[
https://issues.apache.org/jira/browse/HIVE-29615?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Venugopal Reddy K updated HIVE-29615:
-------------------------------------
Description:
*[Description]*
The Hive Metastore cannot establish an RPC connection to the HDFS NameNode. The
connection is dropped during the Kerberos SASL handshake because of conflicting
Quality of Protection (QOP) configurations between the client and the server.
*HDFS NameNode (Server):* Configured with {{hadoop.rpc.protection = privacy}}
(requires encrypted traffic).
*Hive Metastore (Client):* When {{hadoop.rpc.protection configuration is
detected, it overrides it with authentication}} (only validates identity).
As a result, SASL layer throws {{SaslException: No common protection layer
between client and server}} because the client refuses to encrypt traffic,
while the server mandates it.
{code:java}
2026-05-14 10:35:54,420 ERROR
org.apache.hadoop.hive.metastore.utils.MetaStoreUtils: [TThreadPoolServer
WorkerProcess-13]: Got exception: javax.security.sasl.SaslException
DestHost:destPort mycluster:8020 , LocalHost:localPort
mycluster/10.140.114.1:0. Failed on local exception:
javax.security.sasl.SaslException: No common protection layer between client
and server
javax.security.sasl.SaslException: DestHost:destPort mycluster:8020 ,
LocalHost:localPort mycluster/10.140.114.1:0. Failed on local exception:
javax.security.sasl.SaslException: No common protection layer between client
and server
at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1584)
at org.apache.hadoop.ipc.Client.call(Client.java:1529)
at org.apache.hadoop.ipc.Client.call(Client.java:1426)
at
org.apache.hadoop.ipc.ProtobufRpcEngine2$Invoker.invoke(ProtobufRpcEngine2.java:258)
at
org.apache.hadoop.ipc.ProtobufRpcEngine2$Invoker.invoke(ProtobufRpcEngine2.java:139)
at jdk.proxy2.$Proxy34.getFileInfo(Unknown Source)
at
org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.lambda$getFileInfo$41(ClientNamenodeProtocolTranslatorPB.java:820)
at
org.apache.hadoop.ipc.internal.ShadedProtobufHelper.ipc(ShadedProtobufHelper.java:160)
at
org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:820)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:568)
at
org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:437)
at
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:170)
at
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:162)
at
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:100)
at
org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:366)
at jdk.proxy2.$Proxy35.getFileInfo(Unknown Source)
at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1776)
at
org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1838)
at
org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1835)
at
org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
at
org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1850)
at org.apache.hadoop.hive.metastore.Warehouse.isDir(Warehouse.java:861)
{code}
{code:java}
javax.security.sasl.SaslException: No common protection layer between client
and server
at
com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:270)
~[jdk.security.jgss:?]
at
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:203)
~[jdk.security.jgss:?]
at
org.apache.hadoop.security.SaslRpcClient.saslEvaluateToken(SaslRpcClient.java:489)
at
org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:431){code}
was:
*[Description]*
The Hive Metastore cannot establish an RPC connection to the HDFS NameNode. The
connection is dropped during the Kerberos SASL handshake because of conflicting
Quality of Protection (QOP) configurations between the client and the server.
*HDFS NameNode (Server):* Configured with {{hadoop.rpc.protection = privacy}}
(requires encrypted traffic).
*Hive Metastore (Client):* When {{hadoop.rpc.protection configuration is
detected, it overrides it with authentication}} (only validates identity).
As a result, SASL layer throws {{SaslException: No common protection layer
between client and server}} because the client refuses to encrypt traffic,
while the server mandates it.
{code:java}
2026-05-14 10:35:54,420 ERROR
org.apache.hadoop.hive.metastore.utils.MetaStoreUtils: [TThreadPoolServer
WorkerProcess-13]: Got exception: javax.security.sasl.SaslException
DestHost:destPort mycluster:8020 , LocalHost:localPort
mycluster/10.140.114.1:0. Failed on local exception:
javax.security.sasl.SaslException: No common protection layer between client
and server
javax.security.sasl.SaslException: DestHost:destPort mycluster:8020 ,
LocalHost:localPort mycluster/10.140.114.1:0. Failed on local exception:
javax.security.sasl.SaslException: No common protection layer between client
and server
at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1584)
at org.apache.hadoop.ipc.Client.call(Client.java:1529)
at org.apache.hadoop.ipc.Client.call(Client.java:1426)
at
org.apache.hadoop.ipc.ProtobufRpcEngine2$Invoker.invoke(ProtobufRpcEngine2.java:258)
at
org.apache.hadoop.ipc.ProtobufRpcEngine2$Invoker.invoke(ProtobufRpcEngine2.java:139)
at jdk.proxy2.$Proxy34.getFileInfo(Unknown Source)
at
org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.lambda$getFileInfo$41(ClientNamenodeProtocolTranslatorPB.java:820)
at
org.apache.hadoop.ipc.internal.ShadedProtobufHelper.ipc(ShadedProtobufHelper.java:160)
at
org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:820)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:568)
at
org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:437)
at
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:170)
at
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:162)
at
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:100)
at
org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:366)
at jdk.proxy2.$Proxy35.getFileInfo(Unknown Source)
at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1776)
at
org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1838)
at
org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1835)
at
org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
at
org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1850)
at org.apache.hadoop.hive.metastore.Warehouse.isDir(Warehouse.java:861)
{code}
{code:java}
javax.security.sasl.SaslException: No common protection layer between client
and server
at
com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:270)
~[jdk.security.jgss:?]
