Hi Wenxing, We recently had the same GSS Tgt issue when we moved to a Kerberized cluster. The solution that worked for us was "Create a file to define Java krb5login and name it as jaas.conf or jaas.java". Jaas authentication makes Java applications independent of underlying authentication technology.
Please refer the below link from Oracle (or search for "How to add jaas configuration" in Google to see the 1st link in case the below link does not work) for your application. http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html Thanks, Shakti Singh Shekhawat On Wed, Jul 26, 2017 at 10:42 PM wenxing zheng <wenxing.zh...@gmail.com> wrote: > Dear all, > > We have a Hive in 2.1.1 and a web application running against the Hive > server. Before enabling the Kerberos, everything is OK. But after enabling > the Kerberos, it always failed to do the authentication. > > - web application runs with: Jetty, hive client version: 1.2.1 and JDK > 1.7 > - Hive runs with JDK 1.8 > - but both JDKs are running with JCE jars. > > > Followings are the errors: > >> >> 2017-07-27 10:29:16,622 INFO hive.metastore:Trying to connect to >> metastore with URI thrift://hdp-cli-01.dataservice.net:9083 >> 2017-07-27 10:29:16,793 WARN >> org.apache.hadoop.util.NativeCodeLoader:Unable to load native-hadoop >> library for your platform... using builtin-java classes where applicable >> 2017-07-27 10:29:16,873 ERROR >> org.apache.thrift.transport.TSaslTransport:SASL negotiation failure >> javax.security.sasl.SaslException: GSS initiate failed [Caused by >> GSSException: No valid credentials provided (Mechanism level: Failed to >> find any Kerberos tgt)] >> at >> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212) >> at >> org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94) >> at >> org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271) >> at >> org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37) >> at >> org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52) >> at >> org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49) >> at java.security.AccessController.doPrivileged(Native Method) >> at javax.security.auth.Subject.doAs(Subject.java:415) >> at >> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657) >> at >> org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49) >> at >> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:420) >> at >> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:236) >> at >> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:181) >> at >> com.taobao.zeus.store.CliTableManager.initClient(CliTableManager.java:60) >> at com.taobao.zeus.store.CliTableManager.<init>(CliTableManager.java:47) >> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) >> at >> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) >> at >> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >> at java.lang.reflect.Constructor.newInstance(Constructor.java:526) >> at >> org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:100) >> at >> org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:61) >> at >> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:877) >> at >> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:839) >> at >> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:440) >> at >> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) >> at java.security.AccessController.doPrivileged(Native Method) >> at >> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) >> at >> org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264) >> at >> org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) >> at >> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261) >> at >> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185) >> at >> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164) >> at >> org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:671) >> at >> org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:610) >> at >> org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:412) >> at >> org.springframework.beans.factory.annotation.InjectionMetadata.injectFields(InjectionMetadata.java:105) >> at >> org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessAfterInstantiation(AutowiredAnnotationBeanPostProcessor.java:240) >> at >> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:959) >> at >> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472) >> at >> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) >> at java.security.AccessController.doPrivileged(Native Method) >> at >> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) >> at >> org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264) >> at >> org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) >> at >> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261) >> at >> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185) >> at >> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164) >> at >> org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429) >> at >> org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728) >> at >> org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380) >> at >> org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255) >> at >> org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199) >> at >> org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45) >> at >> org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:800) >> at >> org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:444) >> at >> org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:791) >> at >> org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:294) >> at >> org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1349) >> at >> org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1342) >> at >> org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:741) >> at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:505) >> at >> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) >> at >> org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:41) >> at >> org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:186) >> at >> org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:498) >> at >> org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:146) >> at >> org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:180) >> at >> org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded(WebAppProvider.java:440) >> at >> org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:64) >> at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:609) >> at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:528) >> at org.eclipse.jetty.util.Scanner.scan(Scanner.java:391) >> at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:313) >> at >> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) >> at >> org.eclipse.jetty.deploy.providers.ScanningAppProvider.doStart(ScanningAppProvider.java:150) >> at >> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) >> at >> org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(DeploymentManager.java:560) >> at >> org.eclipse.jetty.deploy.DeploymentManager.doStart(DeploymentManager.java:235) >> at >> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) >> at >> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) >> at org.eclipse.jetty.server.Server.start(Server.java:387) >> at >> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114) >> at >> org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61) >> at org.eclipse.jetty.server.Server.doStart(Server.java:354) >> at >> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) >> at >> org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1255) >> at java.security.AccessController.doPrivileged(Native Method) >> at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1174) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:606) >> at org.eclipse.jetty.start.Main.invokeMain(Main.java:321) >> at org.eclipse.jetty.start.Main.start(Main.java:817) >> at org.eclipse.jetty.start.Main.main(Main.java:112) >> Caused by: GSSException: No valid credentials provided (Mechanism level: >> Failed to find any Kerberos tgt) >> at >> sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147) >> at >> sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121) >> at >> sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187) >> at >> sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223) >> at >> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212) >> at >> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) >> at >> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193) >> ... 94 more > > > Appreciated for your advice. > Kind Regards, Wenxing >
