Hi Loic, One possible solution is if hive.server2.enable.doAs is set false in hive-site.xml, you can change it to true and restart HiveServer2. And then try to connect via beeline.
Cheers, On Wed, Sep 9, 2015 at 8:02 AM, Loïc Chanel <loic.cha...@telecomnancy.net> wrote: > Hi guys ! > > Sorry to interrupt but I need to go back to the first reason of this > thread : I can't connect to hive anymore. > I upgraded my cluster to HDP 2.3, and I saw that the way to connect to > Hive via Beeline & Kerberos hasn't changed, but the exact command that > worked before doesn't work anymore. > Instead of connecting, Beeline returns me : > Error: Failed to open new session: java.lang.RuntimeException: > java.lang.RuntimeException: > org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): > User: hive/hiveserverh...@example.com is not allowed to impersonate > testUser (state=,code=0) > > The logs are not more explicit, as there is an exception with the same > conclusion : Caused by: > org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): > User: hive/hiveserverh...@example.com is not allowed to impersonate > testUser > > Do any of you have an idea about where this could come from ? > > > > Loïc CHANEL > Engineering student at TELECOM Nancy > Trainee at Worldline - Villeurbanne > > 2015-08-31 13:51 GMT+02:00 Lars Francke <lars.fran...@gmail.com>: > >> That said, +1 to adding a check that we are using kerberos and skipping >>> the prompt if we are. I think we probably don't even need to parse the URL >>> to detect that. Just checking on the auth type property( >>> hive.server2.authentication) is KERBEROS or not should do the trick. >>> >> >> I have not looked into this at all but Beeline being a generic client >> does it even use that property? I mean I could connect to any server, >> right? Will try to take a look. >> >> >>> [1] >>> https://github.com/apache/hive/blob/3991dba30c5068cac296f32e24e97cf87efa266c/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java#L450-L455 >>> >>> On Wed, Aug 26, 2015 at 5:40 PM, Lars Francke <lars.fran...@gmail.com> >>> wrote: >>> >>>> >>>> On Wed, Aug 26, 2015 at 4:53 PM, kulkarni.swar...@gmail.com < >>>> kulkarni.swar...@gmail.com> wrote: >>>> >>>>> > my understanding is that after using kerberos authentication, you >>>>> probably don’t need the password. >>>>> >>>>> That is not an accurate statement. Beeline is a JDBC client as >>>>> compared to Hive CLI which is a thrift client to talk to HIveServer2. So >>>>> it >>>>> would need the password to establish that JDBC connection. If you look at >>>>> the beeline console code[1], it actually first tries to read the >>>>> "javax.jdo.option.ConnectionUserName" and >>>>> "javax.jdo.option.ConnectionPassword" property which is the same username >>>>> and password that you have setup your backing metastore DB with. If it is >>>>> MySWL, it would be the password you set MySQL with or empty if you >>>>> haven't(or are using derby). Kerberos is merely a tool for you to >>>>> authenticate yourself so that you cannot impersonate yourself as someone >>>>> else. >>>>> >>>> >>>> I don't think what you're saying is accurate. >>>> >>>> 1) Hive CLI does not talk to HiveServer2 >>>> >>>> 2) Beeline talks to HiveServer2 and needs some way to authenticate >>>> itself depending on the configuration of HS2. >>>> >>>> HS2 can be configured to authenticate in one of