xxzhky opened a new issue, #5137:
URL: https://github.com/apache/gravitino/issues/5137
### Version
0.6.0
### Describe what's wrong
<meta charset="utf-8"><div data-page-id="NTGKdrzL9o9Sy4x6kQxcsHxen9b"
data-lark-html-role="root" data-docx-has-block-data="true"><h1 class="heading-1
ace-line old-record-id-E6ZHd0vjXoH7OLxLU2Pcu68hn4b">Gravitino catalog
config</h1><div class="ace-line ace-line
old-record-id-LhXddrUdToWyCRxRaiccKvuunQh">Properties</div><div
data-type="sheet" class="
old-record-id-S1e0dhWIGochINxyLf0chwMUn2c"><!--StartFragment--><meta
http-equiv="Content-Type" content="text/html; charset=utf-8"><style><!--br
{mso-data-placement:same-cell;}--> td {white-space:nowrap;border:1px solid
#dee0e3;font-size:10pt;font-style:normal;font-weight:normal;vertical-align:middle;word-break:normal;word-wrap:normal;}</style><byte-sheet-html-origin
data-id="" data-version="4" data-is-embed="true" data-grid-line-hidden="false"
data-copy-type="col">
Key | Value
-- | --
gravitino.bypass.hive.metastore.client.capability.check | FALSE
metastore.uris |
thrift://ecs-dev-66-133-flink.msxf.host:9089,thrift://ecs-dev-66-100-flink.msxf.host:9089
kerberos.principal | hive/[email protected]
gravitino.bypass.hive.metastore.kerberos.principal |
hive/[email protected]
kerberos.keytab-uri | file:///home/xdt/gravikey/hms4/hive.keytab
gravitino.bypass.hive.metastore.sasl.enabled | TRUE
gravitino.bypass.hadoop.security.authentication | kerberos
</byte-sheet-html-origin><!--EndFragment--></div><h1 class="heading-1
ace-line old-record-id-ZjWtdA1dlovqLQxkchAcHrnXnwh">Reason</h1><div
class="ace-line ace-line old-record-id-XgC1dBvQNoet6pxTQKeci9ftnRg">When
configuring the Iceberg catalog, attempting to use multiple Hive Metastore
instances to meet the production environment's high-availability (HA)
requirements results in the following error:</div><pre style="white-space:pre;"
class="ace-line ace-line old-record-id-KToYdfqXpoE1c7xIz8NczOHZnpc"><code
class="language-Plain Text" data-lark-language="Plain Text"
data-wrap="false"><div>transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate
failed</div></code></pre><div class="ace-line ace-line
old-record-id-AP9idgReyoWZMvxISvVc84HPnCd"><strong>Note:</strong></div><div
class="ace-line ace-line old-record-id-NDX1dzZZtoQwcaxC2YNcu2IIn6c">For the
relevant catalog configuration information, please refer to the table above.
Specifically:</div><ul start="1" class="list-bullet1"><li class="ace-line
ace-line old-record-id-WDezdEEmToWpNSx1AxkcTBMVnSe"
data-list="bullet"><div><code>metastore.uris</code> is configured with two
instances.</div></li><li class="ace-line ace-line
old-record-id-D6kTd5YgooUkHPxOYGwcZt5snOe"
data-list="bullet"><div><code>gravitino.bypass.hive.metastore.kerberos.principal</code>
is configured with two principals.</div></li></ul></div><span
data-lark-record-data="{"isCut":false,"rootId":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","parentId":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","blockIds":[355,357,358,359,366,368,370,3
71,372,373],"recordIds":["E6ZHd0vjXoH7OLxLU2Pcu68hn4b","LhXddrUdToWyCRxRaiccKvuunQh","S1e0dhWIGochINxyLf0chwMUn2c","ZjWtdA1dlovqLQxkchAcHrnXnwh","XgC1dBvQNoet6pxTQKeci9ftnRg","KToYdfqXpoE1c7xIz8NczOHZnpc","AP9idgReyoWZMvxISvVc84HPnCd","NDX1dzZZtoQwcaxC2YNcu2IIn6c","WDezdEEmToWpNSx1AxkcTBMVnSe","D6kTd5YgooUkHPxOYGwcZt5snOe"],"recordMap":{"E6ZHd0vjXoH7OLxLU2Pcu68hn4b":{"id":"E6ZHd0vjXoH7OLxLU2Pcu68hn4b","snapshot":{"comments":[],"hidden":false,"align":"","type":"heading1","parent_id":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","locked":false,"author":"7397307892162002946","children":[],"text":{"initialAttributedTexts":{"text":{"0":"Gravitino
