[
https://issues.apache.org/jira/browse/HIVE-21899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
KWON BYUNGCHANG updated HIVE-21899:
-----------------------------------
Attachment: HIVE-21899.001.patch
Status: Patch Available (was: Open)
I have attached patch. please review it.
> Utils.getCanonicalHostName() may return IP address depending on DNS infra
> -------------------------------------------------------------------------
>
> Key: HIVE-21899
> URL: https://issues.apache.org/jira/browse/HIVE-21899
> Project: Hive
> Issue Type: Bug
> Components: HiveServer2, Metastore, Security
> Reporter: KWON BYUNGCHANG
> Priority: Major
> Attachments: HIVE-21899.001.patch
>
>
> if there is not PTR record of hostname A in DNS,
> org.apache.hive.jdbc.Utils.getCanonicalHostName(“A”) return IP Address.
> And failed connecting secured HS2 or HMS because cannot getting kerberos
> service ticket of HS2 or HMS using ip address.
> workaround is adding hostname A and IP to /etc/hosts, it is uncomfortable.
> below is krb5 debug log.
> note that {{Server not found in Kerberos database}} and
> {{hive/10.1....@example.com}}
> {code}
> Picked up JAVA_TOOL_OPTIONS: -Dsun.security.krb5.debug=true
> Connecting to
> jdbc:hive2://zk1.example.com:2181,zk2.example.com:2181,zk.example.com:2181/default;principal=hive/_h...@example.com;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2
> Java config name: /etc/krb5.conf
> Loaded from Java config
> Java config name: /etc/krb5.conf
> Loaded from Java config
> >>> KdcAccessibility: reset
> >>> KdcAccessibility: reset
> >>>DEBUG <CCacheInputStream> client principal is mag...@example.com
> >>>DEBUG <CCacheInputStream> server principal is
> >>>krbtgt/example....@example.com
> >>>DEBUG <CCacheInputStream> key type: 18
> >>>DEBUG <CCacheInputStream> auth time: Thu Jun 20 12:46:45 JST 2019
> >>>DEBUG <CCacheInputStream> start time: Thu Jun 20 12:46:45 JST 2019
> >>>DEBUG <CCacheInputStream> end time: Fri Jun 21 12:46:43 JST 2019
> >>>DEBUG <CCacheInputStream> renew_till time: Thu Jun 27 12:46:43 JST 2019
> >>> CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
> Found ticket for mag...@example.com to go to krbtgt/example....@example.com
> expiring on Fri Jun 21 12:46:43 JST 2019
> Entered Krb5Context.initSecContext with state=STATE_NEW
> Found ticket for mag...@example.com to go to krbtgt/example....@example.com
> expiring on Fri Jun 21 12:46:43 JST 2019
> Service ticket not found in the subject
> >>> Credentials acquireServiceCreds: same realm
> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: ........
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbKdcReq send: kdc=kerberos.example.com UDP:88, timeout=30000, number of
> >>> retries =3, #bytes=661
> >>> KDCCommunication: kdc=kerberos.example.com UDP:88, timeout=30000,Attempt
> >>> =1, #bytes=661
> >>> KrbKdcReq send: #bytes read=171
> >>> KdcAccessibility: remove kerberos.example.com
> >>> KDCRep: init() encoding tag is 126 req type is 13
> >>>KRBError:
> cTime is Wed Dec 16 00:15:05 JST 1998 913734905000
> sTime is Thu Jun 20 12:50:30 JST 2019 1561002630000
> suSec is 659395
> error code is 7
> error Message is Server not found in Kerberos database
> cname is mag...@example.com
> sname is hive/10.1....@example.com
> msgType is 30
> KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
> at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
> at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
> at
> sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
> at
> sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
> at
> sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
