Kerberized Hive 3 + LLAP cluster behind Knox gateway

Thu, 01 Jul 2021 00:30:08 -0700 

Hello Hive users,

I am trying to set up a Kerberized Hive 3 + LLAP cluster behind Knox
gateway. Few main Hive configurations I have set are
* `hive.server2.transport.mode=http`
* `hive.server2.authentication.kerberos.principal=HTTP/_HOST@<REALM>`
* `hive.llap.zk.registry.user=HTTP`
* `hive.server2.enable.doAs=false`

With these configurations, my HS2 server and LLAP daemons startup succeeds.

When I to submit a query, TezAM is able to discover LLAP daemons but when
it tries to submit the Tasks to LLAP daemons, using LLAP Task communicator,
it gets following Exception
`|security.UserGroupInformation|: PrivilegedActionException
as:HTTP/<HOST>@<REALM> (auth:SIMPLE)
cause:org.apache.hadoop.ipc.RemoteException(javax.security.sasl.SaslException):
DIGEST-MD5: digest response format violation. Mismatched response.`

On LLAP Daemon, I am getting the following logs:
DEBUG [main-SendThread() ()] org.apache.zookeeper.ClientCnxn: Reading reply
sessionid:0x###, packet:: clientPath:null serverPath:null finished:false
header:: 242,4  replyHeader:: 242,1664820,0  request::
'/zkdtsm_hive_llap0/ZKDTSMRoot/ZKDTSMTokensRoot/DT_17,F  response::
#xxxx,s{1664357,1664357,xxxx,xxxx,0,0,0,0,114,0,1664357}
DEBUG [Socket Reader #1 for port 0 ()]
org.apache.hadoop.security.SaslRpcServer: SASL server DIGEST-MD5 callback:
setting password for client: HTTP/<HOST>@<REALM> (auth:TOKEN)
DEBUG [Socket Reader #1 for port 0 ()] org.apache.hadoop.ipc.Server:
javax.security.sasl.SaslException: DIGEST-MD5: digest response format
violation. Mismatched response.
at
com.sun.security.sasl.digest.DigestMD5Server.validateClientResponse(DigestMD5Server.java:627)
at
com.sun.security.sasl.digest.DigestMD5Server.evaluateResponse(DigestMD5Server.java:244)
at
org.apache.hadoop.ipc.Server$Connection.processSaslToken(Server.java:2115)
at
org.apache.hadoop.ipc.Server$Connection.processSaslMessage(Server.java:2092)
at org.apache.hadoop.ipc.Server$Connection.saslProcess(Server.java:1984)
at
org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1926)
at
org.apache.hadoop.ipc.Server$Connection.processRpcOutOfBandRequest(Server.java:2724)
at org.apache.hadoop.ipc.Server$Connection.processOneRpc(Server.java:2526)
at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:2275)
at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:1394)
at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:1250)
at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:1221)


Have you tried to set up such a Kerberized Hive 3 + LLAP behind the Knox
gateway cluster ? Are my configurations correct ?
Have you faced the issue mentioned above and know of any workaround ?

Reply via email to