adding more information.
hive.metastore.HiveMetaStoreClientTest is doing the same thing as the codes
above. and the SHELL script works after we got the ticket with the kinit
#!/usr/bin/env bash
>
> export HIVE_LIBS_DIR=lib/
> export JAVA_OPTS='-Xdebug
> -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005'
>
>
> export
> CLASSPATH=.:./hive-0.0.1-SNAPSHOT.jar:./conf/:$HADOOP_HOME/etc/hadoop/
> for i in ${HIVE_LIBS_DIR}/*.jar ; do
> CLASSPATH=$CLASSPATH:$i
> done
> java $JAVA_OPTS -cp $CLASSPATH hive.metastore.HiveMetaStoreClientTest
On Thu, Jul 27, 2017 at 10:25 PM, wenxing zheng <wenxing.zh...@gmail.com>
wrote:
> Hello Shakti
>
> The configurations mentioned in the link above are all OK and we are able
> to connect to Hive from Kylin and Hive CLI. Even we are able to connect to
> meta store in a JAR package but run with classpath setting with
> HIVE_CONF_DIR.
>
> In our web applications, what we are doing is like the codes below:
>
> HiveConf conf=new HiveConf();
>> File f=new File(ConfUtil.getHiveConfDir()+File.separator+"hive-site.
>> xml");
>> if(f.exists()){
>> conf.addResource(f.toURI().toURL());
>> }
>> else{log.error(f.toString()+"nonexist.");}
>> try{
>> client=new HiveMetaStoreClient(conf);
>> }
>> catch(Exception e){log.error("HiveMetaStoreClient exeception:
>> "+e.getMessage());e.printStackTrace();}
>
>
> Note: our web application deployed as a WAR package under the Jetty
> webapps.
>
> Thanks again,
> Wenxing
>
>
> On Thu, Jul 27, 2017 at 8:58 PM, shakti singh Shekhawat <
> shaktisingh.shekhawa...@gmail.com> wrote:
>
>> Hi Wenxing,
>>
>> Some of the changes I can see in hive-site.xml in Kerberized cluster as
>> compared to our non-kerberized one is:
>> hive.metastore.*sasl.enabled* -->
>> *<value>true</value> --This property is false in non-kerberized
>> cluster*
>> hive.server2.authentication --> <value>KERBEROS</value>
>>
>> Adding the below links(please refer as per your distribution) for your
>> reference for all the properties that are needed to be set in hive-site.xml:
>> https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_
>> security/content/kerb-config-hive-site.html
>> https://www.cloudera.com/documentation/enterprise/5-2-x/
>> topics/cdh_sg_hive_metastore_security.html
>>
>> The error you pasted above also points to SASL issue:
>> 2017-07-27 10:29:16,873 ERROR
>> *org.apache.thrift.transport.**TSaslTransport:SASL
>> negotiation failur*e
>> javax.security.sasl.SaslException: GSS initiate failed [Caused by
>> GSSException: No valid credentials provided
>>
>> Please let me know if the above helps in debugging the issue. Also,
>> please let us know in case you are able to connect to Hive from an edge
>> node or through other tools.
>>
>> Thanks,
>> Shakti
>>
>>
>> On Thu, Jul 27, 2017 at 2:04 AM, wenxing zheng <wenxing.zh...@gmail.com>
>> wrote:
>>
>>> In my web application, I am using the HiveMetaStoreClient setting with
>>> kerberized hive-site.xml.
>>>
>>> Any preconditions to met for the HiveMetaStoreClient to work correctly?
>>>
>>> On Thu, Jul 27, 2017 at 2:02 PM, wenxing zheng <wenxing.zh...@gmail.com>
>>> wrote:
>>>
>>>> still didn't determine the root cause. And happened to find a JIRA
>>>> related with my issue: https://issues.cloudera.org/browse/DISTRO-610.
>>>>
>>>>
>>>>
>>>> On Thu, Jul 27, 2017 at 11:41 AM, wenxing zheng <
>>>> wenxing.zh...@gmail.com> wrote:
>>>>
>>>>> Thanks to Shkti. Will have a try immediately.
>>>>>
>>>>> On Thu, Jul 27, 2017 at 11:15 AM, shakti singh Shekhawat <
>>>>> shaktisingh.shekhawa...@gmail.com> wrote:
>>>>>
>>>>>> Hi Wenxing,
>>>>>>
>>>>>> We recently had the same GSS Tgt issue when we moved to a Kerberized
>>>>>> cluster. The solution that worked for us was "Create a file to define
>>>>>> Java
>>>>>> krb5login and name it as jaas.conf or jaas.java". Jaas authentication
>>>>>> makes
>>>>>> Java applications independent of underlying authentication technology.
