Sumit Mohanty created AMBARI-19642:
--------------------------------------
Summary: Error during Alert: Unable to authenticate through LDAP
for Hiveserver2 (also floods HS2 log with error messages)
Key: AMBARI-19642
URL: https://issues.apache.org/jira/browse/AMBARI-19642
Project: Ambari
Issue Type: Bug
Components: stacks
Affects Versions: 2.5.0
Reporter: Sumit Mohanty
Assignee: Sumit Mohanty
Priority: Critical
Fix For: 2.5.0
Ambari Alert can't authenticate through LDAP for HiveServer2 using the
ambari-qa user because there is nowhere to set the ambari-qa password.
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:509)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:264)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:70)
at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:102)
... 8 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:67)
... 10 more
2014-12-29 00:00:12,532 ERROR server.TThreadPoolServer (TThreadPoolServer.java:run(215)) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Error validating the login
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: org.apache.thrift.transport.TTransportException: Error validating the login
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
... 4 more
**LDAP doesn't accept blank passwords**
It is expected that the ambari-qa user is able to authenticate through LDAP for
HiveServer2.
ANALYSIS:
1) We found when hive.server2.authentication=LDAP, the HiveServer2 log will
show the LDAP error once Alert is turned on.
2) Alert uses check_tcp_wrapper_sasl!10000!LDAP!!
3) When hive.server2.authentication=NONE, we don't get the Alert LDAP error for
HiveServer2.
or
1) If we run "beeline" and "!connect jdbc:hive2://<hiveserver2_server>:10000 -n
ambari-qa", we will get the LDAP error too.
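
Added example (not part of the original report or of Ambari/Hive code): a log triage helper that counts the failed LDAP binds described above once per login attempt and buckets them by minute, so the periodic alert probe stands out from real user failures. It assumes unwrapped HiveServer2 log lines; the sub-code table is general Active Directory knowledge, and the sample lines and the name summarize_bind_failures are constructed for illustration.

```python
import re
from collections import Counter

# Active Directory sub-codes reported in the "data" field of LDAP error 49.
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2},\d{3} ")
# Innermost cause only: the outer SaslException lines repeat the same text.
ROOT = re.compile(r"^Caused by: javax\.naming\.AuthenticationException: "
                  r"\[LDAP: error code 49 - .*?\bdata ([0-9a-fA-F]{3,4}),")

def summarize_bind_failures(lines):
    """Count failed LDAP binds by AD reason and by log minute."""
    by_reason, by_minute = Counter(), Counter()
    minute = "unknown"  # used until the first timestamped line is seen
    for line in lines:
        ts = TS.match(line)
        if ts:
            minute = ts.group(1)
        hit = ROOT.match(line)
        if hit:
            code = hit.group(1).lower()
            reason = AD_SUBCODES.get(code, "unrecognized sub-code")
            by_reason[f"{code}: {reason}"] += 1
            by_minute[minute] += 1
    return by_reason, by_minute

# Constructed sample: two failed probes, traces abbreviated, timestamps invented.
MSG = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, "
       "comment: AcceptSecurityContext error, data 52e, v2580]")

def _trace(ts):
    return [f"{ts} ERROR transport.TSaslTransport - SASL negotiation failure",
            "javax.security.sasl.SaslException: Error validating the login "
            f"[Caused by javax.naming.AuthenticationException: {MSG}]",
            f"Caused by: javax.naming.AuthenticationException: {MSG}"]

SAMPLE = _trace("2014-12-29 00:00:12,532") + _trace("2014-12-29 00:01:12,540")

if __name__ == "__main__":
    print(summarize_bind_failures(SAMPLE))
```

A steady count of one `52e` failure per alert interval points at the monitoring probe rather than at users mistyping passwords.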