[
https://issues.apache.org/jira/browse/HIVE-29306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated HIVE-29306:
----------------------------------
Labels: pull-request-available (was: )
> GSSException encountered during HMS Ranger authorization
> --------------------------------------------------------
>
> Key: HIVE-29306
> URL: https://issues.apache.org/jira/browse/HIVE-29306
> Project: Hive
> Issue Type: Bug
> Reporter: Kiran Velumuri
> Priority: Minor
> Labels: pull-request-available
>
> I was testing out Ranger authorization on the HMS side by adding the below
> configs to my Kerberized, Ambari-managed cluster (Hive 4.0.1, Ranger v2.6.0):
>
> {noformat}
> General
> hive.security.metastore.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory
> Advanced hive-site
> hive.metastore.pre.event.listeners=org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer
> Custom hivemetastore-site
> hive.security.authorization.enabled=true
> hive.security.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory
> {noformat}
>
> I invoked the spark-sql shell to verify that this is working, but was faced
> with the Kerberos-related error below when Ranger (RangerHiveAuthorizer) tries
> to open an HMS client connection from inside the HMS request handler itself:
> {code:java}
> 2025-11-06T10:09:01,232 ERROR [Metastore-Handler-Pool: Thread-8483]:
> transport.TSaslTransport (TSaslTransport.java:open(280)) - SASL negotiation
> failure
> javax.security.sasl.SaslException: GSS initiate failed at
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:228)
> ~[jdk.security.jgss:?] at
> org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:96)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:238)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:39)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:51)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:48)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
> at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?] at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1953)
> ~[hadoop-common-3.4.1.3.4.1.0-4.jar:?] at
> org.apache.hadoop.hive.metastore.security.TUGIAssumingTransport.open(TUGIAssumingTransport.java:48)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:823)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:282)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.HiveMetaStoreClientWithLocalCache.<init>(HiveMetaStoreClientWithLocalCache.java:118)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient.<init>(SessionHiveMetaStoreClient.java:156)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native
> Method) ~[?:?] at
> jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
> ~[?:?] at
> jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> ~[?:?] at
> java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
> ~[?:?] at java.lang.reflect.Constructor.newInstance(Constructor.java:481)
> ~[?:?] at
> org.apache.hadoop.hive.metastore.utils.JavaUtils.newInstance(JavaUtils.java:87)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.<init>(RetryingMetaStoreClient.java:96)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:149)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:120)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.Hive.createMetaStoreClient(Hive.java:5948)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:6036)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:6016)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.Hive.getAllFunctions(Hive.java:6361)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.Hive.reloadFunctions(Hive.java:370)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.Hive.registerAllFunctionsOnce(Hive.java:349)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.Hive.<init>(Hive.java:575)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.Hive.create(Hive.java:467)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.Hive.getInternal(Hive.java:454)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.Hive.get(Hive.java:539)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.metadata.Hive.get(Hive.java:528)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl.getHiveMetastoreClient(HiveMetastoreClientFactoryImpl.java:36)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.getMetaStoreClient(RangerHiveAuthorizer.java:3313)
> ~[?:?] at
> org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.getHiveResource(RangerHiveAuthorizer.java:1598)
> ~[?:?] at
> org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:853)
> ~[?:?] at
> org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.checkPrivileges(HiveMetaStoreAuthorizer.java:578)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.onEvent(HiveMetaStoreAuthorizer.java:111)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.HMSHandler.firePreEvent(HMSHandler.java:3984)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.HMSHandler.get_database_req(HMSHandler.java:1410)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.HMSHandler.get_database(HMSHandler.java:1380)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
> at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
> ~[?:?] at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:?] at java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]
> at
> org.apache.hadoop.hive.metastore.RetryingHMSHandler.invokeInternal(RetryingHMSHandler.java:91)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.AbstractHMSHandlerProxy.invoke(AbstractHMSHandlerProxy.java:82)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> jdk.proxy2.$Proxy31.get_database(Unknown Source) ~[?:?] at
> org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_database.getResult(ThriftHiveMetastore.java:18900)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_database.getResult(ThriftHiveMetastore.java:18879)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.thrift.ProcessFunction.process(ProcessFunction.java:38)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:38)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:646)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:641)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
> at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?] at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1953)
> ~[hadoop-common-3.4.1.3.4.1.0-4.jar:?] at
> org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:641)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:250)
> ~[hive-exec-4.0.1.3.4.1.0-4.jar:4.0.1.3.4.1.0-4] at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
> ~[?:?] at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
> ~[?:?] at java.lang.Thread.run(Thread.java:840) ~[?:?]
> Caused by:
> org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level:
> Failed to find any Kerberos tgt) at
> sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:166)
> ~[java.security.jgss:?] at
> sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
> ~[java.security.jgss:?] at
> sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:195)
> ~[java.security.jgss:?] at
> sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:205)
> ~[java.security.jgss:?] at
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
> ~[java.security.jgss:?] at
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:196)
> ~[java.security.jgss:?] at
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:209)
> ~[jdk.security.jgss:?] ... 63 more{code}
> The existing Ranger authorization at the HS2 level worked fine earlier, and I
> now wish to verify it on the HMS side. Reading the trace: the authorizer
> (RangerHiveAuthorizer.getMetaStoreClient -> Hive.getMSC -> HiveMetaStoreClient.open)
> opens a fresh Thrift connection to HMS from within HMS's own handler thread,
> and that open runs under UserGroupInformation.doAs inside
> HadoopThriftAuthBridge$Server$TUGIAssumingProcessor, i.e. presumably as the
> proxied calling user rather than as the HMS service login. "Failed to find any
> Kerberos tgt" then appears to mean that this subject has no TGT, so HMS is
> effectively trying to authenticate to itself as the end user instead of with
> its own keytab. Note that this seems to fail closed (the exception surfaces in
> firePreEvent, so the get_database call is rejected rather than silently
> authorized), which is the right default; any fix should route the authorizer's
> lookups through the in-process metastore or the HMS service credentials rather
> than relax SASL/Kerberos on that connection. Could someone who has worked on
> this tell me whether any other config needs to be added or updated? Thank you.
>