Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

hive HA ssl enabled access from knox not working

hive HA ssl enabled access from knox not working

New Contributor

Hi Team,

I'm trying to access hiveserver from beeline when both hiveserver is running then I'm able to connect but when I manually stop one server then it fails to connect. I was using HDP-2.3.4.0 as suggested in this blog by @Rishi https://community.hortonworks.com/questions/191091/knox-hive-ha-configuration-does-not-work-in-hdp-2... I upgraded my cluster to 2.5.6.2 I'm referring this steps for topology configuration https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/configure_knox_for_ha.h...

When I put service field blank it fails with target host is not defined error.

at java.lang.Thread.run(Thread.java:748) Caused by: org.apache.http.ProtocolException: Target host is not specified at org.apache.http.impl.conn.DefaultRoutePlanner.determineRoute(DefaultRoutePlanner.java:70) at org.apache.http.impl.client.InternalHttpClient.determineRoute(InternalHttpClient.java:124) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:183) ... 84 more

Configuation for Hive:

<provider>
    <role>ha</role>
    <name>HaProvider</name>
    <enabled>true</enabled>
    <param>
        <name>HIVE</name>
<value>maxFailoverAttempts=3;failoverSleep=1000;enabled=true;
zookeeperEnsemble=abcd:2181,
abce:2181,abcf:2181;zookeeperNamespace=hiveserver2</value>
</param>
</provider>
<service>
    <role>HIVE</role>
</service>

when I manually provide both Hiveserver2 urls it works

Example for Hive:

<provider>
    <role>ha</role>
    <name>HaProvider</name>
    <enabled>true</enabled>
    <param>
        <name>HIVE</name>
<value>maxFailoverAttempts=3;failoverSleep=1000;enabled=true;
zookeeperEnsemble=abcd:2181,
abce:2181,abcf:2181;zookeeperNamespace=hiveserver2</value>
</param>
</provider>
  <service>
  <role>HIVE</role>
<url>https://abcde:10001/cliservice</url>
<url>https://abcdef:10001/cliservice</url>
</service>

but the main issue is with when both hiveserver is running then I'm able to connect but when I manually stop one server then it fails to connect. it fails with below error :

Caused by: org.apache.shiro.subject.ExecutionException: java.security.PrivilegedActionException: java.io.IOException: Service connectivity error. at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:385) at org.apache.hadoop.gateway.filter.ShiroSubjectIdentityAdapter.doFilter(ShiroSubjectIdentityAdapter.java:74) at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332) at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232) at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) ... 46 more Caused by: java.security.PrivilegedActionException: java.io.IOException: Service connectivity error. at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.hadoop.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:129) at org.apache.hadoop.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:77) at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383) ... 52 more

I have already followed :

https://community.hortonworks.com/questions/191091/knox-hive-ha-configuration-does-not-work-in-hdp-2...

https://cwiki.apache.org/confluence/display/KNOX/Dynamic+HA+Provider+Configuration

https://gist.github.com/rajkrrsingh/e79c615d23562b606559ec65e5651e77

1 REPLY 1

Re: hive HA ssl enabled access from knox not working

New Contributor

@Arshadullah Khan

Even i have faced same issue Actually it doesn't work.

i think this is a bug. As we should connect to at least one hive server when HA is configured.

Bug is in Knox Gateway.