these ways if I'm up to >>>> date: >>>> >>>> * NOSASL: no password needed >>>> * KERBEROS (SASL): no password needed >>>> * NONE (SASL) using the AnonymousAuthenticationProviderImpl: no >>>> password needed >>>> * LDAP (SASL) using the LdapAuthenticationProviderImpl: username and >>>> password required >>>> * PAM (SASL) using the PamAuthenticationProviderImpl: username and >>>> password required >>>> * CUSTOM (SASL) using the CustomAuthenticationProviderImpl: username >>>> and password required >>>> >>>> By tar the most common configurations are NONE (default I think) and >>>> KERBEROS. Both don't need a username and password provided so it does not >>>> make sense to ask for one every time. >>>> >>>> The only good reason I can think of to ask for a password is so that it >>>> doesn't appear in a shell/beeline history and/or on screen. I'm sure there >>>> are others? >>>> The username can be safely provided in the URL if needed so I don't >>>> think asking for that every time is reasonable either. >>>> >>>> What would be a good way to deal with this? I'm tempted to just rip out >>>> those prompts. The other option would be to parse the connection URL and >>>> check whether it's the Kerberos mode. >>>> >>>>> >>>>> [1] >>>>> https://github.com/apache/hive/blob/3991dba30c5068cac296f32e24e97cf87efa266c/beeline/src/java/org/apache/hive/beeline/Commands.java#L1117-L1125 >>>>> >>>>> On Wed, Aug 26, 2015 at 10:13 AM, Loïc Chanel < >>>>> loic.cha...@telecomnancy.net> wrote: >>>>> >>>>>> Here it is : https://issues.apache.org/jira/browse/HIVE-11653 >>>>>> >>>>>> Loïc CHANEL >>>>>> Engineering student at TELECOM Nancy >>>>>> Trainee at Worldline - Villeurbanne >>>>>> >>>>>> 2015-08-25 23:10 GMT+02:00 Sergey Shelukhin <ser...@hortonworks.com>: >>>>>> >>>>>>> Sure! >>>>>>> >>>>>>> From: Loïc Chanel <loic.cha...@telecomnancy.net> >>>>>>> Reply-To: "user@hive.apache.org" <user@hive.apache.org> >>>>>>> Date: Tuesday, August 25, 2015 at 00:23 >>>>>>> >>>>>>> To: "user@hive.apache.org" <user@hive.apache.org> >>>>>>> Subject: Re: HiveServer2 & Kerberos >>>>>>> >>>>>>> It is the case. >>>>>>> Would you like me to fill a JIRA about it ? >>>>>>> >>>>>>> Loïc CHANEL >>>>>>> Engineering student at TELECOM Nancy >>>>>>> Trainee at Worldline - Villeurbanne >>>>>>> >>>>>>> 2015-08-24 19:24 GMT+02:00 Sergey Shelukhin <ser...@hortonworks.com> >>>>>>> : >>>>>>> >>>>>>>> If that is the case it sounds like a bug… >>>>>>>> >>>>>>>> From: Jary Du <jary...@gmail.com> >>>>>>>> Reply-To: "user@hive.apache.org" <user@hive.apache.org> >>>>>>>> Date: Thursday, August 20, 2015 at 08:56 >>>>>>>> To: "user@hive.apache.org" <user@hive.apache.org> >>>>>>>> Subject: Re: HiveServer2 & Kerberos >>>>>>>> >>>>>>>> My understanding is that it will always ask you user/password even >>>>>>>> though you don’t need them. It is just the way how hive is setup. >>>>>>>> >>>>>>>> On Aug 20, 2015, at 8:28 AM, Loïc Chanel < >>>>>>>> loic.cha...@telecomnancy.net> wrote: >>>>>>>> >>>>>>>> !connect jdbc:hive2:// >>>>>>>> 192.168.6.210:10000/db;principal=hive/hiveh...@westeros.wl >>>>>>>> org.apache.hive.jdbc.HiveDriver >>>>>>>> scan complete in 13ms >>>>>>>> Connecting to jdbc:hive2:// >>>>>>>> 192.168.6.210:10000/db;principal=hive/hiveh...@westeros.wl >>>>>>>> Enter password for jdbc:hive2:// >>>>>>>> 192.168.6.210:10000/chaneldb;principal=hive/hiveh...