[ 
https://issues.apache.org/jira/browse/HIVE-29306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kiran Velumuri updated HIVE-29306:
----------------------------------
    Description: 
I was testing Ranger authorization on the HMS (Hive Metastore) side by adding the 
configs below to my Kerberised, Ambari-managed cluster:

 
{noformat}
General
hive.security.metastore.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory
Advanced hive-site
hive.metastore.pre.event.listeners=org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer
Custom hivemetastore-site
hive.security.authorization.enabled=true
hive.security.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory
{noformat}
 

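I invoked the spark-sql shell to verify that this works, but hit the 
Kerberos-related error below when Ranger's RangerHiveAuthorizer tries to open an 
HMS client connection. The error is logged on a Metastore-Handler-Pool thread, 
i.e. inside the metastore process while it authorizes a get_database call: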
{code:java}
// code placeholder
2025-11-06T10:09:01,232 ERROR [Metastore-Handler-Pool: Thread-8483]: 
transport.TSaslTransport (TSaslTransport.java:open(280)) - SASL negotiation 
failure
javax.security.sasl.SaslException: GSS initiate failed  at 
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:228)
 ~[jdk.security.jgss:?] at 
org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:96)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:238) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:39)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:51)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:48)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]   
     at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]    at 
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1953)
 ~[hadoop-common-3.4.1.3.4.1.0-4.jar:?]  at 
org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport.open(TUGIAssumingTransport.java:48)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:823)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:282)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
org.apache.hadoop.hive.ql.metadata.HiveMetaStoreClientWithLocalCache.<init>(HiveMetaStoreClientWithLocalCache.java:118)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient.<init>(SessionHiveMetaStoreClient.java:156)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
~[?:?]        at 
jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
 ~[?:?] at 
jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
 ~[?:?] at 
java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) 
~[?:?]     at java.lang.reflect.Constructor.newInstance(Constructor.java:481) 
~[?:?]       at 
org.apache.hadoop.hive.metastore.utils.JavaUtils.newInstance(JavaUtils.java:87) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.<init>(RetryingMetaStoreClient.java:96)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:149)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:120)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.ql.metadata.Hive.createMetaStoreClient(Hive.java:5948) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:6036) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:6016) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.hadoop.hive.ql.metadata.Hive.getAllFunctions(Hive.java:6361) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
org.apache.hadoop.hive.ql.metadata.Hive.reloadFunctions(Hive.java:370) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.hadoop.hive.ql.metadata.Hive.registerAllFunctionsOnce(Hive.java:349) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
org.apache.hadoop.hive.ql.metadata.Hive.<init>(Hive.java:575) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
org.apache.hadoop.hive.ql.metadata.Hive.create(Hive.java:467) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
org.apache.hadoop.hive.ql.metadata.Hive.getInternal(Hive.java:454) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
org.apache.hadoop.hive.ql.metadata.Hive.get(Hive.java:539) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
org.apache.hadoop.hive.ql.metadata.Hive.get(Hive.java:528) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl.getHiveMetastoreClient(HiveMetastoreClientFactoryImpl.java:36)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.getMetaStoreClient(RangerHiveAuthorizer.java:3313)
 ~[?:?]       at 
org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.getHiveResource(RangerHiveAuthorizer.java:1598)
 ~[?:?]  at 
org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:853)
 ~[?:?]   at 
org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.checkPrivileges(HiveMetaStoreAuthorizer.java:578)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.onEvent(HiveMetaStoreAuthorizer.java:111)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.metastore.HMSHandler.firePreEvent(HMSHandler.java:3984) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.hadoop.hive.metastore.HMSHandler.get_database_req(HMSHandler.java:1410)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
org.apache.hadoop.hive.metastore.HMSHandler.get_database(HMSHandler.java:1380) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]  at 
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
 ~[?:?]        at 
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 ~[?:?]        at java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]      
at 
org.apache.hadoop.hive.metastore.RetryingHMSHandler.invokeInternal(RetryingHMSHandler.java:91)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.hadoop.hive.metastore.AbstractHMSHandlerProxy.invoke(AbstractHMSHandlerProxy.java:82)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
jdk.proxy2.$Proxy31.get_database(Unknown Source) ~[?:?]      at 
org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_database.getResult(ThriftHiveMetastore.java:18900)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_database.getResult(ThriftHiveMetastore.java:18879)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
org.apache.thrift.ProcessFunction.process(ProcessFunction.java:38) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:38) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:646)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:641)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]   
     at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]    at 
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1953)
 ~[hadoop-common-3.4.1.3.4.1.0-4.jar:?]  at 
org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:641)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:250)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) 
~[?:?]       at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) 
~[?:?]       at java.lang.Thread.run(Thread.java:840) ~[?:?]
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: 
Failed to find any Kerberos tgt)  at 
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:166)
 ~[java.security.jgss:?]   at 
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
 ~[java.security.jgss:?]        at 
sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:195)
 ~[java.security.jgss:?] at 
sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:205) 
~[java.security.jgss:?]        at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230) 
~[java.security.jgss:?]     at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:196) 
~[java.security.jgss:?]     at 
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:209)
 ~[jdk.security.jgss:?] ... 63 more{code}
Could someone who has worked on this tell me whether any other config needs to 
be added or updated? The existing Ranger authorization at the HS2 level worked 
fine earlier, and I want to verify it on the HMS side.

 

  was:
I was testing out Ranger authorization from HMS side by adding the below 
configs to my Kerberised Ambari managed cluster:

 

 
{noformat}
General
hive.security.metastore.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory
Advanced hive-site
hive.metastore.pre.event.listeners=org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer
Custom hivemetastore-site
hive.security.authorization.enabled=true
hive.security.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory
{noformat}
 

 

I invoked the spark-sql shell to verify if this is working, but was faced with 
below Kerberos related error when ranger/RangerHiveAuthorizer tries to make a 
HMS client connection:
{code:java}
// code placeholder
2025-11-06T10:09:01,232 ERROR [Metastore-Handler-Pool: Thread-8483]: 
transport.TSaslTransport (TSaslTransport.java:open(280)) - SASL negotiation 
failurejavax.security.sasl.SaslException: GSS initiate failed  at 
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:228)
 ~[jdk.security.jgss:?] at 
org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:96)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:238) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:39)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:51)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:48)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]   
     at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]    at 
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1953)
 ~[hadoop-common-3.4.1.3.4.1.0-4.jar:?]  at 
org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport.open(TUGIAssumingTransport.java:48)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:823)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:282)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
org.apache.hadoop.hive.ql.metadata.HiveMetaStoreClientWithLocalCache.<init>(HiveMetaStoreClientWithLocalCache.java:118)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient.<init>(SessionHiveMetaStoreClient.java:156)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
~[?:?]        at 
jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
 ~[?:?] at 
jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
 ~[?:?] at 
java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) 
~[?:?]     at java.lang.reflect.Constructor.newInstance(Constructor.java:481) 
~[?:?]       at 
org.apache.hadoop.hive.metastore.utils.JavaUtils.newInstance(JavaUtils.java:87) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.<init>(RetryingMetaStoreClient.java:96)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:149)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:120)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.ql.metadata.Hive.createMetaStoreClient(Hive.java:5948) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:6036) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:6016) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.hadoop.hive.ql.metadata.Hive.getAllFunctions(Hive.java:6361) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
org.apache.hadoop.hive.ql.metadata.Hive.reloadFunctions(Hive.java:370) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.hadoop.hive.ql.metadata.Hive.registerAllFunctionsOnce(Hive.java:349) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
org.apache.hadoop.hive.ql.metadata.Hive.<init>(Hive.java:575) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
org.apache.hadoop.hive.ql.metadata.Hive.create(Hive.java:467) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
org.apache.hadoop.hive.ql.metadata.Hive.getInternal(Hive.java:454) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
org.apache.hadoop.hive.ql.metadata.Hive.get(Hive.java:539) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
org.apache.hadoop.hive.ql.metadata.Hive.get(Hive.java:528) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl.getHiveMetastoreClient(HiveMetastoreClientFactoryImpl.java:36)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.getMetaStoreClient(RangerHiveAuthorizer.java:3313)
 ~[?:?]       at 
org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.getHiveResource(RangerHiveAuthorizer.java:1598)
 ~[?:?]  at 
org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:853)
 ~[?:?]   at 
org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.checkPrivileges(HiveMetaStoreAuthorizer.java:578)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.onEvent(HiveMetaStoreAuthorizer.java:111)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
org.apache.hadoop.hive.metastore.HMSHandler.firePreEvent(HMSHandler.java:3984) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.hadoop.hive.metastore.HMSHandler.get_database_req(HMSHandler.java:1410)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
org.apache.hadoop.hive.metastore.HMSHandler.get_database(HMSHandler.java:1380) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]  at 
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
 ~[?:?]        at 
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 ~[?:?]        at java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]      
at 
org.apache.hadoop.hive.metastore.RetryingHMSHandler.invokeInternal(RetryingHMSHandler.java:91)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.hadoop.hive.metastore.AbstractHMSHandlerProxy.invoke(AbstractHMSHandlerProxy.java:82)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
jdk.proxy2.$Proxy31.get_database(Unknown Source) ~[?:?]      at 
org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_database.getResult(ThriftHiveMetastore.java:18900)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_database.getResult(ThriftHiveMetastore.java:18879)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
org.apache.thrift.ProcessFunction.process(ProcessFunction.java:38) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:38) 
~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:646)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:641)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]   
     at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]    at 
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1953)
 ~[hadoop-common-3.4.1.3.4.1.0-4.jar:?]  at 
org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:641)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:250)
 ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) 
~[?:?]       at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) 
~[?:?]       at java.lang.Thread.run(Thread.java:840) ~[?:?]Caused by: 
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: 
Failed to find any Kerberos tgt)  at 
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:166)
 ~[java.security.jgss:?]   at 
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
 ~[java.security.jgss:?]        at 
sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:195)
 ~[java.security.jgss:?] at 
sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:205) 
~[java.security.jgss:?]        at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230) 
~[java.security.jgss:?]     at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:196) 
~[java.security.jgss:?]     at 
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:209)
 ~[jdk.security.jgss:?] ... 63 more{code}
Could someone, having worked on this, tell if any other config needs to be 
added/updated? The existing Ranger authorization at HS2 level worked fine 
earlier, and I wish to verify for HMS side.

 


> GSSException encountered during HMS Ranger authorization
> --------------------------------------------------------
>
>                 Key: HIVE-29306
>                 URL: https://issues.apache.org/jira/browse/HIVE-29306
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Kiran Velumuri
>            Priority: Minor
>
> I was testing Ranger authorization on the HMS (Hive Metastore) side by adding the 
> configs below to my Kerberised, Ambari-managed cluster:
>  
> {noformat}
> General
> hive.security.metastore.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory
> Advanced hive-site
> hive.metastore.pre.event.listeners=org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer
> Custom hivemetastore-site
> hive.security.authorization.enabled=true
> hive.security.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory
> {noformat}
>  
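> I invoked the spark-sql shell to verify that this works, but hit the 
> Kerberos-related error below when Ranger's RangerHiveAuthorizer tries to open 
> an HMS client connection. The error is logged on a Metastore-Handler-Pool 
> thread, i.e. inside the metastore process while it authorizes a get_database call: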
> {code:java}
> // code placeholder
> 2025-11-06T10:09:01,232 ERROR [Metastore-Handler-Pool: Thread-8483]: 
> transport.TSaslTransport (TSaslTransport.java:open(280)) - SASL negotiation 
> failure
> javax.security.sasl.SaslException: GSS initiate failed        at 
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:228)
>  ~[jdk.security.jgss:?] at 
> org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:96)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
> org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:238) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
> org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:39)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
> org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:51)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
> org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:48)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
> java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?] 
>        at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]    at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1953)
>  ~[hadoop-common-3.4.1.3.4.1.0-4.jar:?]  at 
> org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport.open(TUGIAssumingTransport.java:48)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:823)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:282)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
> org.apache.hadoop.hive.ql.metadata.HiveMetaStoreClientWithLocalCache.<init>(HiveMetaStoreClientWithLocalCache.java:118)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
> org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient.<init>(SessionHiveMetaStoreClient.java:156)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
> jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native 
> Method) ~[?:?]        at 
> jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
>  ~[?:?] at 
> jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>  ~[?:?] at 
> java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) 
> ~[?:?]     at java.lang.reflect.Constructor.newInstance(Constructor.java:481) 
> ~[?:?]       at 
> org.apache.hadoop.hive.metastore.utils.JavaUtils.newInstance(JavaUtils.java:87)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
> org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.<init>(RetryingMetaStoreClient.java:96)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
> org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:149)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
> org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:120)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
> org.apache.hadoop.hive.ql.metadata.Hive.createMetaStoreClient(Hive.java:5948) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
> org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:6036) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
> org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:6016) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
> org.apache.hadoop.hive.ql.metadata.Hive.getAllFunctions(Hive.java:6361) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
> org.apache.hadoop.hive.ql.metadata.Hive.reloadFunctions(Hive.java:370) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
> org.apache.hadoop.hive.ql.metadata.Hive.registerAllFunctionsOnce(Hive.java:349)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]     at 
> org.apache.hadoop.hive.ql.metadata.Hive.<init>(Hive.java:575) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
> org.apache.hadoop.hive.ql.metadata.Hive.create(Hive.java:467) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
> org.apache.hadoop.hive.ql.metadata.Hive.getInternal(Hive.java:454) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
> org.apache.hadoop.hive.ql.metadata.Hive.get(Hive.java:539) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
> org.apache.hadoop.hive.ql.metadata.Hive.get(Hive.java:528) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
> org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl.getHiveMetastoreClient(HiveMetastoreClientFactoryImpl.java:36)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]       at 
> org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.getMetaStoreClient(RangerHiveAuthorizer.java:3313)
>  ~[?:?]       at 
> org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.getHiveResource(RangerHiveAuthorizer.java:1598)
>  ~[?:?]  at 
> org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:853)
>  ~[?:?]   at 
> org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.checkPrivileges(HiveMetaStoreAuthorizer.java:578)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
> org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.onEvent(HiveMetaStoreAuthorizer.java:111)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at 
> org.apache.hadoop.hive.metastore.HMSHandler.firePreEvent(HMSHandler.java:3984)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
> org.apache.hadoop.hive.metastore.HMSHandler.get_database_req(HMSHandler.java:1410)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
> org.apache.hadoop.hive.metastore.HMSHandler.get_database(HMSHandler.java:1380)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]  
> at 
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>  ~[?:?]        at 
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  ~[?:?]        at java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]     
>  at 
> org.apache.hadoop.hive.metastore.RetryingHMSHandler.invokeInternal(RetryingHMSHandler.java:91)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
> org.apache.hadoop.hive.metastore.AbstractHMSHandlerProxy.invoke(AbstractHMSHandlerProxy.java:82)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
> jdk.proxy2.$Proxy31.get_database(Unknown Source) ~[?:?]      at 
> org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_database.getResult(ThriftHiveMetastore.java:18900)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
> org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_database.getResult(ThriftHiveMetastore.java:18879)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]   at 
> org.apache.thrift.ProcessFunction.process(ProcessFunction.java:38) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]  at 
> org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:38) 
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
> org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:646)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
> org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:641)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]        at 
> java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?] 
>        at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]    at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1953)
>  ~[hadoop-common-3.4.1.3.4.1.0-4.jar:?]  at 
> org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:641)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]      at 
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:250)
>  ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4]    at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
>  ~[?:?]       at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
>  ~[?:?]       at java.lang.Thread.run(Thread.java:840) ~[?:?]
> Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: 
> Failed to find any Kerberos tgt)  at 
> sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:166)
>  ~[java.security.jgss:?]   at 
> sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
>  ~[java.security.jgss:?]        at 
> sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:195)
>  ~[java.security.jgss:?] at 
> sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:205) 
> ~[java.security.jgss:?]        at 
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230) 
> ~[java.security.jgss:?]     at 
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:196) 
> ~[java.security.jgss:?]     at 
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:209)
>  ~[jdk.security.jgss:?] ... 63 more{code}
> Could someone who has worked on this tell me whether any other config needs to 
> be added or updated? The existing Ranger authorization at the HS2 level worked 
> fine earlier, and I want to verify it on the HMS side.
>  


