Vihang Karajgaonkar created HIVE-14372: ------------------------------------------
Summary: Odd behavior with Beeline parsing server principal in Kerberized environment Key: HIVE-14372 URL: https://issues.apache.org/jira/browse/HIVE-14372 Project: Hive Issue Type: Bug Components: Beeline Reporter: Vihang Karajgaonkar Case 1: I can replace the realm with any garbage realm, and it still works. {code} [root@c62-n3 ~]# beeline Beeline version 0.10.0-cdh4.2.0 by Apache Hive beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.t...@abc.xyz scan complete in 4ms Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.t...@abc.xyz Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.t...@abc.xyz: Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit.t...@abc.xyz: Connected to: Hive (version 0.10.0) Driver: Hive (version 0.10.0-cdh4.2.0) Transaction isolation: TRANSACTION_REPEATABLE_READ 0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables; ----------- tab_name ----------- t1 t2 test ----------- 3 rows selected (1.749 seconds) 0: jdbc:hive2://c62-n3.intuit.test:10000/> {code} Case 2: I can keep the garbage realm, but if I use a different hostname (notice I've truncated it to c62-n3.intuit instead of c62-n3.intuit.test), it fails (as it should) but the error message is not at all user-friendly. {code} [root@c62-n3 ~]# beeline Beeline version 0.10.0-cdh4.2.0 by Apache Hive beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC scan complete in 4ms Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC: Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC: 13/06/10 08:34:29 ERROR transport.TSaslTransport: SASL negotiation failure javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)] at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194) at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94) at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253) at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37) at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52) at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:396) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408) at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49) at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156) at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96) at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104) at java.sql.DriverManager.getConnection(DriverManager.java:582) at java.sql.DriverManager.getConnection(DriverManager.java:185) at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152) at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193) at org.apache.hive.beeline.Commands.connect(Commands.java:965) at org.apache.hive.beeline.Commands.connect(Commands.java:896) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66) at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755) at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631) at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380) at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.hadoop.util.RunJar.main(RunJar.java:208) Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER) at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162) at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175) ... 32 more Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64) at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185) at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294) at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106) at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557) at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594) ... 35 more Caused by: KrbException: Identifier doesn't match expected value (906) at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133) at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58) at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53) at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46) ... 40 more org.apache.thrift.transport.TTransportException: GSS initiate failed at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221) at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297) at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37) at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52) at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:396) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1408) at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49) at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156) at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96) at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104) at java.sql.DriverManager.getConnection(DriverManager.java:582) at java.sql.DriverManager.getConnection(DriverManager.java:185) at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:152) at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:193) at org.apache.hive.beeline.Commands.connect(Commands.java:965) at org.apache.hive.beeline.Commands.connect(Commands.java:896) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:66) at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:755) at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:631) at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:380) at org.apache.hive.beeline.BeeLine.main(BeeLine.java:364) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.hadoop.util.RunJar.main(RunJar.java:208) Error: Invalid URL: jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3.intuit@ABC (state=08S01,code=0) {code} Case 3: If I truncate the hostname portion of the principal to the shortname (hive/c62-n3), it works. This should fail, since the principal 'hive/c62-n3' does not exist. {code} [root@c62-n3 ~]# beeline Beeline version 0.10.0-cdh4.2.0 by Apache Hive beeline> !connect jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC scan complete in 3ms Connecting to jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC Enter username for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC: Enter password for jdbc:hive2://c62-n3.intuit.test:10000/;principal=hive/c62-n3@ABC: Connected to: Hive (version 0.10.0) Driver: Hive (version 0.10.0-cdh4.2.0) Transaction isolation: TRANSACTION_REPEATABLE_READ 0: jdbc:hive2://c62-n3.intuit.test:10000/> show tables; ----------- tab_name ----------- t1 t2 test ----------- 3 rows selected (1.553 seconds) 0: jdbc:hive2://c62-n3.intuit.test:10000/> {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)