catalog config"},"attribs&qu
ot;:{"0":"*0+o"}},"apool":{"numToAttrib":{"0":["author","7397307892162002946"]},"nextNum":1}},"folded":false}},"LhXddrUdToWyCRxRaiccKvuunQh":{"id":"LhXddrUdToWyCRxRaiccKvuunQh","snapshot":{"align":"","comments":[],"children":[],"locked":false,"hidden":false,"author":"7397307892162002946","text":{"initialAttributedTexts":{"text":{"0":"Properties"},"attribs":{"0":"*0+a"}},"apool":{"numToAttrib":{"0":["author","7397307892162002946"]},"nextNum":1}},"folded":false,"type":"text","parent_id":"NTGKdrzL9o9Sy4x6kQxcsHxen9b"}},"S1e0dhWIGochINxyLf0chwMUn2c":{"id":"S1e0dhWIGochI
NxyLf0chwMUn2c","snapshot":{"type":"sheet","parent_id":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","comments":[],"locked":false,"hidden":false,"author":"7397307892162002946","token":"VHYOsrmAihEYJNt7hcScVuJinbc_sIeVJY"}},"ZjWtdA1dlovqLQxkchAcHrnXnwh":{"id":"ZjWtdA1dlovqLQxkchAcHrnXnwh","snapshot":{"type":"heading1","parent_id":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","folded":false,"comments":[],"locked":false,"hidden":false,"author":"7397307892162002946","children":[],"text":{"initialAttributedTexts":{"text":{"0":"Reason"},"attribs":{"0":"*0+6"}},"apool":{"numToAttrib":{"0":["author","7397307892162002946"]},&
quot;nextNum":1}},"align":""}},"XgC1dBvQNoet6pxTQKeci9ftnRg":{"id":"XgC1dBvQNoet6pxTQKeci9ftnRg","snapshot":{"children":[],"align":"","folded":false,"hidden":false,"author":"7397307892162002946","text":{"initialAttributedTexts":{"text":{"0":"When
configuring the Iceberg catalog, attempting to use multiple Hive Metastore
instances to meet the production environment's high-availability (HA)
requirements results in the following
error:"},"attribs":{"0":"*0+5e"}},"apool":{"numToAttrib":{"0":["author","7397307892162002946"]},"nextNum":1}},"type":"text","parent_id":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","comments":[],"locked":false}},"KToYdfqXpoE1c7xIz8NczOHZnpc&q
uot;:{"id":"KToYdfqXpoE1c7xIz8NczOHZnpc","snapshot":{"text":{"initialAttributedTexts":{"text":{"0":"transport.TSaslTransport:
SASL negotiation failure\njavax.security.sasl.SaslException: GSS initiate
failed"},"attribs":{"0":"*0|1+1f*0+1i"}},"apool":{"numToAttrib":{"0":["author","7397307892162002946"]},"nextNum":1}},"align":"","wrap":false,"parent_id":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","author":"7397307892162002946","locked":false,"hidden":false,"children":[],"language":"Plain
Text","type":"code","comments":[]}},"AP9idgReyoWZMvxISvVc84HPnCd":{"id":"AP9idgReyoWZMvxISvVc84HPnCd","snapshot":{"comments":[],"hidden":fals
e,"author":"7397307892162002946","children":[],"align":"","type":"text","parent_id":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","folded":false,"locked":false,"text":{"initialAttributedTexts":{"text":{"0":"Note:"},"attribs":{"0":"*0*1+5"}},"apool":{"numToAttrib":{"0":["author","7397307892162002946"],"1":["bold","true"]},"nextNum":2}}}},"NDX1dzZZtoQwcaxC2YNcu2IIn6c":{"id":"NDX1dzZZtoQwcaxC2YNcu2IIn6c","snapshot":{"author":"7397307892162002946","children":[],"align":"","folded":false,"type":"text","parent_id":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","comments":[],"locked":false,
"hidden":false,"text":{"initialAttributedTexts":{"text":{"0":"For
the relevant catalog configuration information, please refer to the table
above.
