Beeline making a kerberos call to Hive via KNOX secured with HadoopAuth works just fine. So does webhdfs. Spotfire JDBC calls are an issue specifically going at Knox with HadoopAuth when going through HiveServer2 httpmode using kerberos it works just fine it only is broken with Spotfire JDBC and Knox everything else works
On Tue, Feb 21, 2017 at 3:02 PM, larry mccay <[email protected]> wrote: > Hi Greg - > > Sorry for the delayed response here... > > Let's try and remove Spotfire from the equation first. > Try getting a simple curl request to WebHDFS working with --negotiate > before moving on to Spotfire/JDBC access. > > Let me know what you see in the related logs for that interaction. > > thanks, > > --larry > > > On Fri, Feb 17, 2017 at 12:01 PM, Greg Senia <[email protected]> wrote: > >> Hi, >> >> Not sure if anyone has encountered this. We have a Hadoop Cluster that is >> secured behind firewalls and the cluster is kerberized and we would like to >> use Knox to allow access to HiveServer2 using the httpthrift service. We >> have Tibco Spotfire setup to allow kerberos delegation to occur to HS2 so >> that it makes the call with the users kerberos context to Knox (using >> HadoopAuth) mechanism which is proxying the request to HS2 (this fails). >> When we allow Tibco Spotfire setup to allow kerberos delegation to occur to >> HS2 directly without Knox this works. Is this a bug in Knox 0.9 or >> something that has not been supported. I’ve attached the config files which >> are scrubbed of identifying info. Let me know thoughts on this. Have >> performed lots of debug and basically the failing request to knox makes it >> all the way to HS2 but Knox is terminating the requests and causing Hive to >> fail. >> >> >> Error from Hive JDBC driver on SpotFire side this does not occur when >> going directly to HS2 with httpthrift only when going at Knox using Knox’s >> HadoopAuth plugin: >> >> ERROR 2017-02-16T23:59:42,571-0500 [EXAMPLE-CORP\GSS2002, #39, #473] >> api.common.InformationModelServiceCommon: Error retrieving metadata: >> org.apache.http.client.ClientProtocolException >> com.spotfire.ws.api.common.InformationModelWebServiceException: Error >> retrieving metadata: org.apache.http.client.ClientProtocolException >> at com.spotfire.ws.api.common.InformationModelServiceCommon.wra >> pException(InformationModelServiceCommon.java:135) >> at com.spotfire.ws.api.common.InformationModelServiceCommon.wra >> pException(InformationModelServiceCommon.java:69) >> at com.spotfire.ws.api.element.ElementManagerService.listDataSo >> urceElements(ElementManagerService.java:397) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >> ssorImpl.java:62) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >> thodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.apache.cxf.service.invoker.AbstractInvoker.performInvoca >> tion(AbstractInvoker.java:181) >> at org.apache.cxf.service.invoker.AbstractInvoker.invoke( >> AbstractInvoker.java:97) >> at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(Abstr >> actJAXWSMethodInvoker.java:232) >> at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodIn >> voker.java:69) >> at org.apache.cxf.service.invoker.AbstractInvoker.invoke( >> AbstractInvoker.java:75) >> at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run( >> ServiceInvokerInterceptor.java:59) >> at java.util.concurrent.Executors$RunnableAdapter.call( >> Executors.java:511) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at org.apache.cxf.interceptor.ServiceInvokerInterceptor$2.run( >> ServiceInvokerInterceptor.java:126) >> at org.apache.cxf.workqueue.SynchronousExecutor.execute(Synchro >> nousExecutor.java:37) >> at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleM >> essage(ServiceInvokerInterceptor.java:131) >> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase >> InterceptorChain.java:307) >> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(C >> hainInitiationObserver.java:121) >> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke >> (AbstractHTTPDestination.java:254) >> at org.apache.cxf.transport.servlet.ServletController.invokeDes >> tination(ServletController.java:234) >> at org.apache.cxf.transport.servlet.ServletController.invoke( >> ServletController.java:208) >> at org.apache.cxf.transport.servlet.ServletController.invoke( >> ServletController.java:160) >> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke( >> CXFNonSpringServlet.java:180) >> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleR >> equest(AbstractHTTPServlet.java:298) >> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost( >> AbstractHTTPServlet.java:217) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:648) >> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service >> (AbstractHTTPServlet.java:273) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:292) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte >> r.java:52) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.SecurityFilter.doFilter(Securit >> yFilter.java:318) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.CustomAuthFilterWrapper.doFilte >> r(CustomAuthFilterWrapper.java:82) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.CsrfFilter.doFilter(CsrfFilter. >> java:79) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.HttpMethodsFilter.doFilter(Http >> MethodsFilter.java:189) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.headers.HeadersFilter.doFilter( >> HeadersFilter.java:192) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.AccessLogFilter.doFilter(Access >> LogFilter.java:78) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.RequestContextFilter.doFilter(R >> equestContextFilter.java:114) >> at com.spotfire.server.security.RequestContextFilter.doFilter(R >> equestContextFilter.java:80) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at org.apache.catalina.core.StandardWrapperValve.invoke(Standar >> dWrapperValve.java:212) >> at org.apache.catalina.core.StandardContextValve.invoke(Standar >> dContextValve.java:106) >> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(A >> uthenticatorBase.java:502) >> at org.apache.catalina.core.StandardHostValve.invoke(StandardHo >> stValve.java:141) >> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo >> rtValve.java:79) >> at org.apache.catalina.core.StandardEngineValve.invoke(Standard >> EngineValve.java:88) >> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd >> apter.java:509) >> at org.apache.coyote.http11.AbstractHttp11Processor.process(Abs >> tractHttp11Processor.java:1104) >> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler >> .process(AbstractProtocol.java:684) >> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun >> (NioEndpoint.java:1520) >> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run( >> NioEndpoint.java:1476) >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >> Executor.java:1142) >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >> lExecutor.java:617) >> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable. >> run(TaskThread.java:61) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: com.spotfire.ws.im.IMException: Error retrieving metadata: >> org.apache.http.client.ClientProtocolException >> at com.spotfire.ws.im.ds.sql.JDBCDataSourceManager$MetaDataCach >> e.getMetadata(JDBCDataSourceManager.java:1852) >> at com.spotfire.ws.im.ds.sql.JDBCDataSourceManager.getMetadata( >> JDBCDataSourceManager.java:254) >> at com.spotfire.ws.api.element.ElementManagerService.listDataSo >> urceElements(ElementManagerService.java:393) >> ... 89 more >> Caused by: java.sql.SQLException: org.apache.http.client.ClientP >> rotocolException >> at org.apache.hive.jdbc.HiveDatabaseMetaData.getTables(HiveData >> baseMetaData.java:656) >> at com.spotfire.server.util.sql.WrappedDatabaseMetaData.getTabl >> es(WrappedDatabaseMetaData.java:410) >> at com.spotfire.ws.im.ds.sql.BasicJDBCMetadataProvider.getSchem >> as(BasicJDBCMetadataProvider.java:318) >> at com.spotfire.ws.im.ds.sql.BasicJDBCMetadataProvider.getMetad >> ata(BasicJDBCMetadataProvider.java:121) >> at com.spotfire.ws.im.ds.sql.JDBCDataSourceManager$MetaDataCach >> e.getMetadata(JDBCDataSourceManager.java:1842) >> ... 91 more >> Caused by: org.apache.thrift.transport.TTransportException: >> org.apache.http.client.ClientProtocolException >> at org.apache.thrift.transport.THttpClient.flushUsingHttpClient >> (THttpClient.java:297) >> at org.apache.thrift.transport.THttpClient.flush(THttpClient.ja >> va:313) >> at org.apache.thrift.TServiceClient.sendBase(TServiceClient. >> java:73) >> at org.apache.thrift.TServiceClient.sendBase(TServiceClient. >> java:62) >> at org.apache.hive.service.cli.thrift.TCLIService$Client.send_ >> GetTables(TCLIService.java:315) >> at org.apache.hive.service.cli.thrift.TCLIService$Client.GetTab >> les(TCLIService.java:307) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >> ssorImpl.java:62) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >> thodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.apache.hive.jdbc.HiveConnection$SynchronizedHandler. >> invoke(HiveConnection.java:1388) >> at com.sun.proxy.$Proxy146.GetTables(Unknown Source) >> at org.apache.hive.jdbc.HiveDatabaseMetaData.getTables(HiveData >> baseMetaData.java:654) >> ... 95 more >> Caused by: org.apache.http.client.ClientProtocolException >> at org.apache.http.impl.client.InternalHttpClient.doExecute(Int >> ernalHttpClient.java:186) >> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos >> eableHttpClient.java:117) >> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos >> eableHttpClient.java:55) >> at org.apache.thrift.transport.THttpClient.flushUsingHttpClient >> (THttpClient.java:251) >> ... 107 more >> Caused by: org.apache.http.HttpException: The Subject is not set >> at org.apache.hive.jdbc.HttpRequestInterceptorBase.process(Http >> RequestInterceptorBase.java:94) >> at org.apache.http.protocol.ImmutableHttpProcessor.process(Immu >> tableHttpProcessor.java:132) >> at org.apache.http.impl.execchain.ProtocolExec.execute( >> ProtocolExec.java:182) >> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec. >> java:88) >> at org.apache.http.impl.execchain.RedirectExec.execute( >> RedirectExec.java:110) >> at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.e >> xecute(ServiceUnavailableRetryExec.java:84) >> at org.apache.http.impl.client.InternalHttpClient.doExecute(Int >> ernalHttpClient.java:184) >> ... 110 more >> Caused by: org.apache.http.HttpException: The Subject is not set >> at org.apache.hive.jdbc.HttpKerberosRequestInterceptor. >> addHttpAuthHeader(HttpKerberosRequestInterceptor.java:73) >> at org.apache.hive.jdbc.HttpRequestInterceptorBase.process(Http >> RequestInterceptorBase.java:78) >> ... 116 more >> Caused by: java.lang.Exception: The Subject is not set >> at org.apache.hive.service.auth.HttpAuthUtils.getKerberosServic >> eTicket(HttpAuthUtils.java:118) >> at org.apache.hive.jdbc.HttpKerberosRequestInterceptor. >> addHttpAuthHeader(HttpKerberosRequestInterceptor.java:67) >> ... 117 more > > >