at
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:203)
~[jdk.security.jgss:?]
at
org.apache.hadoop.security.SaslRpcClient.saslEvaluateToken(SaslRpcClient.java:489)
at
org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:431){code}
> Hive Metastore fails to connect to NameNode due to SASL hadoop.rpc.protection
> mismatch (Client: authentication vs Server: privacy)
> ----------------------------------------------------------------------------------------------------------------------------------
>
> Key: HIVE-29615
> URL: https://issues.apache.org/jira/browse/HIVE-29615
> Project: Hive
> Issue Type: Bug
> Components: Metastore, Security, Standalone Metastore
> Reporter: Venugopal Reddy K
> Assignee: Venugopal Reddy K
> Priority: Major
>
> *[Description]*
> The Hive Metastore cannot establish an RPC connection to the HDFS NameNode.
> The connection is dropped during the Kerberos SASL handshake because of
> conflicting Quality of Protection (QOP) configurations between the client and
> the server.
> *HDFS NameNode (Server):* Configured with {{hadoop.rpc.protection = privacy}}
> (requires encrypted traffic).
> *Hive Metastore (Client):* When {{hadoop.rpc.protection configuration is
> detected, it overrides it with authentication}} (only validates identity).
> As a result, SASL layer throws {{SaslException: No common protection layer
> between client and server}} because the client refuses to encrypt traffic,
> while the server mandates it.
> {code:java}
> 2026-05-14 10:35:54,420 ERROR
> org.apache.hadoop.hive.metastore.utils.MetaStoreUtils: [TThreadPoolServer
> WorkerProcess-13]: Got exception: javax.security.sasl.SaslException
> DestHost:destPort mycluster:8020 , LocalHost:localPort
> mycluster/10.140.114.1:0. Failed on local exception:
> javax.security.sasl.SaslException: No common protection layer between client
> and server
> javax.security.sasl.SaslException: DestHost:destPort mycluster:8020 ,
> LocalHost:localPort mycluster/10.140.114.1:0. Failed on local exception:
> javax.security.sasl.SaslException: No common protection layer between client
> and server
> at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1584)
> at org.apache.hadoop.ipc.Client.call(Client.java:1529)
> at org.apache.hadoop.ipc.Client.call(Client.java:1426)
> at
> org.apache.hadoop.ipc.ProtobufRpcEngine2$Invoker.invoke(ProtobufRpcEngine2.java:258)
> at
> org.apache.hadoop.ipc.ProtobufRpcEngine2$Invoker.invoke(ProtobufRpcEngine2.java:139)
> at jdk.proxy2.$Proxy34.getFileInfo(Unknown Source)
> at
> org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.lambda$getFileInfo$41(ClientNamenodeProtocolTranslatorPB.java:820)
> at
> org.apache.hadoop.ipc.internal.ShadedProtobufHelper.ipc(ShadedProtobufHelper.java:160)
> at
> org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:820)
> at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
> at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:568)
> at
> org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:437)
> at
> org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:170)
> at
> org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:162)
> at
> org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:100)
> at
> org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:366)
> at jdk.proxy2.$Proxy35.getFileInfo(Unknown Source)
> at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1776)
> at
> org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1838)
> at
> org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1835)
> at
> org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
>
> at
> org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1850)
> at org.apache.hadoop.hive.metastore.Warehouse.isDir(Warehouse.java:861)
> {code}
>
> {code:java}
> javax.security.sasl.SaslException: No common protection layer between client
> and server
> at
> com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:270)
> ~[jdk.security.jgss:?]
> at
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:203)
> ~[jdk.security.jgss:?]
> at
> org.apache.hadoop.security.SaslRpcClient.saslEvaluateToken(SaslRpcClient.java:489)
> at
> org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:431){code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
