[ https://issues.apache.org/jira/browse/LIVY-692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16945162#comment-16945162 ]
Wing Yew Poon commented on LIVY-692: ------------------------------------ With my change, I am able to connect to the Thrift server from beeline (both with the same configuration and JDBC URL as described above) and run queries. > Thrift server Kerberos authentication does not use configured principal > ----------------------------------------------------------------------- > > Key: LIVY-692 > URL: https://issues.apache.org/jira/browse/LIVY-692 > Project: Livy > Issue Type: Bug > Components: Thriftserver > Affects Versions: 0.6.0 > Reporter: Wing Yew Poon > Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > I tried to use the Thrift server in Livy 0.6. I have a secure cluster, and I > set > {noformat} > livy.server.thrift.authentication=KERBEROS > {noformat} > on the server side. I also have livy.server.auth.kerberos.keytab and > livy.server.auth.kerberos.principal configured. In particular, in my system, > I have > {noformat} > livy.server.auth.kerberos.principal=HTTP/<livy_server>@<REALM> > {noformat} > When I try to connect to the Thrift server using the beeline shipped with > Hive, with > {noformat} > beeline -u > 'jdbc:hive2://<livy_server>:<thrift_port>/<db>;principal=HTTP/<livy_server>@<REALM>' > {noformat} > it fails with > {noformat} > Error: Could not open client transport with JDBC Uri: ... :: Peer indicated > failure: GSS initiate failed (state=08S01,code=0) > {noformat} > On the server side, the log shows > {noformat} > 2019-10-03 15:21:09,536 ERROR org.apache.thrift.transport.TSaslTransport: > SASL negotiation failure > javax.security.sasl.SaslException: GSS initiate failed [Caused by > GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid > argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES3 > CBC mode with SHA1-KD)] > at > com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:199) > at > org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539) > at > org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283) > at > org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) > at > org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) > at > org.apache.livy.thriftserver.auth.TUGIAssumingTransportFactory$$anon$1.run(AuthBridgeServer.scala:143) > at > org.apache.livy.thriftserver.auth.TUGIAssumingTransportFactory$$anon$1.run(AuthBridgeServer.scala:142) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:360) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1710) > at > org.apache.livy.thriftserver.auth.TUGIAssumingTransportFactory.getTransport(AuthBridgeServer.scala:142) > at > org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at java.lang.Thread.run(Thread.java:748) > Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism > level: Invalid argument (400) - Cannot find key of appropriate type to > decrypt AP REP - DES3 CBC mode with SHA1-KD) > at > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856) > at > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) > at > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) > at > com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167) > ... 14 more > Caused by: KrbException: Invalid argument (400) - Cannot find key of > appropriate type to decrypt AP REP - DES3 CBC mode with SHA1-KD > at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278) > at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149) > at > sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) > at > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) > ... 17 more > {noformat} > On debugging, I found that the UGI in the TUGIAssumingTransportFactory is not > that of the configured HTTP principal but the UGI of the service principal > (livy). -- This message was sent by Atlassian Jira (v8.3.4#803005)