[ 
https://issues.apache.org/jira/browse/AMBARI-19642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15831291#comment-15831291
 ] 

Sumit Mohanty commented on AMBARI-19642:
----------------------------------------

When LDAP is selected as the Hiveserver2 Authentication mechanism then the 
alert should switch to using username and password.

Introduce two new parameters for Hiveserver2 {{health_check_user}} and 
{{health_check_user_password}}. The default value for the user name should be 
the ambari service check user (namely ambari-qa). Default value for the 
password will be empty. Neither property should be required. If the 
authentication mechanism is selected as LDAP then stack advisor should warn 
(during validation) that valid username and password should be supplied that 
can authenticate using LDAP and this credential will be used by the Hive 
Alerts. Do not fail if they are not supplied.

*Modification to the alert*

The alert currently uses the following command:
{code}
! beeline -u 'jdbc:hive2://ctr-e101-1484344556054-0266-01-000003.hwx.site:10000/;transportMode=binary;principal=hive/_h...@example.com' -e '' 2>&1| awk '{print}'|grep -i -e 'Connection refused' -e 'Invalid URL'
{code}

When LDAP is enabled (independent of whether Kerberos is enabled or not), it 
should be modified to

{code}
! beeline -u 'jdbc:hive2://ctr-e101-1484344556054-0266-01-000003.hwx.site:10000/;transportMode=binary' -n hrt_qa -p pwd -e '' 2>&1| awk '{print}'|grep -i -e 'Connection refused' -e 'Invalid URL'
{code}
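The following is an added example, not Ambari's own alert or stack-advisor code, showing the behaviour the comment above describes: the alert picks its beeline command from {{hive.server2.authentication}} (LDAP takes precedence and adds {{-n}}/{{-p}}, Kerberos keeps the principal in the JDBC URL), the user defaults to ambari-qa when {{health_check_user}} is unset, and a stack-advisor style validation emits a warning rather than an error when LDAP is selected and no password is supplied. The property names {{health_check_user}} and {{health_check_user_password}} come from the comment; the dictionary layout, function names and warning text are assumptions.

```python
"""Added example (not Ambari's own code): how the HiveServer2 alert could pick
its beeline command from the authentication mode, and how a stack-advisor
validation could warn about missing LDAP credentials without failing.
The names health_check_user / health_check_user_password come from the
comment above; the dict layout, function names and messages are assumptions."""
import shlex

DEFAULT_HEALTH_CHECK_USER = "ambari-qa"  # Ambari service-check user
# Only connectivity failures trip the alert, mirroring the grep in the command.
CONNECTIVITY_ERRORS = ("connection refused", "invalid url")


def build_beeline_check_command(hive_site, hive_env, host, port=10000):
    """Return the beeline argv list the alert would run against host:port.

    LDAP takes precedence over Kerberos: with LDAP the alert passes -n/-p,
    with Kerberos it adds the service principal to the JDBC URL, and with
    NONE it connects without credentials.
    """
    auth = hive_site.get("hive.server2.authentication", "NONE").upper()
    transport = hive_site.get("hive.server2.transport.mode", "binary")
    url = "jdbc:hive2://%s:%d/;transportMode=%s" % (host, port, transport)
    extra = []
    if auth == "LDAP":
        user = hive_env.get("health_check_user") or DEFAULT_HEALTH_CHECK_USER
        password = hive_env.get("health_check_user_password", "")
        extra = ["-n", user, "-p", password]
    elif auth == "KERBEROS":
        principal = hive_site["hive.server2.authentication.kerberos.principal"]
        url += ";principal=" + principal
    return ["beeline", "-u", url] + extra + ["-e", ""]


def render_shell(argv):
    """Quote argv for the '! <command>' form used in the alert definition."""
    return "! " + " ".join(shlex.quote(a) for a in argv)


def validate_hive_env(hive_site, hive_env):
    """Stack-advisor style check: returns WARN items only, never an ERROR,
    so a missing password does not block the configuration from saving."""
    items = []
    if hive_site.get("hive.server2.authentication", "NONE").upper() != "LDAP":
        return items
    if not hive_env.get("health_check_user_password"):
        items.append({
            "config-name": "health_check_user_password",
            "level": "WARN",
            "message": "LDAP is enabled for HiveServer2; supply a username and "
                       "password that can authenticate via LDAP, or the Hive "
                       "alerts will fail to log in and fill the HS2 log.",
        })
    return items


def classify_beeline_output(output):
    """Alert status from beeline's combined stdout/stderr, mirroring the grep:
    an authentication failure is reported as OK because the check only looks
    for connectivity errors."""
    lowered = output.lower()
    return "CRITICAL" if any(e in lowered for e in CONNECTIVITY_ERRORS) else "OK"


if __name__ == "__main__":
    # Constructed sample configuration: LDAP selected, password left empty.
    site = {"hive.server2.authentication": "LDAP"}
    env = {"health_check_user": "hrt_qa", "health_check_user_password": ""}
    print(render_shell(build_beeline_check_command(site, env, "hs2.example.com")))
    for w in validate_hive_env(site, env):
        print("%s: %s" % (w["level"], w["message"]))
```

Two points worth keeping in mind when wiring this into a real alert: a password passed with {{-p}} is visible to anyone who can list processes on the host while beeline runs, and Beeline also accepts the password from a file via {{-w}}/{{--password-file}}; and because the grep only matches connectivity errors, an LDAP authentication failure still leaves the alert OK while the HS2 log keeps filling up, which is exactly the symptom this issue reports.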

> Error during Alert: Unable to authenticate through LDAP for Hiveserver2 (also 
> floods HS2 log with error messages)
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-19642
>                 URL: https://issues.apache.org/jira/browse/AMBARI-19642
>             Project: Ambari
>          Issue Type: Bug
>          Components: stacks
>    Affects Versions: 2.5.0
>            Reporter: Sumit Mohanty
>            Assignee: Sumit Mohanty
>            Priority: Critical
>             Fix For: 2.5.0
>
>
> Ambari Alert can't authenticate through LDAP for HiveServer2 using the 
> ambari-qa user because there is nowhere to set the ambari-qa password.
> {code}
> javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
> at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
> at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:509)
> at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:264)
> at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
> at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
> at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:744)
> Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
> at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:70)
> at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
> at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:102)
> ... 8 more
> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
> at javax.naming.InitialContext.init(InitialContext.java:242)
> at javax.naming.InitialContext.<init>(InitialContext.java:216)
> at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
> at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:67)
> ... 10 more
> 2014-12-29 00:00:12,532 ERROR server.TThreadPoolServer (TThreadPoolServer.java:run(215)) - Error occurred during processing of message.
> java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Error validating the login
> at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
> at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:744)
> Caused by: org.apache.thrift.transport.TTransportException: Error validating the login
> at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
> at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
> at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
> at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
> ... 4 more
> {code}
> *LDAP doesn't accept blank passwords*
> It is expected that the ambari-qa user is able to authenticate through LDAP for 
> HiveServer2.
> ANALYSIS:
> 1) We found when hive.server2.authentication=LDAP, the HiveServer2 log will 
> show the LDAP error once Alert is turned on. 
> 2) Alert uses check_tcp_wrapper_sasl!10000!LDAP!! 
> 3) When hive.server2.authentication=NONE, we don't get the Alert LDAP error 
> for HiveServer2. 
> or 
> 1) If we run "beeline" and "!connect jdbc:hive2://<hiveserver2_server>:10000 
> -n ambari-qa", we will get the LDAP error too.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)