I am trying to connect to Hive using DbVisualizer, and I am following the article at https://github.com/timveil/hive-jdbc-uber-jar#kerberized-setup

The following is my config file:

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = dev.abc.com
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5


[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log


[realms]
  dev.abc.com = {
    admin_server = wplc-dc1.dev.abc.com
    kdc = wplc-dc1.dev.abc.com
  }

I have put the path of this config file in the DbVisualizer settings.

And I am using the following URL:

jdbc:hive2://d9lcwphd1m1.dev.abc.com:2181,d9lcwphd1m2.dev.abc.com:2181,d9lcwphd1d1.dev.abc.com:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_HOST@dev.abc.com

Error:

Java.sql.SQLException: Could not open client transport for any of the Server URI's in ZooKeeper: GSS initiate failed
    at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:228)
    at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:166)
    at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:105)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at com.onseven.dbvis.g.B.D.ᅣチ(Z:1548)
    at com.onseven.dbvis.g.B.F$A.call(Z:1369)
    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
    at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/javax.security.auth.Subject.doAs(Unknown Source)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
    at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:204)

I think the problem is that the domain of my machine is abc.com and not dev.abc.com.

Output of klist:

Credentials cache: API:1CFA7C7B-9BF9-41E6-B516-BC10C925E8E7
        Principal: gaurang.shah@abc.com

  Issued                Expires               Principal
Jun  8 19:10:28 2018  Jun  9 05:10:28 2018  krbtgt/abc.com@Cabc.com

Update:

If I provide both realms in the config file, I get a parsing error.

Config:

abc.com = {
    admin_server = wpcp-dc1.abc.com
    kdc = wpcp-dc1.abc.com:88
    kdc = wpcp-dc2.abc.com:88
}
dev.abc.com = {
    admin_server = wplc-dc1.dev.abc.com
    kdc = wplc-dc1.dev.abc.com
  }

Error:

Long Message:
Can't get Kerberos realm

Details:
   Type: java.lang.IllegalArgumentException

Stack Trace:
KrbException: Illegal config content:  }
   at java.security.jgss/sun.security.krb5.Config.parseStanzaTable(Unknown Source)
   at java.security.jgss/sun.security.krb5.Config.<init>(Unknown Source)
   at java.security.jgss/sun.security.krb5.Config.getInstance(Unknown Source)
Gaurang Shah
  • My 2 cents: Kerberos auth to ZK is a nightmare. If you don't believe me, just read the GitBook _"Hadoop and Kerberos, the Madness beyond the Gate"_ by Steve Loughran. Try to hit a running HS2 instance directly, with the basic URL syntax; that will make Kerberos debugging way easier. – Samson Scharfrichter Jun 09 '18 at 19:15
  • If your user and the target service are not in the same Kerberos realm, then you have to define _both_ in `krb5.conf`; plus the rules that define how to "hop" from user realm to service realm (can be implicit, i.e. go to the common ancestor realm -- define that one too! -- or explicit via `[capath]` entries); plus the rules to attach host names or (sub)networks to realms. – Samson Scharfrichter Jun 09 '18 at 19:22
  • Cross-realm in more detail: see https://stackoverflow.com/questions/44312403/connect-to-kafka-on-unix-from-windows-with-kerberos >> also the part about _"you should enable Kerberos debug traces"_ might be helpful, because by default the JAAS library leaves you in the dark. – Samson Scharfrichter Jun 09 '18 at 19:31
  • @SamsonScharfrichter Thanks for the comments; however, I am not able to understand either thing. If I mention both realms in the config file, I get a parsing error. I have updated the question. – Gaurang Shah Jun 10 '18 at 02:41
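
The layout described in the second comment above (both realms, host-to-realm rules, and an explicit hop), written out as an added example that is not part of the original thread. Realm and KDC host names are copied from the question as posted; the choice of `default_realm` and the existence of a cross-realm trust between the two realms are assumptions.

```ini
# Added example, not from the thread. Comments are on their own lines
# because krb5.conf has no trailing-comment syntax.

[libdefaults]
# Assumption: the user's realm, taken from the klist output in the question.
  default_realm = abc.com
  dns_lookup_realm = false
  dns_lookup_kdc = false
  forwardable = true

# Both realms are nested under a single [realms] header, each with its own
# balanced pair of braces.
[realms]
  abc.com = {
    admin_server = wpcp-dc1.abc.com
    kdc = wpcp-dc1.abc.com:88
    kdc = wpcp-dc2.abc.com:88
  }
  dev.abc.com = {
    admin_server = wplc-dc1.dev.abc.com
    kdc = wplc-dc1.dev.abc.com
  }

# Rules that attach host names to realms. The more specific suffix wins, so
# the HiveServer2 and ZooKeeper hosts under dev.abc.com resolve to dev.abc.com.
[domain_realm]
  .dev.abc.com = dev.abc.com
  dev.abc.com = dev.abc.com
  .abc.com = abc.com
  abc.com = abc.com

# Explicit hop from the user realm to the service realm. "." means the client
# realm reaches the service realm directly, with no intermediate realm.
# Assumption: a cross-realm trust already exists between the two realms.
[capaths]
  abc.com = {
    dev.abc.com = .
  }
```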

0 Answers