[ 
https://issues.apache.org/jira/browse/HIVE-21239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16765080#comment-16765080
 ] 

Zoltan Chovan commented on HIVE-21239:
--------------------------------------

*Beeline output when using the example:*

 
{noformat}
Error: Could not open client transport with JDBC Uri: jdbc:hive2://cdh-m-a.cluster.local:10000/default;ssl=true: Peer indicated failure: PLAIN auth failed: Error validating LDAP user (state=08S01,code=0){noformat}
 

*HS2 logs from the same time:*

 
{noformat}
2019-02-11 15:26:06,339 WARN org.apache.hadoop.hive.conf.HiveConf: [HiveServer2-Handler-Pool: Thread-48]: HiveConf of name hive.server2.idle.session.timeout_check_operation does not exist
2019-02-11 15:26:06,339 WARN org.apache.hadoop.hive.conf.HiveConf: [HiveServer2-Handler-Pool: Thread-48]: HiveConf of name hive.entity.capture.input.URI does not exist
2019-02-11 15:26:06,413 ERROR org.apache.thrift.transport.TSaslTransport: [HiveServer2-Handler-Pool: Thread-48]: SASL negotiation failure
javax.security.sasl.SaslException: PLAIN auth failed: Error validating LDAP user [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]]]
    at org.apache.hadoop.security.SaslPlainServer.evaluateResponse(SaslPlainServer.java:108)
    at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:794)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:791)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1904)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:791)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]]
    at org.apache.hive.service.auth.ldap.LdapSearchFactory.getInstance(LdapSearchFactory.java:48)
    at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.createDirSearch(LdapAuthenticationProviderImpl.java:92)
    at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:72)
    at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
    at org.apache.hadoop.security.SaslPlainServer.evaluateResponse(SaslPlainServer.java:103)
    ... 14 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.InitialContext.<init>(InitialContext.java:216)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
    at org.apache.hive.service.auth.ldap.LdapSearchFactory.createDirContext(LdapSearchFactory.java:62)
    at org.apache.hive.service.auth.ldap.LdapSearchFactory.getInstance(LdapSearchFactory.java:44)
    ... 18 more
2019-02-11 15:26:06,413 ERROR org.apache.thrift.server.TThreadPoolServer: [HiveServer2-Handler-Pool: Thread-48]: Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: PLAIN auth failed: Error validating LDAP user
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:794)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:791)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1904)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:791)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.thrift.transport.TTransportException: PLAIN auth failed: Error validating LDAP user
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    ... 10 more{noformat}
I've only found two lines where the username is being parsed:

[https://github.com/apache/hive/blob/master/beeline/src/java/org/apache/hive/beeline/BeeLine.java#L876]

[https://github.com/apache/hive/blob/master/beeline/src/java/org/apache/hive/beeline/BeeLine.java#L898]

Same for the password:

[https://github.com/apache/hive/blob/master/beeline/src/java/org/apache/hive/beeline/BeeLine.java#L879]

[https://github.com/apache/hive/blob/master/beeline/src/java/org/apache/hive/beeline/BeeLine.java#L882]

[https://github.com/apache/hive/blob/master/beeline/src/java/org/apache/hive/beeline/BeeLine.java#L901]

 

None of these parse the username/password from args[]; they all read it from the command-line options.

 

> Beeline help LDAP connection example incorrect
> ----------------------------------------------
>
>                 Key: HIVE-21239
>                 URL: https://issues.apache.org/jira/browse/HIVE-21239
>             Project: Hive
>          Issue Type: Bug
>         Environment: This was tested on a test environment with SSL and LDAP 
> authentication enabled, and seems to be reproducible on any environment with 
> LDAP authentication available in HiveServer2.
>            Reporter: Zsolt Herczeg
>            Assignee: Zoltan Chovan
>            Priority: Major
>              Labels: newbie
>
> There's the following connection example string in the beeline -h command 
> output:
>  
> {code:java}
> 5. Connect using LDAP authentication
> $ beeline -u jdbc:hive2://hs2.local:10013/default <ldap-username> 
> <ldap-password>
> {code}
> When a user attempts to connect like above, it'll fail with an LDAP 
> authentication failure. This is because the username and password are not 
> picked up in the shown form. A working example would be:
> {code:java}
> $ beeline -n <ldap-username> -p <ldap-password> -u 
> jdbc:hive2://hs2.local:10013/default
> {code}
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
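The HS2 log in the comment above shows the LDAP authenticator failing a simple bind against Active Directory with `LDAP: error code 49 ... data 52e`. AD uses error code 49 for every bind failure and puts the actual reason in that `data` sub-code, so the sub-code is what to read before touching Beeline flags. The POSIX shell helper below is an added example, not code from HIVE-21239, from Beeline or from Hive: it extracts the sub-code from HiveServer2 log lines and maps it to AD's documented meaning. The sample log lines it feeds itself are constructed; the first reproduces the exception line from the log above, the others are hypothetical variants with different sub-codes.

```shell
#!/bin/sh
# Added example (not part of Hive or HIVE-21239): triage AD bind failures
# recorded by HiveServer2's LDAP authenticator.

# Map an AD sub-code (the hex value after "data" in the AcceptSecurityContext
# comment) to its documented meaning.
ad_subcode_reason() {
  case "$1" in
    525) echo "user not found" ;;
    52e) echo "invalid credentials (bad password, or wrong bind DN/username)" ;;
    530) echo "logon not permitted at this time" ;;
    531) echo "logon not permitted at this workstation" ;;
    532) echo "password expired" ;;
    533) echo "account disabled" ;;
    701) echo "account expired" ;;
    773) echo "user must reset password" ;;
    775) echo "account locked out" ;;
    *)   echo "unknown AD sub-code: $1" ;;
  esac
}

# Pull the sub-code out of one log line. Prints nothing when the line is not
# an AD "error code 49" bind failure, so callers can use the empty string as
# the "not applicable" signal.
ad_subcode_from_line() {
  printf '%s\n' "$1" | sed -n \
    's/.*error code 49.*AcceptSecurityContext error, data \([0-9a-fA-F]*\).*/\1/p'
}

# Classify one line as "<subcode>: <reason>" or "not-an-ad-bind-failure".
ad_bind_reason() {
  code=$(ad_subcode_from_line "$1")
  if [ -z "$code" ]; then
    echo "not-an-ad-bind-failure"
  else
    echo "$code: $(ad_subcode_reason "$code")"
  fi
}

# Read a log on stdin and emit one classified line per AD bind failure,
# silently skipping everything else (HiveConf warnings, stack frames, ...).
triage_hs2_log() {
  while IFS= read -r line; do
    reason=$(ad_bind_reason "$line")
    if [ "$reason" != "not-an-ad-bind-failure" ]; then
      printf '%s\n' "$reason"
    fi
  done
}

# Constructed sample input. Line 1 is a HiveConf warning that must be ignored,
# line 2 mirrors the SaslException line from the HS2 log in the comment,
# lines 3 and 4 are hypothetical failures with other sub-codes.
sample_hs2_log() {
  cat <<'EOF'
2019-02-11 15:26:06,339 WARN org.apache.hadoop.hive.conf.HiveConf: [HiveServer2-Handler-Pool: Thread-48]: HiveConf of name hive.entity.capture.input.URI does not exist
javax.security.sasl.SaslException: PLAIN auth failed: Error validating LDAP user [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]]]
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 775, v3839]
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 533, v3839]
EOF
}

# Usage: sample_hs2_log | triage_hs2_log
# (or: triage_hs2_log < /var/log/hive/hiveserver2.log)
```

Two caveats when reading the output. AD returns 52e for an unknown user as well as for a wrong password (525 is defined but rarely sent, precisely so that bind failures do not enumerate accounts), so a 52e on its own only says the credentials as presented were rejected; in the case above that is consistent with the username and password never having reached the server. And once the invocation is corrected to `-n`/`-p`, the LDAP password is visible in `ps` output and the shell history; Beeline's `-w <password-file>` (long form `--password-file`) reads it from a file instead.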