbc:hive2://sandbox.hortonworks.com:10000/default;principal=hive/sandbox.hortonworks.com@EXAMPLE.COM
Connecting to jdbc:hive2://sandbox.hortonworks.com:10000/default;principal=hive/sandbox.hortonworks.com@EXAMPLE.COM
Enter username for jdbc:hive2://sandbox.hortonworks.com:10000/default;principal=hive/sandbox.hortonworks.com@EXAMPLE.COM:
Enter password for jdbc:hive2://sandbox.hortonworks.com:10000/default;principal=hive/sandbox.hortonworks.com@EXAMPLE.COM:
16/01/10 16:55:49 [main]: ERROR transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

I cannot understand. The Hiveserver2 log does not help; it shows the same as the beeline output.

I can re-init.

Is there any method to validate my tgt?

It's good for hdfs

[margusja@sandbox ~]$ hdfs dfs -ls /
Found 9 items

Re: beeline and kerberos

Contributor

A few things to double check:

1. Is there any message on the Hiveserver2 that correlates to the Beeline error?

2. Can you double check that you have the Unlimited Strength Key JCE Policy installed correctly and that alternatives is pointing at the copy of java that has this policy? (I'm noticing that your KRB Ticket only supports AES256.)

3. Set system property sun.security.krb5.debug to true on your JVM and see if you can get any details from the debug logs.


Re: beeline and kerberos

Explorer

You can use beeline to connect from an edge-node server to hiveserver2. Below is an example:

beeline -u "jdbc:hive2://127.0.0.1:10000/default;principal=hive/sandbox.hortonworks.com@EXAMPLE.COM;auth=kerberos" -n <user>

The key part of this example is the JDBC URL that has to be provided for Kerberos authentication to work correctly. Note the main sections of the JDBC URL: jdbc:hive2://127.0.0.1:10000/default; principal=hive/sandbox.hortonworks.com@EXAMPLE.COM; auth=kerberos

The first part is a standard JDBC URL that provides information about the driver (hive2), the hostname (127.0.0.1), the port number (10000), and the default database (default).

The second part is special to Kerberos. It tells you what service principal is used to authenticate to this URL.

And the final step is to tell JDBC that you definitely want to do Kerberos authentication (auth=kerberos)

You'll also note that the commandline for beeline included a specification that I wanted to connect with a specific username (-n <user> ). This is required so that beeline knows what specific kerberos TGT to look for.

All of this assumes that when you log in to the edge node server, you followed standard protocol to get a kerberos TGT. (The profile is set up so that you're automatically prompted again for your password. This establishes your TGT.)


Re: beeline and kerberos

Mentor

@Margus Roo are you still having issues with this? Can you accept best answer or provide your own solution?


Re: beeline and kerberos

Rising Star

I do not know if it is the solution here, but one helpful thing is to enable kerberos debug mode to see what kerberos wants:

export HADOOP_OPTS="-Dsun.security.krb5.debug=true"

It helped me


Re: beeline and kerberos

New Contributor

Hi Margus, I am facing a similar issue and setting the debug flag is not helping me much. I tried all the various ways of logging in to beeline, with and without hive service tickets and also with different TGTs.

Following are some of my observations:

I can login to Hive CLI successfully

Ambari hive service check passed.

With a valid hive (or other) TGT, I am able to list the hdfs directories (hadoop fs -ls /).

Would you see any other check I might need to do here? Was your issue along similar lines? Would you mind sharing the fix you made for the problem?

Thanks,

Bala


Re: beeline and kerberos

Explorer

Did you resolve the problem?

I have the same issue, in the sandbox 2.4.


Re: beeline and kerberos

New Contributor

The issue with beeline access to hive when using Kerberos is that we need to use the "right principal" in the connection string - and it MUST be hive's principal.

1. So you must explicitly do a kinit and grab a valid ticket from Kerberos.

2. After you have a valid ticket - you can use the following URL to connect using beeline:

beeline -u "jdbc:hive2://<hive_server_name>:10000/<db_name>;principal=hive/<hostname>@<realm_name>"

This will do the trick.


Re: beeline and kerberos

Super Collaborator

BEWARE !!

In the connection string below:

beeline -u "jdbc:hive2://rjk-hdp25-s-01:2181,rjk-hdp25-s-02:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/rjk-hdp25-m-02@FIELD.HORTONWORKS.COM"

the principal hive/rjk-hdp25-m-02@FIELD.HORTONWORKS.COM is actually the one running the Hiveserver2

AND NOT

the user that you have just kinit'ed with yourself just before you fired the beeline command !!!

Then it works. It is very very confusing, so beware!

To survive a hiveserver2 HA failover, the syntax:

hive/_HOST@FIELD.HORTONWORKS.COM

also works
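
The posts above agree that principal= must name the principal HiveServer2 runs as, not the user who ran kinit. An added example (not part of any post in this thread, and not Hive's own code) that checks a connection string for that mistake before it is handed to beeline; the function name and the sample hosts, realm and user are assumptions.

```python
import re

# service/host@REALM, the shape of a service principal such as HiveServer2's.
# "_HOST" is accepted as the host part, as in hive/_HOST@REALM.
SERVICE_PRINCIPAL = re.compile(r"^[^/@]+/[^/@]+@[^/@]+$")

def lint_hive2_url(url, kinit_principal=None):
    """Return a list of findings about the Kerberos part of a jdbc:hive2 URL."""
    prefix = "jdbc:hive2://"
    if not url.startswith(prefix):
        return ["not a jdbc:hive2:// URL"]
    # Session variables sit between the first ';' and any '?' or '#'.
    body = re.split(r"[?#]", url[len(prefix):], maxsplit=1)[0]
    _hosts_and_db, _, session = body.partition(";")
    params, findings = {}, []
    for item in filter(None, session.split(";")):
        key, sep, value = item.partition("=")
        if sep and key and value:
            params[key] = value
        else:
            findings.append(f"malformed session variable {item!r}")
    principal = params.get("principal")
    if principal is None:
        findings.append("no principal= set; HiveServer2's principal is required")
        return findings
    if not SERVICE_PRINCIPAL.match(principal):
        findings.append(f"{principal!r} is not of the form service/host@REALM")
    if kinit_principal is not None and principal == kinit_principal:
        findings.append("principal= is the kinit'ed user, not HiveServer2's principal")
    return findings

if __name__ == "__main__":
    # Constructed sample URLs; hosts, realm and user are placeholders.
    samples = [
        ("jdbc:hive2://hs2.example.com:10000/default;"
         "principal=hive/hs2.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM"),
        ("jdbc:hive2://zk1:2181,zk2:2181/;serviceDiscoveryMode=zooKeeper;"
         "zooKeeperNamespace=hiveserver2;principal=hive/_HOST@EXAMPLE.COM", None),
        ("jdbc:hive2://hs2.example.com:10000/default;"
         "principal=alice@EXAMPLE.COM", "alice@EXAMPLE.COM"),
    ]
    for url, user in samples:
        print(url, "->", lint_hive2_url(url, user) or "ok")
```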


Re: beeline and kerberos

Explorer

I solved this problem after adding this property to core-site.xml.

<configuration>
    <property>
      <name>hadoop.security.authentication</name>
      <value>kerberos</value>
    </property>
</configuration>