[jira] [Commented] (HIVE-17218) Canonical-ize hostnames for Hive metastore, and HS2 servers.

Wed, 14 Feb 2018 08:50:46 -0800 

    [ 
https://issues.apache.org/jira/browse/HIVE-17218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16364398#comment-16364398
 ] 

Naveen Gangam commented on HIVE-17218:
--------------------------------------

[~mithun] [~thejas] It appears there is a rather severe un-intended adverse 
side-effect with this fix. In SSL-enabled environments, the SSL certificate for 
the service contains the hostname or DNS name for Common Name. However, with 
this fix, the HS2 client fails to establish a connection to HS2 because SSL 
handshake fails as it attempts to match the hostname contained in the 
certificate with the canonicalized name (which could also be an IP address).
{code:java}
public class NSLookupFwd
{
   public String canonicalize(String host) {
    String cname=null;
    try {
      cname = InetAddress.getByName(host).getCanonicalHostName();
      System.out.println("Host: " +
          host);
      System.out.println("Canonical HostName: " +
          cname);
    } catch (UnknownHostException ex) {
      Logger.getLogger(NSLookupFwd.class.getName()).log(Level.SEVERE, null, ex);
    }
    return cname;
  }

  public static void main(String[] args)
  {
    new NSLookupFwd().canonicalize(args[0]);
  }
}{code}
 

For example,
{code:java}
java NSLookupFwd google.com
Host: google.com
Canonical HostName: nuq04s29-in-f14.1e100.net

java NSLookupFwd yahoo.com
Host: yahoo.com
Canonical HostName: media-router-fp1.prod.media.vip.ne1.yahoo.com

java NSLookupFwd mail.yahoo.com
Host: mail.yahoo.com
Canonical HostName: e2.ycpi.vip.sja.yahoo.com{code}
the certificates issued by these URLs would contain the public facing names and 
not the internal IPs or names they map to.

The stack for the failure is
{code:java}
java.net.SocketException: Socket is closed 
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1532) 
at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1553) 
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71) 
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) 
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) 
at java.io.FilterOutputStream.close(FilterOutputStream.java:158) 
at 
org.apache.thrift.transport.TIOStreamTransport.close(TIOStreamTransport.java:110)
 
at org.apache.thrift.transport.TSocket.close(TSocket.java:235) 
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:318) 
at 
org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
 
at 
org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
 
at 
org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
 
at java.security.AccessController.doPrivileged(Native Method) 
at javax.security.auth.Subject.doAs(Subject.java:422) 
at 
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1917)
 
at 
org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
 
at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:204) 
at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:169) 
at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:105) 
at java.sql.DriverManager.getConnection(DriverManager.java:664) 
at java.sql.DriverManager.getConnection(DriverManager.java:208) 
at 
org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:146) 
at 
org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:211)
 
at org.apache.hive.beeline.Commands.connect(Commands.java:1496) 
at org.apache.hive.beeline.Commands.connect(Commands.java:1391) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 
at java.lang.reflect.Method.invoke(Method.java:498) 
at 
org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:52)
 
at org.apache.hive.beeline.BeeLine.execCommandWithPrefix(BeeLine.java:1135) 
at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:1174) 
at org.apache.hive.beeline.BeeLine.execute(BeeLine.java:1010) 
at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:922) 
at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:518) 
at org.apache.hive.beeline.BeeLine.main(BeeLine.java:501) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 
at java.lang.reflect.Method.invoke(Method.java:498) 
at org.apache.hadoop.util.RunJar.run(RunJar.java:221) 
at org.apache.hadoop.util.RunJar.main(RunJar.java:136) 
Unknown HS2 problem when communicating with Thrift server. 
Error: Could not open client transport with JDBC Uri: jdbc:hive2://<SNIPPED For 
privacy> GSS initiate failed 
Also, could not send response: org.apache.thrift.transport.TTransportException: 
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
No subject alternative names matching IP address 52 {code}
 

This breaks SSL support in hive. Should we revert this fix and find a different 
fix for this solution for the problem in this jira? Thanks

> Canonical-ize hostnames for Hive metastore, and HS2 servers.
> ------------------------------------------------------------
>
>                 Key: HIVE-17218
>                 URL: https://issues.apache.org/jira/browse/HIVE-17218
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2, Metastore, Security
>    Affects Versions: 1.2.2, 2.2.0, 3.0.0
>            Reporter: Mithun Radhakrishnan
>            Assignee: Mithun Radhakrishnan
>            Priority: Major
>             Fix For: 3.0.0, 2.4.0
>
>         Attachments: HIVE-17218.1.patch
>
>
> Currently, the {{HiveMetastoreClient}} and {{HiveConnection}} do not 
> canonical-ize the hostnames of the metastore/HS2 servers. In deployments 
> where there are multiple such servers behind a VIP, this causes a number of 
> inconveniences:
> # The client-side configuration (e.g. {{hive.metastore.uris}} in 
> {{hive-site.xml}}) needs to specify the VIP's hostname, and cannot use a 
> simplified CNAME, in the thrift URL. If the 
> {{hive.metastore.kerberos.principal}} is specified using {{_HOST}}, one sees 
> GSS failures as follows:
> {noformat}
> hive --hiveconf hive.metastore.kerberos.principal=hive/_h...@grid.myth.net 
> --hiveconf 
> hive.metastore.uris="thrift://simplified-hcat-cname.grid.myth.net:56789"
> ...
> Exception in thread "main" java.lang.RuntimeException: 
> java.lang.RuntimeException: Unable to instantiate 
> org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient
>         at 
> org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:542)
>         at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:677)
>         at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:621)
> ...
> {noformat}
> This is because {{_HOST}} is filled in with the CNAME, and not the 
> canonicalized name.
> # Oozie workflows that use HCat {{<credential>}} have to always use the VIP 
> hostname, and can't use {{_HOST}}-based service principals, if the CNAME 
> differs from the VIP name.
> If the client-code simply canonical-ized the hostnames, it would enable the 
> use of both simplified CNAMEs, and _HOST in service principals.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to