Specifically:"},"attribs":{"0":"*0+2q"}},"apool":{"numToAttrib":{"0":["author","7397307892162002946"]},"nextNum":1}}}},"WDezdEEmToWpNSx1AxkcTBMVnSe":{"id":"WDezdEEmToWpNSx1AxkcTBMVnSe","snapshot":{"hidden":false,"folded":false,"type":"bullet","locked":false,"children":[],"text":{"initialAttributedTexts":{"text":{"0":"metastore.uris
is configured with two
instances."},"attribs":{"0":"*0*1+e*0+y"}},"apool":{"numToAttrib":{"0":["author","7397307892162002946"],"1&q
uot;:["inlineCode","true"]},"nextNum":2}},"align":"","parent_id":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","comments":[],"author":"7397307892162002946"}},"D6kTd5YgooUkHPxOYGwcZt5snOe":{"id":"D6kTd5YgooUkHPxOYGwcZt5snOe","snapshot":{"author":"7397307892162002946","text":{"initialAttributedTexts":{"text":{"0":"gravitino.bypass.hive.metastore.kerberos.principal
is configured with two
principals."},"attribs":{"0":"*0*1+1e*0+z"}},"apool":{"numToAttrib":{"0":["author","7397307892162002946"],"1":["inlineCode","true"]},"nextNum":2}},"align":"","folded":false,"locked":false,"hidden":false,"comments":[],"children&quo
t;:[],"type":"bullet","parent_id":"NTGKdrzL9o9Sy4x6kQxcsHxen9b"}},"NTGKdrzL9o9Sy4x6kQxcsHxen9b":{"id":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","snapshot":{"revisions":null,"children":["E6ZHd0vjXoH7OLxLU2Pcu68hn4b","LhXddrUdToWyCRxRaiccKvuunQh","S1e0dhWIGochINxyLf0chwMUn2c","ZjWtdA1dlovqLQxkchAcHrnXnwh","XgC1dBvQNoet6pxTQKeci9ftnRg","KToYdfqXpoE1c7xIz8NczOHZnpc","AP9idgReyoWZMvxISvVc84HPnCd","NDX1dzZZtoQwcaxC2YNcu2IIn6c","WDezdEEmToWpNSx1AxkcTBMVnSe","D6kTd5YgooUkHPxOYGwcZt5snOe","SATXdKUK8or3OYxGjQ2c8nCjnNd","XK8JdHtOpodwANx0D46cIoeMnte","HW4Ed2NoZop1C2xyoKzcfhaXnue","V9lTdN97Lon3H0xav97czpgkn8d","RkCEdRE92ojzJjxXNoWcEFKznog"],"text":{"apool":{"nextNum":1,"numToAttrib":{"0":["author","
;7397307892162002946"]}},"initialAttributedTexts":{"attribs":{"0":"*0+q"},"text":{"0":"HMS
HA Feature
unsupported"}}},"align":"","type":"page","parent_id":"","comments":null,"locked":false,"hidden":false,"author":"7397307892162002946","doc_info":{"option_modified":null,"editors":["7397307892162002946"],"options":["editors","edit_time"],"deleted_editors":null}}}},"payloadMap":{"LhXddrUdToWyCRxRaiccKvuunQh":{"level":1},"XgC1dBvQNoet6pxTQKeci9ftnRg":{"level":1},"AP9idgReyoWZMvxISvVc84HPnCd":{"level":1},"NDX1dzZZtoQwcaxC2YNcu2IIn6c":{"level":1},"lingoClipboardPayload":{"spaceSubExtraInfo":[{"spaceSubId":"
;XgC1dBvQNoet6pxTQKeci9ftnRg","word":"HA"}],"spaceId":"NTGKdrzL9o9Sy4x6kQxcsHxen9b","spaceType":1}},"extra":{"channel":"saas","pasteRandomId":"1c46b7e5-d136-47a7-b364-0a432b16b824","mention_page_title":{},"external_mention_url":{}},"isKeepQuoteContainer":false,"selection":[{"id":355,"type":"text","selection":{"start":0,"end":24},"recordId":"E6ZHd0vjXoH7OLxLU2Pcu68hn4b"},{"id":357,"type":"text","selection":{"start":0,"end":10},"recordId":"LhXddrUdToWyCRxRaiccKvuunQh"},{"id":358,"type":"block","recordId":"S1e0dhWIGochINxyLf0chwMUn2c"},{"id":359,"type":"text","selection":{"start":0,"
end":6},"recordId":"ZjWtdA1dlovqLQxkchAcHrnXnwh"},{"id":366,"type":"text","selection":{"start":0,"end":194},"recordId":"XgC1dBvQNoet6pxTQKeci9ftnRg"},{"id":368,"type":"block","recordId":"KToYdfqXpoE1c7xIz8NczOHZnpc"},{"id":370,"type":"text","selection":{"start":0,"end":5},"recordId":"AP9idgReyoWZMvxISvVc84HPnCd"},{"id":371,"type":"text","selection":{"start":0,"end":98},"recordId":"NDX1dzZZtoQwcaxC2YNcu2IIn6c"},{"id":372,"type":"text","selection":{"start":0,"end":48},"recordId":"WDezdEEmToWpNSx1AxkcTBMVnSe"},{"id":373,"type":"text","selection":{"start&
quot;:0,"end":85},"recordId":"D6kTd5YgooUkHPxOYGwcZt5snOe"}],"pasteFlag":"648c8cf3-ea73-49af-b698-bc2a6dea50b7"}"
data-lark-record-format="docx/record" class="lark-record-clipboard"></span>
