[jira] [Commented] (HIVE-7443) Fix HiveConnection to communicate with Kerberized Hive JDBC server and alternative JDKs

Fri, 17 Jun 2016 12:24:40 -0700 

    [ 
https://issues.apache.org/jira/browse/HIVE-7443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15336766#comment-15336766
 ] 

Aihua Xu commented on HIVE-7443:
--------------------------------

Thanks Chaoyu for reviewing the code.

I changed to use UserGroupInformation.getCurrentUser() instead of 
getLoginUser() which also works for the case of fromSubject. So if the JDBC 
client does the login, then JDBC will get the credential from the subject. We 
don't separate logic for different JDKs, the same logic works for both of them. 

> Fix HiveConnection to communicate with Kerberized Hive JDBC server and 
> alternative JDKs
> ---------------------------------------------------------------------------------------
>
>                 Key: HIVE-7443
>                 URL: https://issues.apache.org/jira/browse/HIVE-7443
>             Project: Hive
>          Issue Type: Bug
>          Components: JDBC, Security
>    Affects Versions: 0.12.0, 0.13.1
>         Environment: Kerberos
> Run Hive server2 and client with IBM JDK7.1
>            Reporter: Yu Gao
>            Assignee: Aihua Xu
>         Attachments: HIVE-7443.2.patch, HIVE-7443.patch
>
>
> Hive Kerberos authentication has been enabled in my cluster. I ran kinit to 
> initialize the current login user's ticket cache successfully, and then tried 
> to use beeline to connect to Hive Server2, but failed. After I manually added 
> some logging to catch the failure exception, this is what I got that caused 
> the failure:
> beeline>  !connect 
> jdbc:hive2://<hiveserver.host>:10000/default;principal=hive/<hiveserver.host>@REALM.COM
>  org.apache.hive.jdbc.HiveDriver
> scan complete in 2ms
> Connecting to 
> jdbc:hive2://<hiveserver.host>:10000/default;principal=hive/<hiveserver.host>@REALM.COM
> Enter password for 
> jdbc:hive2://<hiveserver.host>:10000/default;principal=hive/<hiveserver.host>@REALM.COM:
> 14/07/17 15:12:45 ERROR jdbc.HiveConnection: Failed to open client transport
> javax.security.sasl.SaslException: Failed to open client transport [Caused by 
> java.io.IOException: Could not instantiate SASL transport]
>         at 
> org.apache.hive.service.auth.KerberosSaslHelper.getKerberosTransport(KerberosSaslHelper.java:78)
>         at 
> org.apache.hive.jdbc.HiveConnection.createBinaryTransport(HiveConnection.java:342)
>         at 
> org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:200)
>         at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:178)
>         at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:105)
>         at java.sql.DriverManager.getConnection(DriverManager.java:582)
>         at java.sql.DriverManager.getConnection(DriverManager.java:198)
>         at 
> org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:145)
>         at 
> org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:186)
>         at org.apache.hive.beeline.Commands.connect(Commands.java:959)
>         at org.apache.hive.beeline.Commands.connect(Commands.java:880)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:94)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>         at java.lang.reflect.Method.invoke(Method.java:619)
>         at 
> org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:44)
>         at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:801)
>         at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:659)
>         at 
> org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:368)
>         at org.apache.hive.beeline.BeeLine.main(BeeLine.java:351)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:94)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>         at java.lang.reflect.Method.invoke(Method.java:619)
>         at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
> Caused by: java.io.IOException: Could not instantiate SASL transport
>         at 
> org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Client.createClientTransport(HadoopThriftAuthBridge20S.java:177)
>         at 
> org.apache.hive.service.auth.KerberosSaslHelper.getKerberosTransport(KerberosSaslHelper.java:74)
>         ... 24 more
> Caused by: javax.security.sasl.SaslException: Failure to initialize security 
> context [Caused by org.ietf.jgss.GSSException, major code: 13, minor code: 0
>         major string: Invalid credentials
>         minor string: SubjectCredFinder: no JAAS Subject]
>         at 
> com.ibm.security.sasl.gsskerb.GssKrb5Client.<init>(GssKrb5Client.java:131)
>         at 
> com.ibm.security.sasl.gsskerb.FactoryImpl.createSaslClient(FactoryImpl.java:53)
>         at javax.security.sasl.Sasl.createSaslClient(Sasl.java:362)
>         at 
> org.apache.thrift.transport.TSaslClientTransport.<init>(TSaslClientTransport.java:72)
>         at 
> org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Client.createClientTransport(HadoopThriftAuthBridge20S.java:169)
>         ... 25 more
> Caused by: org.ietf.jgss.GSSException, major code: 13, minor code: 0
>         major string: Invalid credentials
>         minor string: SubjectCredFinder: no JAAS Subject
>         at 
> com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:83)
>         at 
> com.ibm.security.jgss.mech.krb5.Krb5Credential$SubjectCredFinder.run(Krb5Credential.java:1126)
>         at 
> java.security.AccessController.doPrivileged(AccessController.java:330)
>         at 
> com.ibm.security.jgss.mech.krb5.Krb5Credential.getClientCredsFromSubject(Krb5Credential.java:816)
>         at 
> com.ibm.security.jgss.mech.krb5.Krb5Credential.getCredentials(Krb5Credential.java:388)
>         at 
> com.ibm.security.jgss.mech.krb5.Krb5Credential.init(Krb5Credential.java:196)
>         at 
> com.ibm.security.jgss.mech.krb5.Krb5Credential.<init>(Krb5Credential.java:168)
>         at 
> com.ibm.security.jgss.mech.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:123)
>         at 
> com.ibm.security.jgss.GSSManagerImpl.createMechCredential(GSSManagerImpl.java:294)
>         at 
> com.ibm.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:137)
>         at 
> com.ibm.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:69)
>         at 
> com.ibm.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:169)
>         at com.ibm.security.jgss.GSSContextImpl.init(GSSContextImpl.java:157)
>         at 
> com.ibm.security.jgss.GSSContextImpl.<init>(GSSContextImpl.java:102)
>         at 
> com.ibm.security.jgss.GSSManagerImpl.createContext(GSSManagerImpl.java:183)
>         at 
> com.ibm.security.sasl.gsskerb.GssKrb5Client.<init>(GssKrb5Client.java:110)
>         ... 29 more
> Error: Invalid URL: 
> jdbc:hive2://<hiveserver.host>:10000/default;principal=hive/<hiveserver.host>@REALM.COM
>  (state=08S01,code=0)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to