Created 11-14-2018 08:51 AM
Hi,
In our environment, Zeppelin worked fine when HS2 authentication was set to NONE.
But when HS2 is integrated with AD, beeline (using the same JDBC URL as in the JDBC configuration) works fine after AD integration, but when a user executes a query via a Zeppelin notebook the issue below is observed:
****************************************************************
Could not open client transport for any of the Server URI's in ZooKeeper: Peer indicated failure: Error validating the login
****************************************************************
Here are the logs from Zookeeper and HS2.
Logs are attached in attachments section and jdbc properties are attached.
Zookeeper throws no noticeable error.
==> zookeeper.log <==
2018-11-14 14:06:07,705 - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] - Accepted socket connection from /XXX.XX.X.XX:40246
2018-11-14 14:06:07,705 - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing ruok command from /XXX.XX.X.XX:40246
2018-11-14 14:06:07,709 - INFO [Thread-11787:NIOServerCnxn@1008] - Closed socket connection for client /XXX.XX.X.XX:40246 (no session established for client)
2018-11-14 14:07:07,720 - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] - Accepted socket connection from /XXX.XX.X.XX:40360
2018-11-14 14:07:07,721 - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing ruok command from /XXX.XX.X.XX:40360
2018-11-14 14:07:07,732 - INFO [Thread-11788:NIOServerCnxn@1008] - Closed socket connection for client /XXX.XX.X.XX:40360 (no session established for client)
2018-11-14 14:08:07,648 - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] - Accepted socket connection from /XXX.XX.X.XX:40490
2018-11-14 14:08:07,651 - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing ruok command from /XXX.XX.X.XX:40490
2018-11-14 14:08:07,652 - INFO [Thread-11789:NIOServerCnxn@1008] - Closed socket connection for client /XXX.XX.X.XX:40490 (no session established for client)

==> /var/log/hive/hiveserver2.log <==
2018-11-14 14:08:15,574 ERROR [HiveServer2-Handler-Pool: Thread-77]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: LDAP Authentication failed for user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1]]]
    at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
    at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
Logs and jdbc properties are attached in attachments.
Thanks for your time.
Created 11-14-2018 12:09 PM
@Sriram have you tried configuring as per:
Please test the above and let me know if that works for you.
HTH
Created 11-14-2018 10:19 AM
As we see the error code as "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1]]]"
52e | Invalid credentials | Returned when a valid username is supplied but an invalid password/credential is supplied. If this error is received, it will prevent most other errors from being displayed. |
So please check whether your LDAP credentials are valid. Try running a simple "ldapsearch" command to verify whether the credentials you are using are correct. A simple example:
# ldapsearch -x -b "dc=example,dc=com" -D cn=Manager,dc=example,dc=com -w ldapPassword -h ldapHost
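
A triage helper for the error discussed in this thread, added here as an example and not written by any of the posters: it scans HiveServer2 log lines for Active Directory LDAP error 49 bind failures and decodes the `data` sub-code. Only `52e` appears in the thread; the other sub-codes are the commonly documented Active Directory values, and the sample log is constructed in the shape of the excerpt above.

```python
import re
from collections import Counter

# AD sub-codes found in the "data" field of an LDAP error 49 bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
BIND_FAILURE = re.compile(
    r"LDAP: error code 49 - .*?AcceptSecurityContext error, data ([0-9a-fA-F]+)")
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}")

def parse_bind_failures(lines):
    """Return one dict per AD bind failure found in the log lines."""
    events, last_ts = [], None
    for line in lines:
        ts = TIMESTAMP.match(line)
        if ts:
            # The exception text sits on the line after the timestamped entry.
            last_ts = ts.group(1)
        m = BIND_FAILURE.search(line)
        if m:
            code = m.group(1).lower()
            events.append({"time": last_ts, "subcode": code,
                           "meaning": AD_BIND_SUBCODES.get(code, "unknown sub-code")})
    return events

def summarize(events):
    """Count failures per sub-code, e.g. repeated 52e followed by 775."""
    return Counter(e["subcode"] for e in events)

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = [
    "2018-11-14 14:08:15,574 ERROR [HiveServer2-Handler-Pool: Thread-77]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure",
    "javax.security.sasl.SaslException: Error validating the login [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1]]]",
    "\tat org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)",
    "2018-11-14 14:09:40,120 ERROR [HiveServer2-Handler-Pool: Thread-78]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure",
    "javax.security.sasl.SaslException: Error validating the login [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v1db1]]]",
]

if __name__ == "__main__":
    for e in parse_bind_failures(SAMPLE_LOG):
        print(e["time"], e["subcode"], e["meaning"])
```
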
Created 11-14-2018 10:26 AM
@Jay Kumar,
Many thanks for your time.
i) Here, when HS2 is integrated with AD only below properties are added in hive:
a) Domain Name
b) LDAP URL.
--> Checked connectivity via beeline and it worked ( given Username and password is accepted )
Issue is only when running a simple query in zeppelin notebook.
When I execute a notebook ( same user name and password is used to log in to zeppelin ) I got the error
Notebook entry is:
%jdbc(hive)
show databases
In one line:
*************************
HS2 integration with AD verification is successful when verified against beeline command manually; but via zeppelin jdbc(hive) interpreter it is not working.
************************
Please let me know in case of any question.
Created 11-14-2018 10:52 AM
Can you guys help me on this please.
Created 11-14-2018 01:19 PM
@Felix, thanks a lot for your link. It worked.
Issue from my end is:
I used hive.user and hive.password in the settings and this is the root cause.
Created 11-14-2018 02:17 PM
@Felix Albani...does every user need to change Credentials as mentioned in the provided weblink ??