[jira] [Commented] (ATLAS-381) HiveMetaStoreBridge will not connect to a kerberized hive metastore

Thu, 17 Dec 2015 08:46:39 -0800 

    [ 
https://issues.apache.org/jira/browse/ATLAS-381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15062310#comment-15062310
 ] 

Tom Beerbower commented on ATLAS-381:
-------------------------------------

[~dossett],

I think the simple JAAS authentication is fine but you shouldn't have to modify 
HiveMetaStoreBridge if you are running import-hive.sh.  Something like this 
should work ...

{code}
/usr/hdp/current/atlas-server/bin/import-hive.sh -Dsun.security.jgss.debug=true 
-Djavax.security.auth.useSubjectCredsOnly=false 
-Djava.security.krb5.conf=/etc/krb5.conf 
-Djava.security.auth.login.config=/jaas.conf
{code}

Also, I don't know if you encountered this but I had to add the 
{{atlas.rest.address}} property to the client.properties in /etc/hive/conf/...  

{code}
atlas.rest.address=http://c6401.ambari.apache.org:21000/
{code}

Otherwise the HiveMetaStoreBridge defaults to {{http://localhost:21000/}} and I 
end up with ...

{code}
Exception in thread "main" com.sun.jersey.api.client.ClientHandlerException: 
java.io.IOException: 
org.apache.hadoop.security.authentication.client.AuthenticationException: 
GSSException: No valid credentials provided (Mechanism level: Server not found 
in Kerberos database (7) - UNKNOWN_SERVER)
        at 
com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:155)
        at com.sun.jersey.api.client.Client.handle(Client.java:652)
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at 
com.sun.jersey.api.client.WebResource$Builder.method(WebResource.java:634)
        at 
org.apache.atlas.AtlasClient.callAPIWithResource(AtlasClient.java:584)
        at 
org.apache.atlas.AtlasClient.callAPIWithResource(AtlasClient.java:579)
        at org.apache.atlas.AtlasClient.getType(AtlasClient.java:257)
        at 
org.apache.atlas.hive.bridge.HiveMetaStoreBridge.registerHiveDataModel(HiveMetaStoreBridge.java:488)
        at 
org.apache.atlas.hive.bridge.HiveMetaStoreBridge.main(HiveMetaStoreBridge.java:504)
{code}

Could you try again passing the security configs on the command line when you 
run hive-import.sh?  Thanks.



> HiveMetaStoreBridge will not connect to a kerberized hive metastore
> -------------------------------------------------------------------
>
>                 Key: ATLAS-381
>                 URL: https://issues.apache.org/jira/browse/ATLAS-381
>             Project: Atlas
>          Issue Type: Bug
>    Affects Versions: 0.6-incubating
>            Reporter: Aaron Dossett
>            Assignee: Aaron Dossett
>
> Running the HiveMetaStoreBridge on a kerberized cluster gives the error 
> below, because it does not do any authentication for kerberos.
> 2015-12-09 13:07:37,880 ERROR - [main:] ~ SASL negotiation failure 
> (TSaslTransport:315)
> javax.security.sasl.SaslException: GSS initiate failed [Caused by 
> GSSException: No valid credentials provided (Mechanism level: Failed to find 
> any Kerberos tgt)]
>         at 
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>         at 
> org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
>         at 
> org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
>         at 
> org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
>         at 
> org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
>         at 
> org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:415)
>         at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
>         at 
> org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
>         at 
> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:420)
>         at 
> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:236)
>         at 
> org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient.<init>(SessionHiveMetaStoreClient.java:74)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native 
> Method)
>         at 
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>         at 
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
>         at 
> org.apache.hadoop.hive.metastore.MetaStoreUtils.newInstance(MetaStoreUtils.java:1521)
>         at 
> org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.<init>(RetryingMetaStoreClient.java:86)
>         at 
> org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:132)
>         at 
> org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:104)
>         at 
> org.apache.hadoop.hive.ql.metadata.Hive.createMetaStoreClient(Hive.java:3005)
>         at org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:3024)
>         at 
> org.apache.hadoop.hive.ql.metadata.Hive.getAllDatabases(Hive.java:1234)
>         at 
> org.apache.hadoop.hive.ql.metadata.Hive.reloadFunctions(Hive.java:174)
>         at org.apache.hadoop.hive.ql.metadata.Hive.<clinit>(Hive.java:166)
>         at 
> org.apache.atlas.hive.bridge.HiveMetaStoreBridge.<init>(HiveMetaStoreBridge.java:80)
>         at 
> org.apache.atlas.hive.bridge.HiveMetaStoreBridge.<init>(HiveMetaStoreBridge.java:70)
>         at 
> org.apache.atlas.hive.bridge.HiveMetaStoreBridge.main(HiveMetaStoreBridge.java:494)
> Caused by: GSSException: No valid credentials provided (Mechanism level: 
> Failed to find any Kerberos tgt)
>         at 
> sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
>         at 
> sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
>         at 
> sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
>         at 
> sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
>         at 
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
>         at 
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
>         at 
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
>         ... 28 more



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to