You were right ! Thanks a lot, I didn't check this property as I thought Ambari set it to true when enabling Kerberos.

Thanks again,
Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-09-09 19:53 GMT+02:00 Takahiko Saito <tysa...@gmail.com>:

> Hi Loic,
>
> One possible solution is if hive.server2.enable.doAs is set false in
> hive-site.xml, you can change it to true and restart HiveServer2. And then
> try to connect via beeline.
>
> Cheers,
>
> On Wed, Sep 9, 2015 at 8:02 AM, Loïc Chanel <loic.cha...@telecomnancy.net>
> wrote:
>
>> Hi guys !
>>
>> Sorry to interrupt but I need to go back to the first reason of this
>> thread : I can't connect to hive anymore.
>> I upgraded my cluster to HDP 2.3, and I saw that the way to connect to
>> Hive via Beeline & Kerberos hasn't changed, but the exact command that
>> worked before doesn't work anymore.
>> Instead of connecting, Beeline returns me :
>> Error: Failed to open new session: java.lang.RuntimeException:
>> java.lang.RuntimeException:
>> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException):
>> User: hive/hiveserverh...@example.com is not allowed to impersonate
>> testUser (state=,code=0)
>>
>> The logs are not more explicit, as there is an exception with the same
>> conclusion : Caused by:
>> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException):
>> User: hive/hiveserverh...@example.com is not allowed to impersonate
>> testUser
>>
>> Do any of you have an idea about where this could come from ?
>>
>> Loïc CHANEL
>> Engineering student at TELECOM Nancy
>> Trainee at Worldline - Villeurbanne
>>
>> 2015-08-31 13:51 GMT+02:00 Lars Francke <lars.fran...@gmail.com>:
>>
>>>> That said, +1 to adding a check that we are using kerberos and skipping
>>>> the prompt if we are. I think we probably don't even need to parse the URL
>>>> to detect that. Just checking on the auth type property(
>>>> hive.server2.authentication) is KERBEROS or not should do the trick.
>>>>
>>>
>>> I have not looked into this at all but Beeline being a generic client
>>> does it even use that property? I mean I could connect to any server,
>>> right? Will try to take a look.
>>>
>>>> [1]
>>>> https://github.com/apache/hive/blob/3991dba30c5068cac296f32e24e97cf87efa266c/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java#L450-L455
>>>>
>>>> On Wed, Aug 26, 2015 at 5:40 PM, Lars Francke <lars.fran...@gmail.com>
>>>> wrote:
>>>>
>>>>> On Wed, Aug 26, 2015 at 4:53 PM, kulkarni.swar...@gmail.com <
>>>>> kulkarni.swar...@gmail.com> wrote:
>>>>>
>>>>>> > my understanding is that after using kerberos authentication, you
>>>>>> probably don’t need the password.
>>>>>>
>>>>>> That is not an accurate statement. Beeline is a JDBC client as
>>>>>> compared to Hive CLI which is a thrift client to talk to HiveServer2. So it
>>>>>> would need the password to establish that JDBC connection. If you look at
>>>>>> the beeline console code[1], it actually first tries to read the
>>>>>> "javax.jdo.option.ConnectionUserName" and
>>>>>> "javax.jdo.option.ConnectionPassword" property which is the same username
>>>>>> and password that you have setup your backing metastore DB with. If it is
>>>>>> MySQL, it would be the password you set MySQL with or empty if you
>>>>>> haven't(or are using derby). Kerberos is merely a tool for you to
>>>>>> authenticate yourself so that you cannot impersonate yourself as someone
>>>>>> else.
>>>>>>
>>>>>
>>>>> I don't think what you're saying is accurate.
>>>>>
>>>>> 1) Hive CLI does not talk to HiveServer2
>>>>>
>>>>> 2) Beeline talks to HiveServer2 and needs some way to authenticate
>>>>> itself depending on the configuration of HS2.
>>>>>
>>>>> HS2 can be configured to authenticate in one of these ways if I'm up
>>>>> to date:
>>>>>
>>>>> * NOSASL: no password needed
>>>>> * KERBEROS (SASL): no password needed
>>>>> * NONE (SASL) using the AnonymousAuthenticationProviderImpl: no
>>>>> password needed
>>>>> * LDAP (SASL) using the LdapAuthenticationProviderImpl: username and
>>>>> password required
>>>>> * PAM (SASL) using the PamAuthenticationProviderImpl: username and
>>>>> password required
>>>>> * CUSTOM (SASL) using the CustomAuthenticationProviderImpl: username
>>>>> and password required
>>>>>
>>>>> By far the most common configurations are NONE (default I think) and
>>>>> KERBEROS. Both don't need a username and password provided so it does not
>>>>> make sense to ask for one every time.
>>>>>
>>>>> The only good reason I can think of to ask for a password is so that
>>>>> it doesn't appear in a shell/beeline history and/or on screen. I'm sure
>>>>> there are others?
>>>>> The username can be safely provided in the URL if needed so I don't
>>>>> think asking for that every time is reasonable either.
>>>>>
>>>>> What would be a good way to deal with this? I'm tempted to just rip
>>>>> out those prompts. The other option would be to parse the connection URL
>>>>> and check whether it's the Kerberos mode.
>>>>>
>>>>>>
>>>>>> [1]
>>>>>> https://github.com/apache/hive/blob/3991dba30c5068cac296f32e24e97cf87efa266c/beeline/src/java/org/apache/hive/beeline/Commands.java#L1117-L1125
>>>>>>
>>>>>> On Wed, Aug 26, 2015 at 10:13 AM, Loïc Chanel <
>>>>>> loic.cha...@telecomnancy.net> wrote:
>>>>>>
>>>>>>> Here it is : https://issues.apache.org/jira/browse/HIVE-11653
>>>>>>>
>>>>>>> Loïc CHANEL
>>>>>>> Engineering student at TELECOM Nancy
>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>
>>>>>>> 2015-08-25 23:10 GMT+02:00 Sergey Shelukhin <ser...@hortonworks.com>:
>>>>>>>
>>>>>>>> Sure!
>>>>>>>>
>>>>>>>> From: Loïc Chanel <loic.cha...@telecomnancy.net>
>>>>>>>> Reply-To: "user@hive.apache.org" <user@hive.apache.org>
>>>>>>>> Date: Tuesday, August 25, 2015 at 00:23
>>>>>>>> To: "user@hive.apache.org" <user@hive.apache.org>
>>>>>>>> Subject: Re: HiveServer2 & Kerberos
>>>>>>>>
>>>>>>>> It is the case.
>>>>>>>> Would you like me to fill a JIRA about it ?
>>>>>>>>
>>>>>>>> Loïc CHANEL
>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>
>>>>>>>> 2015-08-24 19:24 GMT+02:00 Sergey Shelukhin <ser...@hortonworks.com>:
>>>>>>>>
>>>>>>>>> If that is the case it sounds like a bug…
>>>>>>>>>
>>>>>>>>> From: Jary Du <jary...@gmail.com>
>>>>>>>>> Reply-To: "user@hive.apache.org" <user@hive.apache.org>
>>>>>>>>> Date: Thursday, August 20, 2015 at 08:56
>>>>>>>>> To: "user@hive.apache.org" <user@hive.apache.org>
>>>>>>>>> Subject: Re: HiveServer2 & Kerberos
>>>>>>>>>
>>>>>>>>> My understanding is that it will always ask you user/password even
>>>>>>>>> though you don’t need them. It is just the way how hive is setup.
>>>>>>>>>
>>>>>>>>> On Aug 20, 2015, at 8:28 AM, Loïc Chanel <
>>>>>>>>> loic.cha...@telecomnancy.net> wrote:
>>>>>>>>>
>>>>>>>>> !connect jdbc:hive2://192.168.6.210:10000/db;principal=hive/hiveh...@westeros.wl org.apache.hive.jdbc.HiveDriver
>>>>>>>>> scan complete in 13ms
>>>>>>>>> Connecting to jdbc:hive2://192.168.6.210:10000/db;principal=hive/hiveh...@westeros.wl
>>>>>>>>> Enter password for jdbc:hive2://192.168.6.210:10000/chaneldb;principal=hive/hiveh...@westeros.wl:
>>>>>>>>>
>>>>>>>>> And if I press enter everything works perfectly, because I am
>>>>>>>>> using Kerberos authentication, that's actually why I was asking what is
>>>>>>>>> Hive asking for, because in my case, it seems that I shouldn't be asked for
>>>>>>>>> a password when connecting.
>>>>>>>>>
>>>>>>>>> Loïc CHANEL
>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>
>>>>>>>>> 2015-08-20 17:06 GMT+02:00 Jary Du <jary...@gmail.com>:
>>>>>>>>>
>>>>>>>>>> How does Beeline ask you? What happens if you just press enter?
>>>>>>>>>>
>>>>>>>>>> On Aug 20, 2015, at 12:15 AM, Loïc Chanel <
>>>>>>>>>> loic.cha...@telecomnancy.net> wrote:
>>>>>>>>>>
>>>>>>>>>> Indeed, I don't need the password, but why is Beeline asking me
>>>>>>>>>> for one ? To what does it correspond ?
>>>>>>>>>>
>>>>>>>>>> Thanks again,
>>>>>>>>>>
>>>>>>>>>> Loïc
>>>>>>>>>>
>>>>>>>>>> Loïc CHANEL
>>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>>
>>>>>>>>>> 2015-08-19 18:22 GMT+02:00 Jary Du <jary...@gmail.com>:
>>>>>>>>>>
>>>>>>>>>>> Correct me if I am wrong, my understanding is that after using
>>>>>>>>>>> kerberos authentication, you probably don’t need the password.
>>>>>>>>>>>
>>>>>>>>>>> Hope it helps
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Jary
>>>>>>>>>>>
>>>>>>>>>>> On Aug 19, 2015, at 9:09 AM, Loïc Chanel <
>>>>>>>>>>> loic.cha...@telecomnancy.net> wrote:
>>>>>>>>>>>
>>>>>>>>>>> By the way, thanks a lot for your help, because your solution
>>>>>>>>>>> works, but I'm still interested in knowing what is the password I did not
>>>>>>>>>>> enter.
>>>>>>>>>>>
>>>>>>>>>>> Thanks again,
>>>>>>>>>>>
>>>>>>>>>>> Loïc
>>>>>>>>>>>
>>>>>>>>>>> Loïc CHANEL
>>>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>>>
>>>>>>>>>>> 2015-08-19 18:07 GMT+02:00 Loïc Chanel <
>>>>>>>>>>> loic.cha...@telecomnancy.net>:
>>>>>>>>>>>
>>>>>>>>>>>> All right, but then, what is the password hive asks for ?
>>>>>>>>>>>> Hive's one ? How do I know its value ?
>>>>>>>>>>>>
>>>>>>>>>>>> Loïc CHANEL
>>>>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-08-19 17:51 GMT+02:00 Jary Du <jary...@gmail.com>:
>>>>>>>>>>>>
>>>>>>>>>>>>> For Beeline connection string, it should be "!connect
>>>>>>>>>>>>> jdbc:hive2://<host>:<port>/<db>;principal=<Server_Principal_of_HiveServer2>”.
>>>>>>>>>>>>> Please make sure it is the hive’s principal, not the user’s. And when
>>>>>>>>>>>>> you kinit, it should be kinit user’s keytab, not the hive’s keytab.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Aug 19, 2015, at 8:46 AM, Loïc Chanel <
>>>>>>>>>>>>> loic.cha...@telecomnancy.net> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yeah, I forgot to mention it, but each time I did a kinit
>>>>>>>>>>>>> user/hive before launching beeline, as I read somewhere that Beeline does
>>>>>>>>>>>>> not handle Kerberos connection.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So, as I can make klist before launching beeline and having a
>>>>>>>>>>>>> good result, the problem does not come from this. Thanks a lot for your
>>>>>>>>>>>>> response though.
>>>>>>>>>>>>> Do you have another idea ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Loïc CHANEL
>>>>>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-08-19 17:42 GMT+02:00 Jary Du <jary...@gmail.com>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> "The Beeline client must have a valid Kerberos ticket in the
>>>>>>>>>>>>>> ticket cache before attempting to connect." (
>>>>>>>>>>>>>> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.1.3/bk_dataintegration/content/ch_using-hive-clients-examples.html
>>>>>>>>>>>>>> )
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So you need kinit first to have the valid Kerberos ticket in
>>>>>>>>>>>>>> the ticket cache before using beeline to connect to HS2.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jary
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Aug 19, 2015, at 8:36 AM, Loïc Chanel <
>>>>>>>>>>>>>> loic.cha...@telecomnancy.net> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi again,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As I searched another way to make some requests with Kerberos
>>>>>>>>>>>>>> enabled for security on HiveServer, I found that this request should do the
>>>>>>>>>>>>>> same :
>>>>>>>>>>>>>> !connect jdbc:hive2://192.168.6.210:10000/default;principal=user/h...@westeros.wl org.apache.hive.jdbc.HiveDriver
>>>>>>>>>>>>>> But now I've got another error :
>>>>>>>>>>>>>> Error: Could not open client transport with JDBC Uri:
>>>>>>>>>>>>>> jdbc:hive2://192.168.6.210:10000/default;principal=user/h...@westeros.wl:
>>>>>>>>>>>>>> Peer indicated failure: GSS initiate failed (state=08S01,code=0)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As I saw that it was maybe a simple Kerberos ticket related
>>>>>>>>>>>>>> problem, I tried to re-generate Kerberos keytabs, and to ensure that Hive
>>>>>>>>>>>>>> has the path to access to its keytab, but nothing changed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Does anyone have an idea about how to solve this issue ?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks in advance for your help :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Loïc
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Loïc CHANEL
>>>>>>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-08-19 12:01 GMT+02:00 Loïc Chanel <
>>>>>>>>>>>>>> loic.cha...@telecomnancy.net>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have a little issue with HiveServer2 since I have enabled
>>>>>>>>>>>>>>> Kerberos. I'm unable to connect to the service via Beeline.
>>>>>>>>>>>>>>> When doing
>>>>>>>>>>>>>>> !connect jdbc:hive2://192.168.6.210:10000 hive hive org.apache.hive.jdbc.HiveDriver
>>>>>>>>>>>>>>> I keep receiving the same error :
>>>>>>>>>>>>>>> Error: Could not open client transport with JDBC Uri:
>>>>>>>>>>>>>>> jdbc:hive2://192.168.6.210:10000: Peer indicated failure:
>>>>>>>>>>>>>>> Unsupported mechanism type PLAIN (state=08S01,code=0)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Did anyone have the same problem ? Or know how to solve it ?
>>>>>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Loïc
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Loïc CHANEL
>>>>>>>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Swarnim
>>>>>>
>>>>
>>>> --
>>>> Swarnim
>>>>
>
> --
> Takahiko Saito
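
The three failures reported in this thread (`Unsupported mechanism type PLAIN`, `GSS initiate failed`, and the impersonation error) correspond to things that can be checked before connecting: whether the Beeline URL carries a `principal`, whether that principal is the server's rather than the user's, and the value of `hive.server2.enable.doAs`. The pre-flight check below is an added example, not part of the original thread or of Hive; the function names, finding labels and sample configuration are constructed, and it assumes the server principal is stored in `hive.server2.authentication.kerberos.principal`.

```python
import xml.etree.ElementTree as ET

# Constructed hive-site.xml fragment; sample values, not taken from the thread.
HIVE_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.authentication.kerberos.principal</name>
            <value>hive/_HOST@EXAMPLE.COM</value></property>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style config file."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def session_vars(url):
    """Extract the ;key=value session variables from a jdbc:hive2:// URL."""
    prefix = "jdbc:hive2://"
    if not url.startswith(prefix):
        raise ValueError("not a HiveServer2 JDBC URL")
    rest = url[len(prefix):]
    for sep in "?#":  # drop the hive conf (?) and hive var (#) sections
        rest = rest.split(sep, 1)[0]
    return dict(kv.partition("=")[::2] for kv in rest.split(";")[1:] if kv)

def split_principal(name):
    """'primary/instance@REALM' -> (primary, instance, realm)."""
    local, _, realm = name.partition("@")
    primary, _, instance = local.partition("/")
    return primary, instance, realm

def preflight(url, props):
    """Return a list of findings for one Beeline URL against one server config."""
    findings = []
    if props.get("hive.server2.authentication", "NONE").upper() == "KERBEROS":
        principal = session_vars(url).get("principal")
        if not principal:
            findings.append("missing-principal")
        else:
            want = split_principal(
                props.get("hive.server2.authentication.kerberos.principal", ""))
            got = split_principal(principal)
            # _HOST in the server config stands for the server's own hostname.
            host_ok = want[1] == "_HOST" or got[1] == want[1]
            if (got[0], got[2]) != (want[0], want[2]) or not host_ok:
                findings.append("not-server-principal")
    # Reported for review because the reply in the thread says to check it.
    if props.get("hive.server2.enable.doAs", "true").lower() != "true":
        findings.append("doAs-false")
    return findings
```
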