Hello,
I wonder if you can help me please. I've set up a pre-production Atlas
server (I have tried 2.2 and I am currently on 3.0.0-SNAPSHOT) and I'm
attempting to import metadata from Hive with the import-hive.sh script.
Our Hive instance is Kerberized and whatever I do I cannot seem to
connect successfully.
I cannot get past this error in logs/import-hive.log

    2022-01-18 15:27:12,539 ERROR - [main:] ~ SASL negotiation failure (TSaslTransport:315)
    javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

I have the following configured in the bin/import-hive.sh script in
order to attempt a JAAS login.

    JVM_ARGS=-Djavax.security.auth.useSubjectCredsOnly=false
      -Djava.security.auth.login.config=conf/jaas_hive.conf
      -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true
      -Djava.security.debug=gssloginconfig,configfile,configparser,logincontext

The jaas_hive.conf file contains the following:

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        useTicketCache=false
        doNotPrompt=true
        keytab="/etc/security/keytabs/hive.keytab"
        principal="hive/fully.qualified.host.name@REALM"
        debug=true;
    };

I've also tried setting various settings in a jaas-application.conf file
as mentioned here: https://atlas.apache.org/#/Security
...but neither approach seems to affect the output from the script at
all. I don't get any more debug information and I can't see any
reference to attempting to use the keytab supplied.
It seems to be potentially similar to this issue that was created 4 days
ago: https://issues.apache.org/jira/browse/ATLAS-4535
If anyone has any insight as to where I am going wrong in my
configuration, or steps that might help me to overcome this issue, I'd
be grateful.
Kind regards,
Ben Tullis
--
*Ben Tullis* (he/him)
Senior Site Reliability Engineer
Wikimedia Foundation <https://wikimediafoundation.org/>
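
An added example, not part of the original message and not Atlas code: a small Python lint for the com.sun.security.auth.module.Krb5LoginModule stanza of a JAAS file such as the one quoted above. It relies on the module reading its options by exact, case-sensitive name; the function names are hypothetical and the sample text is constructed from the message.

```python
import re

# Options of com.sun.security.auth.module.Krb5LoginModule; the module reads
# them by exact, case-sensitive name and silently ignores anything else.
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
KRB5_OPTIONS = {
    "refreshKrb5Config", "useTicketCache", "ticketCache", "renewTGT",
    "doNotPrompt", "useKeyTab", "keyTab", "storeKey", "principal",
    "isInitiator", "useFirstPass", "tryFirstPass", "storePass",
    "clearPass", "debug",
}
ENTRY_RE = re.compile(r"([\w.$-]+)\s*\{(.*?)\}\s*;", re.S)
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*("[^"]*"|[^\s;]+)')

def parse_jaas(text):
    """Return {entry_name: [(module, flag, {option: value}), ...]}."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"(?m)^\s*(//|#).*$", "", text)       # line comments
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for stanza in filter(str.strip, body.split(";")):
            module, flag = stanza.split()[:2]
            opts = {k: v.strip('"') for k, v in OPTION_RE.findall(stanza)}
            modules.append((module, flag, opts))
        entries[name] = modules
    return entries

def lint_krb5(entries):
    """Flag option names the Krb5LoginModule would not recognise."""
    by_lower = {o.lower(): o for o in KRB5_OPTIONS}
    findings = []
    for entry, modules in entries.items():
        for module, _flag, opts in modules:
            if module != KRB5_MODULE:
                continue
            for key in opts:
                if key not in KRB5_OPTIONS:
                    hint = by_lower.get(key.lower())
                    findings.append(f"{entry}: unknown option '{key}'"
                                    + (f" (did you mean '{hint}'?)" if hint else ""))
            if opts.get("useKeyTab") == "true" and "keyTab" not in opts:
                findings.append(f"{entry}: useKeyTab=true but keyTab is not set")
    return findings

# Constructed sample: the stanza as it appears in the message above.
SAMPLE = """com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true useTicketCache=false doNotPrompt=true
  keytab="/etc/security/keytabs/hive.keytab"
  principal="hive/fully.qualified.host.name@REALM" debug=true;
};"""
```

Calling lint_krb5(parse_jaas(SAMPLE)) returns the findings as a list of strings; an empty list means every option name in the stanza is one the module reads.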