[
https://issues.apache.org/jira/browse/AMBARI-19642?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sumit Mohanty updated AMBARI-19642:
-----------------------------------
Attachment: (was: AMBARI-19642.patch)
> Error during Alert: Unable to authenticate through LDAP for Hiveserver2 (also
> floods HS2 log with error messages)
> -----------------------------------------------------------------------------------------------------------------
>
> Key: AMBARI-19642
> URL: https://issues.apache.org/jira/browse/AMBARI-19642
> Project: Ambari
> Issue Type: Bug
> Components: stacks
> Affects Versions: 2.5.0
> Reporter: Sumit Mohanty
> Assignee: Sumit Mohanty
> Priority: Critical
> Fix For: 2.5.0
>
> Attachments: AMBARI-19642.patch
>
>
> Ambari Alert can't authenticate through LDAP for HiveServer2 using the
> ambari-qa user because there's nowhere to set the ambari-qa password.
> {code}
> javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
>     at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
>     at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:509)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:264)
>     at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:744)
> Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
>     at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:70)
>     at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
>     at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:102)
>     ... 8 more
> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
>     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835)
>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>     at javax.naming.InitialContext.init(InitialContext.java:242)
>     at javax.naming.InitialContext.<init>(InitialContext.java:216)
>     at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
>     at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:67)
>     ... 10 more
> 2014-12-29 00:00:12,532 ERROR server.TThreadPoolServer (TThreadPoolServer.java:run(215)) - Error occurred during processing of message.
> java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Error validating the login
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:744)
> Caused by: org.apache.thrift.transport.TTransportException: Error validating the login
>     at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
>     at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
>     ... 4 more
> {code}
> **LDAP doesn't accept blank passwords**
> It is expected that the ambari-qa user is able to authenticate through LDAP for
> HiveServer2
> ANALYSIS:
> 1) We found when hive.server2.authentication=LDAP, the HiveServer2 log will
> show the LDAP error once Alert is turned on.
> 2) Alert uses check_tcp_wrapper_sasl!10000!LDAP!!
> 3) When hive.server2.authentication=NONE, we don't get the Alert LDAP error
> for HiveServer2.
> or
> 1) If we run "beeline" and "!connect jdbc:hive2://<hiveserver2_server>:10000
> -n ambari-qa", we will get the LDAP error too.
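
A triage aid for the log flood described in this issue, added here as an example and not part of the Ambari patch or the original report: it decodes the Active Directory sub-code in the `data` field of LDAP result 49 (`52e` in the trace above) and checks whether the failures recur at a fixed interval, which points at a scheduled probe such as the alert. The function names, the fixed-interval heuristic and every sample timestamp after the first are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Active Directory sub-codes reported in the "data" field of LDAP result code 49.
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}
# The root-cause line appears once per failed bind; outer wrappers repeat the text.
ROOT_CAUSE = re.compile(r"^Caused by: javax\.naming\.AuthenticationException: "
                        r"\[LDAP: error code 49 .*\bdata ([0-9a-fA-F]+),")
ERROR_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ "
                        r"ERROR server\.TThreadPoolServer ")

def summarize(log_text):
    """Count LDAP bind failures by AD reason and collect HS2 error timestamps."""
    reasons, stamps = Counter(), []
    for line in log_text.splitlines():
        cause, error = ROOT_CAUSE.match(line), ERROR_LINE.match(line)
        if cause:
            code = cause.group(1).lower()
            reasons[AD_SUBCODES.get(code, "unknown sub-code " + code)] += 1
        elif error:
            stamps.append(datetime.strptime(error.group(1), "%Y-%m-%d %H:%M:%S"))
    return reasons, stamps

def fixed_interval(stamps, tolerance_s=2):
    """Return the gap in seconds if failures recur on a fixed schedule, else None."""
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < 2 or max(gaps) - min(gaps) > tolerance_s:
        return None
    return round(sum(gaps) / len(gaps))

# Constructed sample: message text copied from the trace in this issue,
# repeated once a minute to imitate a periodic alert check.
LDAP_MSG = ("Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - "
            "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, "
            "data 52e, v2580")
ERR_MSG = (" ERROR server.TThreadPoolServer (TThreadPoolServer.java:run(215)) - "
           "Error occurred during processing of message.")
SAMPLE = "\n".join(f"{LDAP_MSG}\n2014-12-29 00:0{m}:12,532{ERR_MSG}" for m in range(4))
```

On the constructed sample, `summarize(SAMPLE)` reports four "invalid credentials" failures and `fixed_interval` returns 60, the signature of a once-a-minute check binding with a missing or wrong password.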