I do know of others using spotfire for JDBC through to HS2. So that is definitely a usecase that works - I do not believe that they are using Hadoop Auth Provider though.
If you are going to open a support ticket with hortonworks then we will see where it goes from there. On Sat, Feb 25, 2017 at 12:37 PM, Greg Senia <[email protected]> wrote: > Hi Larry, > > Sorry for delayed response but we have gotten Beeline to work with > Kerberos against Knox gateway. It only doesn’t work when spitfire makes a > JDBC call with the delegated Kerberos ticket on behalf of the user. We’ve > done lots of debug. I think I may open a ticket up with HWX since we do > have support. Would you be willing to hop on a call and discuss at some > point and maybe we can show you the issue on a webex. > > -Greg > > > On Feb 21, 2017, at 3:02 PM, larry mccay <[email protected]> wrote: > > Hi Greg - > > Sorry for the delayed response here... > > Let's try and remove Spotfire from the equation first. > Try getting a simple curl request to WebHDFS working with --negotiate > before moving on to Spotfire/JDBC access. > > Let me know what you see in the related logs for that interaction. > > thanks, > > --larry > > > On Fri, Feb 17, 2017 at 12:01 PM, Greg Senia <[email protected]> wrote: > >> Hi, >> >> Not sure if anyone has encountered this. We have a Hadoop Cluster that is >> secured behind firewalls and the cluster is kerberized and we would like to >> use Knox to allow access to HiveServer2 using the httpthrift service. We >> have Tibco Spotfire setup to allow kerberos delegation to occur to HS2 so >> that it makes the call with the users kerberos context to Knox (using >> HadoopAuth) mechanism which is proxying the request to HS2 (this fails). >> When we allow Tibco Spotfire setup to allow kerberos delegation to occur to >> HS2 directly without Knox this works. Is this a bug in Knox 0.9 or >> something that has not been supported. I’ve attached the config files which >> are scrubbed of identifying info. Let me know thoughts on this. Have >> performed lots of debug and basically the failing request to knox makes it >> all the way to HS2 but Knox is terminating the requests and causing Hive to >> fail. >> >> >> Error from Hive JDBC driver on SpotFire side this does not occur when >> going directly to HS2 with httpthrift only when going at Knox using Knox’s >> HadoopAuth plugin: >> >> ERROR 2017-02-16T23:59:42,571-0500 [EXAMPLE-CORP\GSS2002, #39, #473] >> api.common.InformationModelServiceCommon: Error retrieving metadata: >> org.apache.http.client.ClientProtocolException >> com.spotfire.ws.api.common.InformationModelWebServiceException: Error >> retrieving metadata: org.apache.http.client.ClientProtocolException >> at com.spotfire.ws.api.common.InformationModelServiceCommon.wra >> pException(InformationModelServiceCommon.java:135) >> at com.spotfire.ws.api.common.InformationModelServiceCommon.wra >> pException(InformationModelServiceCommon.java:69) >> at com.spotfire.ws.api.element.ElementManagerService.listDataSo >> urceElements(ElementManagerService.java:397) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >> ssorImpl.java:62) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >> thodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.apache.cxf.service.invoker.AbstractInvoker.performInvoca >> tion(AbstractInvoker.java:181) >> at org.apache.cxf.service.invoker.AbstractInvoker.invoke( >> AbstractInvoker.java:97) >> at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(Abstr >> actJAXWSMethodInvoker.java:232) >> at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodIn >> voker.java:69) >> at org.apache.cxf.service.invoker.AbstractInvoker.invoke( >> AbstractInvoker.java:75) >> at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run( >> ServiceInvokerInterceptor.java:59) >> at java.util.concurrent.Executors$RunnableAdapter.call( >> Executors.java:511) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at org.apache.cxf.interceptor.ServiceInvokerInterceptor$2.run( >> ServiceInvokerInterceptor.java:126) >> at org.apache.cxf.workqueue.SynchronousExecutor.execute(Synchro >> nousExecutor.java:37) >> at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleM >> essage(ServiceInvokerInterceptor.java:131) >> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase >> InterceptorChain.java:307) >> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(C >> hainInitiationObserver.java:121) >> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke >> (AbstractHTTPDestination.java:254) >> at org.apache.cxf.transport.servlet.ServletController.invokeDes >> tination(ServletController.java:234) >> at org.apache.cxf.transport.servlet.ServletController.invoke( >> ServletController.java:208) >> at org.apache.cxf.transport.servlet.ServletController.invoke( >> ServletController.java:160) >> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke( >> CXFNonSpringServlet.java:180) >> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleR >> equest(AbstractHTTPServlet.java:298) >> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost( >> AbstractHTTPServlet.java:217) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:648) >> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service >> (AbstractHTTPServlet.java:273) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:292) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte >> r.java:52) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.SecurityFilter.doFilter(Securit >> yFilter.java:318) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.CustomAuthFilterWrapper.doFilte >> r(CustomAuthFilterWrapper.java:82) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.CsrfFilter.doFilter(CsrfFilter. >> java:79) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.HttpMethodsFilter.doFilter(Http >> MethodsFilter.java:189) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.headers.HeadersFilter.doFilter( >> HeadersFilter.java:192) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.AccessLogFilter.doFilter(Access >> LogFilter.java:78) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at com.spotfire.server.security.RequestContextFilter.doFilter(R >> equestContextFilter.java:114) >> at com.spotfire.server.security.RequestContextFilter.doFilter(R >> equestContextFilter.java:80) >> at com.spotfire.server.security.AbstractFilter.doFilter(Abstrac >> tFilter.java:125) >> at org.springframework.web.filter.DelegatingFilterProxy.invokeD >> elegate(DelegatingFilterProxy.java:346) >> at org.springframework.web.filter.DelegatingFilterProxy.doFilte >> r(DelegatingFilterProxy.java:262) >> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi >> lter(ApplicationFilterChain.java:240) >> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App >> licationFilterChain.java:207) >> at org.apache.catalina.core.StandardWrapperValve.invoke(Standar >> dWrapperValve.java:212) >> at org.apache.catalina.core.StandardContextValve.invoke(Standar >> dContextValve.java:106) >> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(A >> uthenticatorBase.java:502) >> at org.apache.catalina.core.StandardHostValve.invoke(StandardHo >> stValve.java:141) >> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo >> rtValve.java:79) >> at org.apache.catalina.core.StandardEngineValve.invoke(Standard >> EngineValve.java:88) >> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd >> apter.java:509) >> at org.apache.coyote.http11.AbstractHttp11Processor.process(Abs >> tractHttp11Processor.java:1104) >> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler >> .process(AbstractProtocol.java:684) >> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun >> (NioEndpoint.java:1520) >> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run( >> NioEndpoint.java:1476) >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >> Executor.java:1142) >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >> lExecutor.java:617) >> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable. >> run(TaskThread.java:61) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: com.spotfire.ws.im.IMException: Error retrieving metadata: >> org.apache.http.client.ClientProtocolException >> at com.spotfire.ws.im.ds.sql.JDBCDataSourceManager$MetaDataCach >> e.getMetadata(JDBCDataSourceManager.java:1852) >> at com.spotfire.ws.im.ds.sql.JDBCDataSourceManager.getMetadata( >> JDBCDataSourceManager.java:254) >> at com.spotfire.ws.api.element.ElementManagerService.listDataSo >> urceElements(ElementManagerService.java:393) >> ... 89 more >> Caused by: java.sql.SQLException: org.apache.http.client.ClientP >> rotocolException >> at org.apache.hive.jdbc.HiveDatabaseMetaData.getTables(HiveData >> baseMetaData.java:656) >> at com.spotfire.server.util.sql.WrappedDatabaseMetaData.getTabl >> es(WrappedDatabaseMetaData.java:410) >> at com.spotfire.ws.im.ds.sql.BasicJDBCMetadataProvider.getSchem >> as(BasicJDBCMetadataProvider.java:318) >> at com.spotfire.ws.im.ds.sql.BasicJDBCMetadataProvider.getMetad >> ata(BasicJDBCMetadataProvider.java:121) >> at com.spotfire.ws.im.ds.sql.JDBCDataSourceManager$MetaDataCach >> e.getMetadata(JDBCDataSourceManager.java:1842) >> ... 91 more >> Caused by: org.apache.thrift.transport.TTransportException: >> org.apache.http.client.ClientProtocolException >> at org.apache.thrift.transport.THttpClient.flushUsingHttpClient >> (THttpClient.java:297) >> at org.apache.thrift.transport.THttpClient.flush(THttpClient.ja >> va:313) >> at org.apache.thrift.TServiceClient.sendBase(TServiceClient. >> java:73) >> at org.apache.thrift.TServiceClient.sendBase(TServiceClient. >> java:62) >> at org.apache.hive.service.cli.thrift.TCLIService$Client.send_ >> GetTables(TCLIService.java:315) >> at org.apache.hive.service.cli.thrift.TCLIService$Client.GetTab >> les(TCLIService.java:307) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >> ssorImpl.java:62) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >> thodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.apache.hive.jdbc.HiveConnection$SynchronizedHandler. >> invoke(HiveConnection.java:1388) >> at com.sun.proxy.$Proxy146.GetTables(Unknown Source) >> at org.apache.hive.jdbc.HiveDatabaseMetaData.getTables(HiveData >> baseMetaData.java:654) >> ... 95 more >> Caused by: org.apache.http.client.ClientProtocolException >> at org.apache.http.impl.client.InternalHttpClient.doExecute(Int >> ernalHttpClient.java:186) >> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos >> eableHttpClient.java:117) >> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos >> eableHttpClient.java:55) >> at org.apache.thrift.transport.THttpClient.flushUsingHttpClient >> (THttpClient.java:251) >> ... 107 more >> Caused by: org.apache.http.HttpException: The Subject is not set >> at org.apache.hive.jdbc.HttpRequestInterceptorBase.process(Http >> RequestInterceptorBase.java:94) >> at org.apache.http.protocol.ImmutableHttpProcessor.process(Immu >> tableHttpProcessor.java:132) >> at org.apache.http.impl.execchain.ProtocolExec.execute( >> ProtocolExec.java:182) >> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec. >> java:88) >> at org.apache.http.impl.execchain.RedirectExec.execute( >> RedirectExec.java:110) >> at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.e >> xecute(ServiceUnavailableRetryExec.java:84) >> at org.apache.http.impl.client.InternalHttpClient.doExecute(Int >> ernalHttpClient.java:184) >> ... 110 more >> Caused by: org.apache.http.HttpException: The Subject is not set >> at org.apache.hive.jdbc.HttpKerberosRequestInterceptor. >> addHttpAuthHeader(HttpKerberosRequestInterceptor.java:73) >> at org.apache.hive.jdbc.HttpRequestInterceptorBase.process(Http >> RequestInterceptorBase.java:78) >> ... 116 more >> Caused by: java.lang.Exception: The Subject is not set >> at org.apache.hive.service.auth.HttpAuthUtils.getKerberosServic >> eTicket(HttpAuthUtils.java:118) >> at org.apache.hive.jdbc.HttpKerberosRequestInterceptor. >> addHttpAuthHeader(HttpKerberosRequestInterceptor.java:67) >> ... 117 more > > > >
