[jira] [Updated] (HIVE-29615) Hive Metastore fails to connect to NameNode due to SASL hadoop.rpc.protection mismatch (Client: authentication vs Server: privacy)

Fri, 15 May 2026 12:00:20 -0700 


     [ 
https://issues.apache.org/jira/browse/HIVE-29615?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated HIVE-29615:
----------------------------------
    Labels: pull-request-available  (was: )

> Hive Metastore fails to connect to NameNode due to SASL hadoop.rpc.protection 
> mismatch (Client: authentication vs Server: privacy)
> ----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-29615
>                 URL: https://issues.apache.org/jira/browse/HIVE-29615
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore, Security, Standalone Metastore
>            Reporter: Venugopal Reddy K
>            Assignee: Venugopal Reddy K
>            Priority: Major
>              Labels: pull-request-available
>
> *[Description]*
> The Hive Metastore cannot establish an RPC connection to the HDFS NameNode. 
> The connection is dropped during the Kerberos SASL handshake because of 
> conflicting Quality of Protection (QOP) configurations between the client and 
> the server.
> *HDFS NameNode (Server):* Configured with {{hadoop.rpc.protection = privacy}} 
> (requires encrypted traffic).
> *Hive Metastore (Client):* When {{hadoop.rpc.protection configuration is  
> detected, it overrides it with authentication}} (only validates identity).
> As a result, SASL layer throws {{SaslException: No common protection layer 
> between client and server}} because the client refuses to encrypt traffic, 
> while the server mandates it.
> {code:java}
> 2026-05-14 10:35:54,420 ERROR 
> org.apache.hadoop.hive.metastore.utils.MetaStoreUtils: [TThreadPoolServer 
> WorkerProcess-13]: Got exception: javax.security.sasl.SaslException 
> DestHost:destPort mycluster:8020 , LocalHost:localPort 
> mycluster/10.140.114.1:0. Failed on local exception: 
> javax.security.sasl.SaslException: No common protection layer between client 
> and server
> javax.security.sasl.SaslException: DestHost:destPort mycluster:8020 , 
> LocalHost:localPort mycluster/10.140.114.1:0. Failed on local exception: 
> javax.security.sasl.SaslException: No common protection layer between client 
> and server
>    at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1584)
>    at org.apache.hadoop.ipc.Client.call(Client.java:1529) 
>    at org.apache.hadoop.ipc.Client.call(Client.java:1426)
>    at 
> org.apache.hadoop.ipc.ProtobufRpcEngine2$Invoker.invoke(ProtobufRpcEngine2.java:258)
>    at 
> org.apache.hadoop.ipc.ProtobufRpcEngine2$Invoker.invoke(ProtobufRpcEngine2.java:139)
>    at jdk.proxy2.$Proxy34.getFileInfo(Unknown Source)
>    at 
> org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.lambda$getFileInfo$41(ClientNamenodeProtocolTranslatorPB.java:820)
>    at 
> org.apache.hadoop.ipc.internal.ShadedProtobufHelper.ipc(ShadedProtobufHelper.java:160)
>    at 
> org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:820)
>    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>    at 
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>    at 
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>    at java.lang.reflect.Method.invoke(Method.java:568)
>    at 
> org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:437)
>    at 
> org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:170)
>    at 
> org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:162)
>    at 
> org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:100)
>    at 
> org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:366)
>    at jdk.proxy2.$Proxy35.getFileInfo(Unknown Source)
>    at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1776)
>    at 
> org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1838)
>    at 
> org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1835)
>    at 
> org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
>  
>    at 
> org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1850)
>    at org.apache.hadoop.hive.metastore.Warehouse.isDir(Warehouse.java:861) 
> {code}
>  
> {code:java}
> javax.security.sasl.SaslException: No common protection layer between client 
> and server
>    at 
> com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:270)
>  ~[jdk.security.jgss:?]
>    at 
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:203)
>  ~[jdk.security.jgss:?]
>    at 
> org.apache.hadoop.security.SaslRpcClient.saslEvaluateToken(SaslRpcClient.java:489)
>    at 
> org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:431){code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to