>>>>>>
>>>>>> Please refer the below link from Oracle (or search for "How to add
>>>>>> jaas configuration" in Google to see the 1st link in case the below link
>>>>>> does not work) for your application.
>>>>>> http://docs.oracle.com/javase/7/docs/technotes/guides/securi
>>>>>> ty/jgss/tutorials/LoginConfigFile.html
>>>>>>
>>>>>> Thanks,
>>>>>> Shakti Singh Shekhawat
>>>>>>
>>>>>> On Wed, Jul 26, 2017 at 10:42 PM wenxing zheng <
>>>>>> wenxing.zh...@gmail.com> wrote:
>>>>>>
>>>>>>> Dear all,
>>>>>>>
>>>>>>> We have a Hive in 2.1.1 and a web application running against the
>>>>>>> Hive server. Before enabling the Kerberos, everything is OK. But after
>>>>>>> enabling the Kerberos, it always failed to do the authentication.
>>>>>>>
>>>>>>> - web application runs with: Jetty, hive client version: 1.2.1
>>>>>>> and JDK 1.7
>>>>>>> - Hive runs with JDK 1.8
>>>>>>> - but both JDKs are running with JCE jars.
>>>>>>>
>>>>>>>
>>>>>>> Followings are the errors:
>>>>>>>
>>>>>>>>
>>>>>>>> 2017-07-27 10:29:16,622 INFO hive.metastore:Trying to connect to
>>>>>>>> metastore with URI thrift://hdp-cli-01.dataservice.net:9083
>>>>>>>> 2017-07-27 10:29:16,793 WARN
>>>>>>>> org.apache.hadoop.util.NativeCodeLoader:Unable
>>>>>>>> to load native-hadoop library for your platform... using builtin-java
>>>>>>>> classes where applicable
>>>>>>>> 2017-07-27 10:29:16,873 ERROR
>>>>>>>> org.apache.thrift.transport.TSaslTransport:SASL
>>>>>>>> negotiation failure
>>>>>>>> javax.security.sasl.SaslException: GSS initiate failed [Caused by
>>>>>>>> GSSException: No valid credentials provided (Mechanism level: Failed to
>>>>>>>> find any Kerberos tgt)]
>>>>>>>> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChalleng
>>>>>>>> e(GssKrb5Client.java:212)
>>>>>>>> at org.apache.thrift.transport.TSaslClientTransport.handleSaslS
>>>>>>>> tartMessage(TSaslClientTransport.java:94)
>>>>>>>> at org.apache.thrift.transport.TSaslTransport.open(TSaslTranspo
>>>>>>>> rt.java:271)
>>>>>>>> at org.apache.thrift.transport.TSaslClientTransport.open(TSaslC
>>>>>>>> lientTransport.java:37)
>>>>>>>> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1
>>>>>>>> .run(TUGIAssumingTransport.java:52)
>>>>>>>> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1
>>>>>>>> .run(TUGIAssumingTransport.java:49)
>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>> at javax.security.auth.Subject.doAs(Subject.java:415)
>>>>>>>> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGro
>>>>>>>> upInformation.java:1657)
>>>>>>>> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.o
>>>>>>>> pen(TUGIAssumingTransport.java:49)
>>>>>>>> at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(Hi
>>>>>>>> veMetaStoreClient.java:420)
>>>>>>>> at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(
>>>>>>>> HiveMetaStoreClient.java:236)
>>>>>>>> at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(
>>>>>>>> HiveMetaStoreClient.java:181)
>>>>>>>> at com.taobao.zeus.store.CliTableManager.initClient(CliTableMan
>>>>>>>> ager.java:60)
>>>>>>>> at com.taobao.zeus.store.CliTableManager.<init>(CliTableManager
>>>>>>>> .java:47)
>>>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>>>>>>>> Method)
>>>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native
>>>>>>>> ConstructorAccessorImpl.java:57)
>>>>>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De
>>>>>>>> legatingConstructorAccessorImpl.java:45)
>>>>>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
>>>>>>>> at org.springframework.beans.BeanUtils.instantiateClass(BeanUti
>>>>>>>> ls.java:100)
>>>>>>>> at org.springframework.beans.factory.support.SimpleInstantiatio
>>>>>>>> nStrategy.instantiate(SimpleInstantiationStrategy.java:61)
>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa
>>>>>>>> pableBeanFactory.instantiateBean(AbstractAutowireCapableBean
>>>>>>>> Factory.java:877)
>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa
>>>>>>>> pableBeanFactory.createBeanInstance(AbstractAutowireCapableB
>>>>>>>> eanFactory.java:839)
>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa
