[jira] [Created] (HIVE-29615) Hive Metastore fails to connect to NameNode due to SASL hadoop.rpc.protection mismatch (Client: authentication vs Server: privacy)

Venugopal Reddy K (Jira) Thu, 14 May 2026 06:08:07 -0700

Venugopal Reddy K created HIVE-29615:
----------------------------------------


             Summary: Hive Metastore fails to connect to NameNode due to SASL 
hadoop.rpc.protection mismatch (Client: authentication vs Server: privacy)
                 Key: HIVE-29615
                 URL: https://issues.apache.org/jira/browse/HIVE-29615
             Project: Hive
          Issue Type: Bug
          Components: Metastore, Security, Standalone Metastore
            Reporter: Venugopal Reddy K


*[Description]*

The Hive Metastore cannot establish an RPC connection to the HDFS NameNode. The 
connection is dropped during the Kerberos SASL handshake because of conflicting 
Quality of Protection (QOP) configurations between the client and the server.

*HDFS NameNode (Server):* Configured with {{hadoop.rpc.protection = privacy}} 
(requires encrypted traffic).

*Hive Metastore (Client):* When {{hadoop.rpc.protection configuration is  
detected, it overrides it with authentication}} (only validates identity).

As a result, SASL layer throws {{SaslException: No common protection layer 
between client and server}} because the client refuses to encrypt traffic, 
while the server mandates it.

 

 
{code:java}
2026-05-14 10:35:54,420 ERROR 
org.apache.hadoop.hive.metastore.utils.MetaStoreUtils: [TThreadPoolServer 
WorkerProcess-13]: Got exception: javax.security.sasl.SaslException 
DestHost:destPort mycluster:8020 , LocalHost:localPort 
mycluster/10.140.114.1:0. Failed on local exception: 
javax.security.sasl.SaslException: No common protection layer between client 
and server
javax.security.sasl.SaslException: DestHost:destPort mycluster:8020 , 
LocalHost:localPort mycluster/10.140.114.1:0. Failed on local exception: 
javax.security.sasl.SaslException: No common protection layer between client 
and server
   at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1584)
   at org.apache.hadoop.ipc.Client.call(Client.java:1529) 
   at org.apache.hadoop.ipc.Client.call(Client.java:1426)
   at 
org.apache.hadoop.ipc.ProtobufRpcEngine2$Invoker.invoke(ProtobufRpcEngine2.java:258)
   at 
org.apache.hadoop.ipc.ProtobufRpcEngine2$Invoker.invoke(ProtobufRpcEngine2.java:139)
   at jdk.proxy2.$Proxy34.getFileInfo(Unknown Source)
   at 
org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.lambda$getFileInfo$41(ClientNamenodeProtocolTranslatorPB.java:820)
   at 
org.apache.hadoop.ipc.internal.ShadedProtobufHelper.ipc(ShadedProtobufHelper.java:160)
   at 
org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:820)
   at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at 
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
   at 
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:568)
   at 
org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:437)
   at 
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:170)
   at 
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:162)
   at 
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:100)
   at 
org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:366)
   at jdk.proxy2.$Proxy35.getFileInfo(Unknown Source)
   at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1776)
   at 
org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1838)
   at 
org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1835)
   at 
org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
 
   at 
org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1850)
   at org.apache.hadoop.hive.metastore.Warehouse.isDir(Warehouse.java:861) 
{code}
 

 

 
{code:java}
javax.security.sasl.SaslException: No common protection layer between client 
and server
   at 
com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:270)
 ~[jdk.security.jgss:?]
   at 
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:203)
 ~[jdk.security.jgss:?]
   at 
org.apache.hadoop.security.SaslRpcClient.saslEvaluateToken(SaslRpcClient.java:489)
   at 
org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:431){code}
 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (HIVE-29615) Hive Metastore fails to connect to NameNode due to SASL hadoop.rpc.protection mismatch (Client: authentication vs Server: privacy)

Reply via email to