Hi guys, I found an environment where ksu works. My issue seems to be related to some sssd configuration but still did not ended to solve this issue. Does it remind you of something regarding sssd configuration ? Thank you. ... View more

Thanks for your reply but still getting the issue with your settings. ... View more

Can you please be more precise on how to change that file ? ... View more

Here is my krb5.conf - for security purposes, I do not provide my environment real values but be sure that it matches EXAMPLE.COM and UNKNOWN_DOMAIN. includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true rdns = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true udp_preference_limit = 0 default_ccache_name = /tmp/krb5cc_%{uid} [logging] default = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log kdc = FILE:/var/log/krb5kdc.log [realms] UNKNOWN_DOMAIN = { pkinit_anchors = FILE:/etc/ipa/ca.crt } EXAMPLE.COM = { admin_server = myadmin.server.com kdc = myadmin.server.com } [domain_realm] .unknown_domain = UNKNOWN_DOMAIN unknown_domain = UNKNOWN_DOMAIN ... View more

Hi Vrathod, Same error with Firefox 62.0.2 (64 bits) and SPNEGI enabled for my domain. NB: my localhost computer that tries to access Druid UI is Windows. May I have to install Kerberos and follow 1 to 3 instructions as well ? Regards ... View more

Hi @Saby SS, Have you tried this ? https://community.hortonworks.com/content/supportkb/191924/how-to-improve-performance-of-knox-request-per-sec.html ... View more

Hi @Ashokkumar R #2: here is documentation based on HDP 2.6.5: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/configure_knox_for_ha.html Regards. ... View more

@Felix Albani is their a relation between the WebHcat server and Hive Server or Know server ? I still don't understand how these components are related to each other ? Thank you. ... View more

@Hernán Fernández do you have any other ideas, please ? ... View more

@Felix Albani any news regarding my last answer, please ? ... View more

@Hernán Fernández same thing. Here is the command I typed: curl -ivk --negotiate 'https://my_knox_hostname:9443/gateway/default/hive/?op=LISTSTATUS' ... View more

@Felix Albani 1 - I confirm these settings; just to let you know that hadoop.proxyuser.knox.hosts is not set as star "*" but with some hostnames. But I confirm my Knox hostname is there. 2 - For a personal purpose, I actually don't manage hive-site content with Ambari as I am using a particular software that have its own hive-site.xml. As I can see, webhcat settings are not written into this file so I've asked the software editor how I can handle this. 3 - How can I activate debug for HS2, please ? 4 - Can you please tell me more on how tu use this ? When I type this command on my Knox hostname, I have: $ tcpdump -A port 10011 tcpdump: WARNING: SIOCGIFADDR: nflog: No such device tcpdump: NFLOG link-layer type filtering not implemented Thank you. ... View more

@Hernán Fernández Here is result of bellow command: curl -ivk --negotiate -u myuser:mypasswd 'https://my_knox_hostname:9443/gateway/default/hive/?op=LISTSTATUS' * About to connect() to my_knox_hostname port 9443 (#0) * Trying XXX.XXX.XXX.XXX... * Connected to my_knox_hostname (XXX.XXX.XXX.XXX) port 9443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * * * > GET /gateway/default/hive/?op=LISTSTATUS HTTP/1.1 > User-Agent: curl/7.29.0 > Host: my_knox_hostname:9443 > Accept: */* > < HTTP/1.1 401 Unauthorized HTTP/1.1 401 Unauthorized < Date: Thu, 07 Jun 2018 14:41:27 GMT Date: Thu, 07 Jun 2018 14:41:27 GMT < WWW-Authenticate: BASIC realm="application" WWW-Authenticate: BASIC realm="application" < Content-Length: 0 Content-Length: 0 < Server: Jetty(9.2.15.v20160210) Server: Jetty(9.2.15.v20160210) < * Connection #0 to host my_knox_hostname left intact ... View more

@Hernán Fernández let me try this and I will come back to you. Thank you. ... View more