>>>>>>>> pableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFac
>>>>>>>> tory.java:440)
>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa
>>>>>>>> pableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa
>>>>>>>> pableBeanFactory.createBean(AbstractAutowireCapableBeanFacto
>>>>>>>> ry.java:380)
>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor
>>>>>>>> y$1.getObject(AbstractBeanFactory.java:264)
>>>>>>>> at org.springframework.beans.factory.support.DefaultSingletonBe
>>>>>>>> anRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor
>>>>>>>> y.doGetBean(AbstractBeanFactory.java:261)
>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor
>>>>>>>> y.getBean(AbstractBeanFactory.java:185)
>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor
>>>>>>>> y.getBean(AbstractBeanFactory.java:164)
>>>>>>>> at org.springframework.beans.factory.support.DefaultListableBea
>>>>>>>> nFactory.findAutowireCandidates(DefaultListableBeanFactory.j
>>>>>>>> ava:671)
>>>>>>>> at org.springframework.beans.factory.support.DefaultListableBea
>>>>>>>> nFactory.resolveDependency(DefaultListableBeanFactory.java:610)
>>>>>>>> at org.springframework.beans.factory.annotation.AutowiredAnnota
>>>>>>>> tionBeanPostProcessor$AutowiredFieldElement.inject(Autowired
>>>>>>>> AnnotationBeanPostProcessor.java:412)
>>>>>>>> at org.springframework.beans.factory.annotation.InjectionMetada
>>>>>>>> ta.injectFields(InjectionMetadata.java:105)
>>>>>>>> at org.springframework.beans.factory.annotation.AutowiredAnnota
>>>>>>>> tionBeanPostProcessor.postProcessAfterInstantiation(Autowire
>>>>>>>> dAnnotationBeanPostProcessor.java:240)
>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa
>>>>>>>> pableBeanFactory.populateBean(AbstractAutowireCapableBeanFac
>>>>>>>> tory.java:959)
>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa
>>>>>>>> pableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFac
>>>>>>>> tory.java:472)
>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa
>>>>>>>> pableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa
>>>>>>>> pableBeanFactory.createBean(AbstractAutowireCapableBeanFacto
>>>>>>>> ry.java:380)
>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor
>>>>>>>> y$1.getObject(AbstractBeanFactory.java:264)
>>>>>>>> at org.springframework.beans.factory.support.DefaultSingletonBe
>>>>>>>> anRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor
>>>>>>>> y.doGetBean(AbstractBeanFactory.java:261)
>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor
>>>>>>>> y.getBean(AbstractBeanFactory.java:185)
>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor
>>>>>>>> y.getBean(AbstractBeanFactory.java:164)
>>>>>>>> at org.springframework.beans.factory.support.DefaultListableBea
>>>>>>>> nFactory.preInstantiateSingletons(DefaultListableBeanFactory
>>>>>>>> .java:429)
>>>>>>>> at org.springframework.context.support.AbstractApplicationConte
>>>>>>>> xt.finishBeanFactoryInitialization(AbstractApplicationContex
>>>>>>>> t.java:728)
>>>>>>>> at org.springframework.context.support.AbstractApplicationConte
>>>>>>>> xt.refresh(AbstractApplicationContext.java:380)
>>>>>>>> at org.springframework.web.context.ContextLoader.createWebAppli
>>>>>>>> cationContext(ContextLoader.java:255)
>>>>>>>> at org.springframework.web.context.ContextLoader.initWebApplica
>>>>>>>> tionContext(ContextLoader.java:199)
>>>>>>>> at org.springframework.web.context.ContextLoaderListener.contex
>>>>>>>> tInitialized(ContextLoaderListener.java:45)
>>>>>>>> at org.eclipse.jetty.server.handler.ContextHandler.callContextI
>>>>>>>> nitialized(ContextHandler.java:800)
>>>>>>>> at org.eclipse.jetty.servlet.ServletContextHandler.callContextI
>>>>>>>> nitialized(ServletContextHandler.java:444)
>>>>>>>> at org.eclipse.jetty.server.handler.ContextHandler.startContext
>>>>>>>> (ContextHandler.java:791)
>>>>>>>> at org.eclipse.jetty.servlet.ServletContextHandler.startContext
>>>>>>>> (ServletContextHandler.java:294)
>>>>>>>> at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppCon
>>>>>>>> text.java:1349)
>>>>>>>> at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppCo
>>>>>>>> ntext.java:1342)
>>>>>>>> at org.eclipse.jetty.server.handler.ContextHandler.doStart(Cont
>>>>>>>> extHandler.java:741)
>>>>>>>> at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext
>>>>>>>> .java:505)
>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(Abs
>>>>>>>> tractLifeCycle.java:68)
>>>>>>>> at org.eclipse.jetty.deploy.bindings.StandardStarter.processBin
>>>>>>>> ding(StandardStarter.java:41)
>>>>>>>> at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCyc
>>>>>>>> le.java:186)
>>>>>>>> at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(De
>>>>>>>> ploymentManager.java:498)
>>>>>>>> at org.eclipse.jetty.deploy.DeploymentManager.addApp(Deployment
>>>>>>>> Manager.java:146)
>>>>>>>> at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileA
>>>>>>>> dded(ScanningAppProvider.java:180)
>>>>>>>> at org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded(
>>>>>>>> WebAppProvider.java:440)
>>>>>>>> at org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fil
>>>>>>>> eAdded(ScanningAppProvider.java:64)
>>>>>>>> at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:609)
>>>>>>>> at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.jav
>>>>>>>> a:528)
>>>>>>>> at org.eclipse.jetty.util.Scanner.scan(Scanner.java:391)
>>>>>>>> at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:313)
>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(Abs
>>>>>>>> tractLifeCycle.java:68)
>>>>>>>> at org.eclipse.jetty.deploy.providers.ScanningAppProvider.doSta
>>>>>>>> rt(ScanningAppProvider.java:150)
>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(Abs
>>>>>>>> tractLifeCycle.java:68)
>>>>>>>> at org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(
>>>>>>>> DeploymentManager.java:560)
>>>>>>>> at org.eclipse.jetty.deploy.DeploymentManager.doStart(Deploymen
>>>>>>>> tManager.java:235)
>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(Abs
>>>>>>>> tractLifeCycle.java:68)
>>>>>>>> at org.eclipse.jetty.util.component.ContainerLifeCycle.start(Co
>>>>>>>> ntainerLifeCycle.java:132)
>>>>>>>> at org.eclipse.jetty.server.Server.start(Server.java:387)
>>>>>>>> at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(
>>>>>>>> ContainerLifeCycle.java:114)
>>>>>>>> at org.eclipse.jetty.server.handler.AbstractHandler.doStart(Abs
>>>>>>>> tractHandler.java:61)
>>>>>>>> at org.eclipse.jetty.server.Server.doStart(Server.java:354)
>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(Abs
>>>>>>>> tractLifeCycle.java:68)
>>>>>>>> at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguratio
>>>>>>>> n.java:1255)
>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>> at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration
>>>>>>>> .java:1174)
>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>>>>>>> ssorImpl.java:57)
>>>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>>>>>>> thodAccessorImpl.java:43)
>>>>>>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>>> at org.eclipse.jetty.start.Main.invokeMain(Main.java:321)
>>>>>>>> at org.eclipse.jetty.start.Main.start(Main.java:817)
>>>>>>>> at org.eclipse.jetty.start.Main.main(Main.java:112)
>>>>>>>> Caused by: GSSException: No valid credentials provided (Mechanism
>>>>>>>> level: Failed to find any Kerberos tgt)
>>>>>>>> at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5In
>>>>>>>> itCredential.java:147)
>>>>>>>> at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(
>>>>>>>> Krb5MechFactory.java:121)
>>>>>>>> at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(K
>>>>>>>> rb5MechFactory.java:187)
>>>>>>>> at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSMana
>>>>>>>> gerImpl.java:223)
>>>>>>>> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextIm
>>>>>>>> pl.java:212)
>>>>>>>> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextIm
>>>>>>>> pl.java:179)
>>>>>>>> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChalleng
>>>>>>>> e(GssKrb5Client.java:193)
>>>>>>>> ... 94 more
>>>>>>>
>>>>>>>
>>>>>>> Appreciated for your advice.
>>>>>>> Kind Regards, Wenxing
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