### Error message and/or stacktrace
2024-10-12T10:52:10,393 ERROR [Metastore-Handler-Pool: Thread-63]
transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
at
com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:199)
~[?:1.8.0_232]
at
org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:507)
~[hive-exec-4.0.0.jar:4.0.0]
at
org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:250)
~[hive-exec-4.0.0.jar:4.0.0]
at
org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:44)
~[hive-exec-4.0.0.jar:4.0.0]
at
org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:199)
~[hive-exec-4.0.0.jar:4.0.0]
at
org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:711)
~[hive-exec-4.0.0.jar:4.0.0]
at
org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:707)
~[hive-exec-4.0.0.jar:4.0.0]
at java.security.AccessController.doPrivileged(Native Method)
~[?:1.8.0_232]
at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_232]
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1855)
~[hadoop-common-3.3.4.jar:?]
at
org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:707)
~[hive-exec-4.0.0.jar:4.0.0]
at
org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:227)
~[hive-exec-4.0.0.jar:4.0.0]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
~[?:1.8.0_232]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
~[?:1.8.0_232]
at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level
(Mechanism level: Checksum failed)
at
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:858)
~[?:1.8.0_232]
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
~[?:1.8.0_232]
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
~[?:1.8.0_232]
at
com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167)
~[?:1.8.0_232]
... 14 more
Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
at
sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:102)
~[?:1.8.0_232]
at
sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:94)
~[?:1.8.0_232]
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
~[?:1.8.0_232]
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
~[?:1.8.0_232]
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
~[?:1.8.0_232]
at
sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
~[?:1.8.0_232]
at
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:831)
~[?:1.8.0_232]
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
~[?:1.8.0_232]
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
~[?:1.8.0_232]
at
com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167)
~[?:1.8.0_232]
... 14 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at
sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
~[?:1.8.0_232]
at
sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
~[?:1.8.0_232]
at sun.security.krb5.internal.crypto.Aes128.decrypt(Aes128.java:76)
~[?:1.8.0_232]
at
sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:100)
~[?:1.8.0_232]
at
sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:94)
~[?:1.8.0_232]
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
~[?:1.8.0_232]
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
~[?:1.8.0_232]
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
~[?:1.8.0_232]
at
sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
~[?:1.8.0_232]
at
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:831)
~[?:1.8.0_232]
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
~[?:1.8.0_232]
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
~[?:1.8.0_232]
at
com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167)
~[?:1.8.0_232]
... 14 more
### How to reproduce
+ v0.6
Pls refer to the first part as discribed above
### Additional context
_No response_
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