@westeros.wl: >>>>>>>> >>>>>>>> And if I press enter everything works perfectly, because I am using >>>>>>>> Kerberos authentication, that's actually why I was asking what is Hive >>>>>>>> asking for, because in my case, it seems that I shouldn't be asked for >>>>>>>> a >>>>>>>> password when connecting. >>>>>>>> >>>>>>>> Loïc CHANEL >>>>>>>> Engineering student at TELECOM Nancy >>>>>>>> Trainee at Worldline - Villeurbanne >>>>>>>> >>>>>>>> 2015-08-20 17:06 GMT+02:00 Jary Du <jary...@gmail.com>: >>>>>>>> >>>>>>>>> How does Beeline ask you? What happens if you just press enter? >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Aug 20, 2015, at 12:15 AM, Loïc Chanel < >>>>>>>>> loic.cha...@telecomnancy.net> wrote: >>>>>>>>> >>>>>>>>> Indeed, I don't need the password, but why is Beeline asking me >>>>>>>>> for one ? To what does it correspond ? >>>>>>>>> >>>>>>>>> Thanks again, >>>>>>>>> >>>>>>>>> >>>>>>>>> Loïc >>>>>>>>> >>>>>>>>> Loïc CHANEL >>>>>>>>> Engineering student at TELECOM Nancy >>>>>>>>> Trainee at Worldline - Villeurbanne >>>>>>>>> >>>>>>>>> 2015-08-19 18:22 GMT+02:00 Jary Du <jary...@gmail.com>: >>>>>>>>> >>>>>>>>>> Correct me if I am wrong, my understanding is that after using >>>>>>>>>> kerberos authentication, you probably don’t need the password. >>>>>>>>>> >>>>>>>>>> Hope it helps >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> Jary >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Aug 19, 2015, at 9:09 AM, Loïc Chanel < >>>>>>>>>> loic.cha...@telecomnancy.net> wrote: >>>>>>>>>> >>>>>>>>>> By the way, thanks a lot for your help, because your solution >>>>>>>>>> works, but I'm still interested in knowing what is the password I >>>>>>>>>> did not >>>>>>>>>> enter. >>>>>>>>>> >>>>>>>>>> Thanks again, >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Loïc >>>>>>>>>> >>>>>>>>>> Loïc CHANEL >>>>>>>>>> Engineering student at TELECOM Nancy >>>>>>>>>> Trainee at Worldline - Villeurbanne >>>>>>>>>> >>>>>>>>>> 2015-08-19 18:07 GMT+02:00 Loïc Chanel < >>>>>>>>>> loic.cha...@telecomnancy.net>: >>>>>>>>>> >>>>>>>>>>> All right, but then, what is the password hive asks for ? Hive's >>>>>>>>>>> one ? How do I know its value ? >>>>>>>>>>> >>>>>>>>>>> Loïc CHANEL >>>>>>>>>>> Engineering student at TELECOM Nancy >>>>>>>>>>> Trainee at Worldline - Villeurbanne >>>>>>>>>>> >>>>>>>>>>> 2015-08-19 17:51 GMT+02:00 Jary Du <jary...@gmail.com>: >>>>>>>>>>> >>>>>>>>>>>> For Beeline connection string, it should be "!connect >>>>>>>>>>>> jdbc:hive2://<host>:<port>/<db>;principal=<Server_Principal_of_HiveServer2>”. >>>>>>>>>>>> Please >>>>>>>>>>>> make sure it is the hive’s principal, not the user’s. And when you >>>>>>>>>>>> kinit, >>>>>>>>>>>> it should be kinit user’s keytab, not the hive’s keytab. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On Aug 19, 2015, at 8:46 AM, Loïc Chanel < >>>>>>>>>>>> loic.cha...@telecomnancy.net> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Yeah, I forgot to mention it, but each time I did a kinit >>>>>>>>>>>> user/hive before launching beeline, as I read somewhere that >>>>>>>>>>>> Beeline does >>>>>>>>>>>> not handle Kerberos connection. >>>>>>>>>>>> >>>>>>>>>>>> So, as I can make klist before launching beeline and having a >>>>>>>>>>>> good result, the problem does not come from this. Thanks a lot for >>>>>>>>>>>> your >>>>>>>>>>>> response though. >>>>>>>>>>>> Do you have another idea ? >>>>>>>>>>>> >>>>>>>>>>>> Loïc CHANEL >>>>>>>>>>>> Engineering student at TELECOM Nancy >>>>>>>>>>>> Trainee at Worldline - Villeurbanne >>>>>>>>>>>> >>>>>>>>>>>> 2015-08-19 17:42 GMT+02:00 Jary Du <jary...