Connect Hive to secure hadoop installation using delegation tokens - not Kerberos

Fri, 31 Oct 2014 16:55:17 -0700 

Hi,

I am running an instance of Hive CLIService in a YARN container, in a secure 
Hadoop installation. I managed to connect this component to the Hive Metastore 
using a Hive delegation token given to my YARN container. Yet, when launching a 
query that runs a MapReduce job using CLIService.executeStatementAsync , and 
setting the following: 
UserGroupInformation.getCurrentUser().setAuthenticationMethod(SaslRpcServer.AuthMethod.TOKEN);
 
to make sure that Kerberos authentication is not used, the following exceptions 
are thrown:

java.lang.RuntimeException: java.io.IOException: Failed on local exception: 
java.io.IOException: org.apache.hadoop.security.AccessControlException: Client 
cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: 
"190.154.251.23.bc.googleusercontent.com/10.240.102.5"; destination host is: 
"9.34.148.146.bc.googleusercontent.com":8020; 
        at org.apache.hadoop.hive.ql.Context.getScratchDir(Context.java:216)
        at org.apache.hadoop.hive.ql.Context.getMRScratchDir(Context.java:257)
        at org.apache.hadoop.hive.ql.Context.getMRTmpFileURI(Context.java:315)
        at 
org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.getMetaData(SemanticAnalyzer.java:1268)
        at 
org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.getMetaData(SemanticAnalyzer.java:1053)
        at 
org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.analyzeInternal(SemanticAnalyzer.java:8342)
        at 
org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer.analyze(BaseSemanticAnalyzer.java:284)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:441)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:342)
        at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1000)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:911)
        at 
org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:102)
        at 
org.apache.hive.service.cli.operation.SQLOperation.access$000(SQLOperation.java:62)
        at 
org.apache.hive.service.cli.operation.SQLOperation$1.run(SQLOperation.java:153)
        at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
        at java.util.concurrent.FutureTask.run(FutureTask.java:138)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
        at java.lang.Thread.run(Thread.java:662)
Caused by: java.io.IOException: Failed on local exception: java.io.IOException: 
org.apache.hadoop.security.AccessControlException: Client cannot authenticate 
via:[TOKEN, KERBEROS]; Host Details : local host is: 
"190.154.251.23.bc.googleusercontent.com/10.240.102.5"; destination host is: 
"9.34.148.146.bc.googleusercontent.com":8020; 
        at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:764)
        at org.apache.hadoop.ipc.Client.call(Client.java:1351)
        at org.apache.hadoop.ipc.Client.call(Client.java:1300)
        at 
org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:206)
        at com.sun.proxy.$Proxy9.mkdirs(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at 
org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:186)
        at 
org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:102)
        at com.sun.proxy.$Proxy9.mkdirs(Unknown Source)
        at 
org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.mkdirs(ClientNamenodeProtocolTranslatorPB.java:467)
        at org.apache.hadoop.hdfs.DFSClient.primitiveMkdir(DFSClient.java:2394)
        at org.apache.hadoop.hdfs.DFSClient.mkdirs(DFSClient.java:2365)
        at 
org.apache.hadoop.hdfs.DistributedFileSystem$16.doCall(DistributedFileSystem.java:817)
        at 
org.apache.hadoop.hdfs.DistributedFileSystem$16.doCall(DistributedFileSystem.java:813)
        at 
org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
        at 
org.apache.hadoop.hdfs.DistributedFileSystem.mkdirsInternal(DistributedFileSystem.java:813)
        at 
org.apache.hadoop.hdfs.DistributedFileSystem.mkdirs(DistributedFileSystem.java:806)
        at org.apache.hadoop.fs.FileSystem.mkdirs(FileSystem.java:1933)
        at org.apache.hadoop.hive.ql.Context.getScratchDir(Context.java:205)
        ... 19 more
Caused by: java.io.IOException: 
org.apache.hadoop.security.AccessControlException: Client cannot authenticate 
via:[TOKEN, KERBEROS]
        at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:620)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at 
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1491)
        at 
org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:583)
        at 
org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:667)
        at org.apache.hadoop.ipc.Client$Connection.access$2600(Client.java:314)
        at org.apache.hadoop.ipc.Client.getConnection(Client.java:1399)
        at org.apache.hadoop.ipc.Client.call(Client.java:1318)
        ... 39 more
Caused by: org.apache.hadoop.security.AccessControlException: Client cannot 
authenticate via:[TOKEN, KERBEROS]
        at 
org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:170)
        at 
org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:387)
        at 
org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:494)
        at org.apache.hadoop.ipc.Client$Connection.access$1700(Client.java:314)
        at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:659)
        at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:655)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at 
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1491)
        at 
org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:654)
        ... 42 more

Connecting to HDFS using a delegation token seems impossible. 
Note that HDFS delegation token is available to my container: this call 
UserGroupInformation.getCurrentUser().getTokens() returns the following tokens:
HIVE_DELEGATION_TOKEN
HBASE_AUTH_TOKEN
HDFS_DELEGATION_TOKEN
RM_DELEGATION_TOKEN

I have been trying to debug these calls and see if a configuration had to be 
set, but to no avail.

Has anyone tried to used delegations tokens in a Hive server before? 

Thank you,
Julien

Reply via email to