[ https://issues.apache.org/jira/browse/AMBARI-19642?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sumit Mohanty updated AMBARI-19642:
-----------------------------------
    Description:
Ambari Alert can't authenticate through LDAP for HiveServer2 using the ambari-qa user because there's nowhere to set the ambari-qa password.

{code}
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
    at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
    at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:509)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:264)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
    at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:70)
    at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
    at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:102)
    ... 8 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
    at javax.naming.InitialContext.init(InitialContext.java:242)
    at javax.naming.InitialContext.<init>(InitialContext.java:216)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
    at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:67)
    ... 10 more
2014-12-29 00:00:12,532 ERROR server.TThreadPoolServer (TThreadPoolServer.java:run(215)) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Error validating the login
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
Caused by: org.apache.thrift.transport.TTransportException: Error validating the login
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    ... 4 more
{code}

**LDAP doesn't accept blank passwords**

It is expected that the ambari-qa user is able to authenticate through LDAP for HiveServer2.

ANALYSIS:
1) We found when hive.server2.authentication=LDAP, the HiveServer2 log will show the LDAP error once Alert is turned on.
2) Alert uses check_tcp_wrapper_sasl!10000!LDAP!!
3) When hive.server2.authentication=NONE, we don't get the Alert LDAP error for HiveServer2.
or
1) If we run "beeline" and "!connect jdbc:hive2://<hiveserver2_server>:10000 -n ambari-qa", we will get the LDAP error too.
> Error during Alert: Unable to authenticate through LDAP for Hiveserver2 (also floods HS2 log with error messages)
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-19642
>                 URL: https://issues.apache.org/jira/browse/AMBARI-19642
>             Project: Ambari
>          Issue Type: Bug
>          Components: stacks
>    Affects Versions: 2.5.0
>            Reporter: Sumit Mohanty
>            Assignee: Sumit Mohanty
>            Priority: Critical
>             Fix For: 2.5.0
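
Added example, not part of the JIRA report or of Ambari/Hive code: a triage helper that counts failed LDAP binds in a HiveServer2 log once per failure and decodes the Active Directory sub-code in the `data` field, so the alert's passwordless probes (`data 52e`) can be told apart from other bind failures. The names `summarize_bind_failures` and `constructed_trace` are hypothetical, and the sample log is constructed: only the `52e` values come from the report.

```python
import re
from collections import Counter

# Active Directory sub-codes carried in the "data NNN" field of an LDAP
# result code 49 (invalidCredentials) bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}

# Root-cause line of one failed bind. The outer SaslException lines repeat the
# same LDAP text inside "[Caused by ...", so only this line is counted.
ROOT_CAUSE = re.compile(
    r"^Caused by: javax\.naming\.AuthenticationException: \[LDAP: error code "
    r"(?P<code>\d+) - \w+: LdapErr: DSID-\w+, comment: [^,]+, "
    r"data (?P<data>[0-9a-fA-F]+), v\w+",
    re.MULTILINE,
)

def summarize_bind_failures(log_text):
    """Count failed binds per (LDAP result code, AD sub-code, meaning)."""
    counts = Counter()
    for m in ROOT_CAUSE.finditer(log_text):
        data = m.group("data").lower()
        meaning = AD_BIND_SUBCODES.get(data, "unknown sub-code")
        counts[(int(m.group("code")), data, meaning)] += 1
    return counts

def constructed_trace(sub):
    """Build an abbreviated, constructed HS2 trace with the given sub-code."""
    err = ("javax.naming.AuthenticationException: [LDAP: error code 49 - "
           "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext "
           f"error, data {sub}, v2580")
    wrap = ("javax.security.sasl.AuthenticationException: "
            f"Error validating LDAP user [Caused by {err}")
    return (
        "javax.security.sasl.SaslException: Error validating the login "
        f"[Caused by {wrap}\n"
        "\tat org.apache.hive.service.auth.PlainSaslServer.evaluateResponse"
        "(PlainSaslServer.java:109)\n"
        f"Caused by: {wrap}\n"
        f"Caused by: {err}\n"
    )

# Constructed sample: two alert-style failures (52e) and one lockout (775).
SAMPLE_LOG = constructed_trace("52e") * 2 + constructed_trace("775")

if __name__ == "__main__":
    for key, n in summarize_bind_failures(SAMPLE_LOG).items():
        print(n, key)
```

A plain search for `error code 49` would report nine hits for these three failures, because each trace repeats the LDAP message on three lines.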