@gmail.com>: >>>>>>>>>>>> >>>>>>>>>>>>> "The Beeline client must have a valid Kerberos ticket in the >>>>>>>>>>>>> ticket cache before attempting to connect." ( >>>>>>>>>>>>> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.1.3/bk_dataintegration/content/ch_using-hive-clients-examples.html >>>>>>>>>>>>> ) >>>>>>>>>>>>> >>>>>>>>>>>>> So you need kinit first to have the valid Kerberos ticket int >>>>>>>>>>>>> the ticket cache before using beeline to connect to HS2. >>>>>>>>>>>>> >>>>>>>>>>>>> Jary >>>>>>>>>>>>> >>>>>>>>>>>>> On Aug 19, 2015, at 8:36 AM, Loïc Chanel < >>>>>>>>>>>>> loic.cha...@telecomnancy.net> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> Hi again, >>>>>>>>>>>>> >>>>>>>>>>>>> As I searched another way to make some requests with Kerberos >>>>>>>>>>>>> enabled for security on HiveServer, I found that this request >>>>>>>>>>>>> should do the >>>>>>>>>>>>> same : >>>>>>>>>>>>> !connect jdbc:hive2:// >>>>>>>>>>>>> 192.168.6.210:10000/default;principal=user/h...@westeros.wl >>>>>>>>>>>>> org.apache.hive.jdbc.HiveDriver >>>>>>>>>>>>> But now I've got another error : >>>>>>>>>>>>> Error: Could not open client transport with JDBC Uri: >>>>>>>>>>>>> jdbc:hive2:// >>>>>>>>>>>>> 192.168.6.210:10000/default;principal=user/h...@westeros.wl: >>>>>>>>>>>>> Peer indicated failure: GSS initiate failed (state=08S01,code=0) >>>>>>>>>>>>> >>>>>>>>>>>>> As I saw that it was maybe a simple Kerberos ticket related >>>>>>>>>>>>> problem, I tried to re-generate Kerberos keytabs, and to ensure >>>>>>>>>>>>> that Hive >>>>>>>>>>>>> has the path to access to its keytab, but nothing changed. >>>>>>>>>>>>> >>>>>>>>>>>>> Does anyone has an idea about how to solve this issue ? >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks in advance for your help :) >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Loïc >>>>>>>>>>>>> >>>>>>>>>>>>> Loïc CHANEL >>>>>>>>>>>>> Engineering student at TELECOM Nancy >>>>>>>>>>>>> Trainee at Worldline - Villeurbanne >>>>>>>>>>>>> >>>>>>>>>>>>> 2015-08-19 12:01 GMT+02:00 Loïc Chanel < >>>>>>>>>>>>> loic.cha...@telecomnancy.net>: >>>>>>>>>>>>> >>>>>>>>>>>>>> Hi all, >>>>>>>>>>>>>> >>>>>>>>>>>>>> I have a little issue with HiveServer2 since I have enabled >>>>>>>>>>>>>> Kerberos. I'm unable to connect to the service via Beeline. When >>>>>>>>>>>>>> doing >>>>>>>>>>>>>> !connect jdbc:hive2://192.168.6.210:10000 hive hive >>>>>>>>>>>>>> org.apache.hive.jdbc.HiveDriver >>>>>>>>>>>>>> I keep receiving the same error : >>>>>>>>>>>>>> Error: Could not open client transport with JDBC Uri: >>>>>>>>>>>>>> jdbc:hive2://192.168.6.210:10000: Peer indicated failure: >>>>>>>>>>>>>> Unsupported mechanism type PLAIN (state=08S01,code=0) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Does anyone had the same problem ? Or know how to solve it ? >>>>>>>>>>>>>> Thanks in advance, >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Loïc >>>>>>>>>>>>>> >>>>>>>>>>>>>> Loïc CHANEL >>>>>>>>>>>>>> Engineering student at TELECOM Nancy >>>>>>>>>>>>>> Trainee at Worldline - Villeurbanne >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> Swarnim >>>>> >>>> >>>> >>> >>> >>> -- >>> Swarnim >>> >> >> > -- Takahiko Saito