[ https://issues.apache.org/jira/browse/HIVE-17218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16364398#comment-16364398 ]
Naveen Gangam commented on HIVE-17218:
--------------------------------------

[~mithun] [~thejas] It appears there is a rather severe unintended adverse side-effect with this fix. In SSL-enabled environments, the SSL certificate for the service contains the hostname or DNS name for the Common Name. However, with this fix, the HS2 client fails to establish a connection to HS2 because the SSL handshake fails as it attempts to match the hostname contained in the certificate with the canonicalized name (which could also be an IP address).
{code:java}
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class NSLookupFwd {
    // Forward-resolve the host, then reverse-resolve the address to its canonical name,
    // which is the same lookup the HS2/metastore clients do after this fix.
    public String canonicalize(String host) {
        String cname = null;
        try {
            cname = InetAddress.getByName(host).getCanonicalHostName();
            System.out.println("Host: " + host);
            System.out.println("Canonical HostName: " + cname);
        } catch (UnknownHostException ex) {
            Logger.getLogger(NSLookupFwd.class.getName()).log(Level.SEVERE, null, ex);
        }
        return cname;
    }

    public static void main(String[] args) {
        new NSLookupFwd().canonicalize(args[0]);
    }
}
{code}
For example,
{code:java}
java NSLookupFwd google.com
Host: google.com
Canonical HostName: nuq04s29-in-f14.1e100.net

java NSLookupFwd yahoo.com
Host: yahoo.com
Canonical HostName: media-router-fp1.prod.media.vip.ne1.yahoo.com

java NSLookupFwd mail.yahoo.com
Host: mail.yahoo.com
Canonical HostName: e2.ycpi.vip.sja.yahoo.com
{code}
the certificates issued by these URLs would contain the public facing names and not the internal IPs or names they map to.
The stack for the failure is
{code:java}
java.net.SocketException: Socket is closed
        at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1532)
        at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1553)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at java.io.FilterOutputStream.close(FilterOutputStream.java:158)
        at org.apache.thrift.transport.TIOStreamTransport.close(TIOStreamTransport.java:110)
        at org.apache.thrift.transport.TSocket.close(TSocket.java:235)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:318)
        at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1917)
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
        at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:204)
        at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:169)
        at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:105)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:208)
        at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:146)
        at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:211)
        at org.apache.hive.beeline.Commands.connect(Commands.java:1496)
        at org.apache.hive.beeline.Commands.connect(Commands.java:1391)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:52)
        at org.apache.hive.beeline.BeeLine.execCommandWithPrefix(BeeLine.java:1135)
        at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:1174)
        at org.apache.hive.beeline.BeeLine.execute(BeeLine.java:1010)
        at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:922)
        at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:518)
        at org.apache.hive.beeline.BeeLine.main(BeeLine.java:501)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.hadoop.util.RunJar.run(RunJar.java:221)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:136)
Unknown HS2 problem when communicating with Thrift server.
Error: Could not open client transport with JDBC Uri: jdbc:hive2://<SNIPPED For privacy> GSS initiate failed
Also, could not send response: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 52
{code}
This breaks SSL support in Hive. Should we revert this fix and find a different fix for this solution for the problem in this jira?
Thanks

> Canonical-ize hostnames for Hive metastore, and HS2 servers.
> ------------------------------------------------------------
>
>                 Key: HIVE-17218
>                 URL: https://issues.apache.org/jira/browse/HIVE-17218
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2, Metastore, Security
>    Affects Versions: 1.2.2, 2.2.0, 3.0.0
>            Reporter: Mithun Radhakrishnan
>            Assignee: Mithun Radhakrishnan
>            Priority: Major
>             Fix For: 3.0.0, 2.4.0
>
>         Attachments: HIVE-17218.1.patch
>
>
> Currently, the {{HiveMetastoreClient}} and {{HiveConnection}} do not canonical-ize the hostnames of the metastore/HS2 servers. In deployments where there are multiple such servers behind a VIP, this causes a number of inconveniences:
> # The client-side configuration (e.g. {{hive.metastore.uris}} in {{hive-site.xml}}) needs to specify the VIP's hostname, and cannot use a simplified CNAME, in the thrift URL. If the {{hive.metastore.kerberos.principal}} is specified using {{_HOST}}, one sees GSS failures as follows:
> {noformat}
> hive --hiveconf hive.metastore.kerberos.principal=hive/_h...@grid.myth.net --hiveconf hive.metastore.uris="thrift://simplified-hcat-cname.grid.myth.net:56789"
> ...
> Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: Unable to instantiate org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient
>         at org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:542)
>         at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:677)
>         at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:621)
> ...
> {noformat}
> This is because {{_HOST}} is filled in with the CNAME, and not the canonicalized name.
> # Oozie workflows that use HCat {{<credential>}} have to always use the VIP hostname, and can't use {{_HOST}}-based service principals, if the CNAME differs from the VIP name.
> If the client-code simply canonical-ized the hostnames, it would enable the use of both simplified CNAMEs, and _HOST in service principals.
-- This message was sent by Atlassian JIRA (v7.6.3#76005)
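As an added illustration of the trade-off discussed in the comment above (this is example code written for this page, not Hive's code and not from the JIRA thread): the canonical name is what the Kerberos `_HOST` substitution needs, while TLS endpoint identification must use the name the client was configured with, because that is the name the certificate's CN/SAN carries. Keeping the two roles separate avoids the "No subject alternative names matching IP address" failure without giving up canonicalization for the service principal. The host name `hs2-vip.example.org`, the realm `EXAMPLE.ORG`, the class name and the fallback behaviour on a failed lookup are assumptions; `canonicalHost` performs a real DNS lookup, so offline it simply returns the configured name.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

/**
 * Example only (not Hive code): the same host name plays two roles, and
 * each role wants a different form of it.
 *   - Kerberos principal (_HOST): canonical, reverse-resolved name.
 *   - TLS endpoint identification and SNI: the configured name, as
 *     written in the JDBC URL / hive.metastore.uris.
 */
public class HostNameRoles {

    /** Canonical name for _HOST substitution; same lookup as NSLookupFwd in the comment above. */
    public static String canonicalHost(String configuredHost) {
        try {
            return InetAddress.getByName(configuredHost).getCanonicalHostName();
        } catch (UnknownHostException e) {
            // Assumption for this example: fall back to the configured name
            // instead of failing the whole connection on a lookup error.
            return configuredHost;
        }
    }

    /** Fill in the _HOST placeholder; lower-cased, matching Hadoop's _HOST substitution. */
    public static String resolvePrincipal(String principalTemplate, String canonicalHost) {
        return principalTemplate.replace("_HOST", canonicalHost.toLowerCase());
    }

    /**
     * Open a TLS socket whose peer certificate is verified against the
     * CONFIGURED name, never the canonical one. "HTTPS" turns on the JSSE
     * hostname check against the certificate's SAN/CN for the host passed to
     * createSocket(); the SNI extension carries the same name so a VIP or
     * front end can present the matching certificate.
     */
    public static SSLSocket openTlsSocket(String configuredHost, int port) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(configuredHost, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        params.setServerNames(
                Collections.<SNIServerName>singletonList(new SNIHostName(configuredHost)));
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) {
        // Hypothetical VIP name; pass a real one as args[0] to see the difference.
        String configured = args.length > 0 ? args[0] : "hs2-vip.example.org";
        String canonical = canonicalHost(configured);

        System.out.println("Configured host        : " + configured);
        System.out.println("Canonical host         : " + canonical);
        System.out.println("Kerberos principal     : "
                + resolvePrincipal("hive/_HOST@EXAMPLE.ORG", canonical));
        System.out.println("TLS verification name  : " + configured);

        if (!canonical.equalsIgnoreCase(configured)) {
            System.out.println("Note: the names differ. Verifying the certificate against '"
                    + canonical + "' would only succeed if the certificate also lists it"
                    + " as a SAN; verify against the configured name instead.");
        }
    }
}
```

The design point is that canonicalization is a Kerberos concern and should stop at the principal string; the name handed to the socket factory and to `setEndpointIdentificationAlgorithm("HTTPS")` must remain whatever the operator configured, since that is what the CA issued the certificate for. Clusters that do want the canonical name accepted by TLS have to add it (or the VIP's address) as a SAN, which is exactly what the back-end certificates in the comment's examples do not do.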