@Felix Albani I don't have any logs on my hive server. My guess is that connection passes Knox gateway but don't go through Hive that asks some credentials that the POST statement don't deliver. Here are my Knox gateway logs when trying to reach my Hive server with mentionned beeline: 2018-05-24 10:32:51,330 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(116)) - Received request: POST /hive 2018-05-24 10:32:51,382 DEBUG hadoop.gateway (KnoxLdapRealm.java:getUserDn(718)) - Searching from dc=domain,dc=realm where (&(objectclass=posixAccount)(uid=myuser)) scope subtree 2018-05-24 10:32:51,387 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(724)) - Computed userDn: uid=myuser,ou=Users,dc=domain,dc=realm using ldapSearch for principal: myuser 2018-05-24 10:32:51,441 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true 2018-05-24 10:32:51,442 DEBUG hadoop.gateway (UrlRewriteProcessor.java:rewrite(164)) - Rewrote URL: https://my_knox_hostname:9443/gateway/default/hive, direction: IN via implicit rule: HIVE/hive/inbound to URL: http://my_http_hive_hostname:10011/cliservice 2018-05-24 10:32:51,443 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(121)) - Dispatch request: POST http://my_http_hive_hostname:10011/cliservice?doAs=myuser 2018-05-24 10:32:51,461 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(134)) - Dispatch response status: 401 2018-05-24 10:32:51,461 DEBUG hadoop.gateway (DefaultDispatch.java:getInboundResponseContentType(209)) - Inbound response entity content type not provided. 2018-05-24 10:32:51,471 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(116)) - Received request: POST /hive 2018-05-24 10:32:51,472 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true 2018-05-24 10:32:51,472 DEBUG hadoop.gateway (UrlRewriteProcessor.java:rewrite(164)) - Rewrote URL: https://my_knox_hostname:9443/gateway/default/hive, direction: IN via implicit rule: HIVE/hive/inbound to URL: http://my_http_hive_hostname:10011/cliservice 2018-05-24 10:32:51,473 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(121)) - Dispatch request: POST http://my_http_hive_hostname:10011/cliservice?doAs=myuser 2018-05-24 10:32:51,488 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(134)) - Dispatch response status: 401 2018-05-24 10:32:51,488 DEBUG hadoop.gateway (DefaultDispatch.java:getInboundResponseContentType(209)) - Inbound response entity content type not provided. 2018-05-24 10:32:51,524 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(116)) - Received request: POST /hive 2018-05-24 10:32:51,575 DEBUG hadoop.gateway (KnoxLdapRealm.java:getUserDn(718)) - Searching from dc=domain,dc=realm where (&(objectclass=posixAccount)(uid=myuser)) scope subtree 2018-05-24 10:32:51,579 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(724)) - Computed userDn: uid=myuser,ou=Users,dc=domain,dc=realm using ldapSearch for principal: myuser 2018-05-24 10:32:51,631 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true 2018-05-24 10:32:51,632 DEBUG hadoop.gateway (UrlRewriteProcessor.java:rewrite(164)) - Rewrote URL: https://my_knox_hostname:9443/gateway/default/hive, direction: IN via implicit rule: HIVE/hive/inbound to URL: http://my_http_hive_hostname:10011/cliservice 2018-05-24 10:32:51,633 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(121)) - Dispatch request: POST http://my_http_hive_hostname:10011/cliservice?doAs=myuser 2018-05-24 10:32:51,648 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(134)) - Dispatch response status: 401 2018-05-24 10:32:51,649 DEBUG hadoop.gateway (DefaultDispatch.java:getInboundResponseContentType(209)) - Inbound response entity content type not provided. 2018-05-24 10:32:51,658 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(116)) - Received request: POST /hive 2018-05-24 10:32:51,659 INFO hadoop.gateway (AclsAuthorizationFilter.java:doFilter(85)) - Access Granted: true 2018-05-24 10:32:51,660 DEBUG hadoop.gateway (UrlRewriteProcessor.java:rewrite(164)) - Rewrote URL: https://my_knox_hostname:9443/gateway/default/hive, direction: IN via implicit rule: HIVE/hive/inbound to URL: http://my_http_hive_hostname:10011/cliservice 2018-05-24 10:32:51,661 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(121)) - Dispatch request: POST http://my_http_hive_hostname:10011/cliservice?doAs=myuser 2018-05-24 10:32:51,678 DEBUG hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(134)) - Dispatch response status: 401 2018-05-24 10:32:51,678 DEBUG hadoop.gateway (DefaultDispatch.java:getInboundResponseContentType(209)) - Inbound response entity content type not provided. <br> ... View more

Thank you Felix Albani for your answer. I forgot to mention that I get 401 reponse error using a similar beeline: !connect jdbc:hive2://my_knox_hostname:9443/;ssl=true;transportMode=http;httpPath=gateway/default/hive;sslTrustStore=/etc/pki/ca-trust/extracted/java/cacerts;trustStorePassword=trust_passwd ... View more

Hi Shota, Have you fixed your problem ? I am currently facing same issue. Thx. ... View more

Hi everyone, I am facing same issue connecting to Hive HTTP through Knox. On Knox gateway logs, I have: access|uri|/gateway/default/hive/?op=LISTSTATUS|success|Response status: 401 @mliem: have you fixed your problem and if so, can you please tell me how ? FYI, connecting directly to Hive HTTP with beeline and same crendentials works fine. Regards. ... View more

@Constantin Stanca Thank you for your quick answer. As the server I work on is not planned to migrate to RHEL 6.x, can you confirm I can use the rpm version you provided for CentOS 5.x? I guess it is not optimal but is there some known issues using this version with 1.x Hive database? Thank you. ... View more