Hi Pat, I’m personally not that familiar with Hive, but for those that are, they will probably need to know what version of NiFi you are using since some bugs have been fixed along the way.
Thanks, Bryan On Wed, Dec 19, 2018 at 4:59 PM Pat White <[email protected]> wrote: > Hi Folks, > > Using kerberos auth in Nifi clusters communicating with hdfs and for hive > access, the ticket life is 24 hours. Hdfs works fine, however we're seeing > issues with hive where the tgt doesn't seem to renew, or fetch a new > ticket, as the 24hr limit approaches. Hence, hive access works fine until > the 24hrs expires and then fails to authenticate. For example, a > SelectHiveQL processor using the Hive Database Connection Pooling Service > will work for 24 hours after a cluster restart but then fail with: > > org.ietf.jgss.GSSException: No valid credentials provided > (Mechanism level: Failed to find any Kerberos tgt) > > Enabled krb debugging, which shows the ticket is found but no renew, or > new fetch attempt, seems to have been made. Krb docs discuss > setting javax.security.auth.useSubjectCredsOnly=false in order to allow the > underlying mechanism to obtain credentials, however the bootstrap.conf > explicitly sets this to 'true', to inhibit JAAS from using any fallback > methods to authenticate. > > Trying an experiment with useSubjectCredsOnly=false but would appreciate > if anyone has some guidance on this, how to get hive's connection pools to > renew tgt or fetch a new ticket ? Thank you. > > patw > > > > -- Sent from Gmail Mobile
