Thanks to Shakti. Will have a try immediately.

On Thu, Jul 27, 2017 at 11:15 AM, shakti singh Shekhawat <shaktisingh.shekhawa...@gmail.com> wrote:

> Hi Wenxing,
>
> We recently had the same GSS Tgt issue when we moved to a Kerberized
> cluster. The solution that worked for us was "Create a file to define Java
> krb5login and name it as jaas.conf or jaas.java". Jaas authentication makes
> Java applications independent of underlying authentication technology.
>
> Please refer to the below link from Oracle (or search for "How to add jaas
> configuration" in Google to see the 1st link in case the below link does
> not work) for your application.
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html
>
> Thanks,
> Shakti Singh Shekhawat
>
> On Wed, Jul 26, 2017 at 10:42 PM wenxing zheng <wenxing.zh...@gmail.com>
> wrote:
>
>> Dear all,
>>
>> We have a Hive in 2.1.1 and a web application running against the Hive
>> server. Before enabling the Kerberos, everything is OK. But after enabling
>> the Kerberos, it always failed to do the authentication.
>>
>> - web application runs with: Jetty, hive client version: 1.2.1 and JDK 1.7
>> - Hive runs with JDK 1.8
>> - but both JDKs are running with JCE jars.
>>
>> Following are the errors:
>>
>>> 2017-07-27 10:29:16,622 INFO hive.metastore:Trying to connect to metastore with URI thrift://hdp-cli-01.dataservice.net:9083
>>> 2017-07-27 10:29:16,793 WARN org.apache.hadoop.util.NativeCodeLoader:Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>> 2017-07-27 10:29:16,873 ERROR org.apache.thrift.transport.TSaslTransport:SASL negotiation failure
>>> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>>>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>>>     at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
>>>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
>>>     at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
>>>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
>>>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at javax.security.auth.Subject.doAs(Subject.java:415)
>>>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
>>>     at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
>>>     at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:420)
>>>     at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:236)
>>>     at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:181)
>>>     at com.taobao.zeus.store.CliTableManager.initClient(CliTableManager.java:60)
>>>     at com.taobao.zeus.store.CliTableManager.<init>(CliTableManager.java:47)
>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
>>>     at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:100)
>>>     at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:61)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:877)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:839)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:440)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
>>>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
>>>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:671)
>>>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:610)
>>>     at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:412)
>>>     at org.springframework.beans.factory.annotation.InjectionMetadata.injectFields(InjectionMetadata.java:105)
>>>     at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessAfterInstantiation(AutowiredAnnotationBeanPostProcessor.java:240)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:959)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
>>>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
>>>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429)
>>>     at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728)
>>>     at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380)
>>>     at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255)
>>>     at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199)
>>>     at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45)
>>>     at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:800)
>>>     at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:444)
>>>     at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:791)
>>>     at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:294)
>>>     at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1349)
>>>     at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1342)
>>>     at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:741)
>>>     at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:505)
>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>>>     at org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:41)
>>>     at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:186)
>>>     at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:498)
>>>     at org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:146)
>>>     at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:180)
>>>     at org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded(WebAppProvider.java:440)
>>>     at org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:64)
>>>     at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:609)
>>>     at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:528)
>>>     at org.eclipse.jetty.util.Scanner.scan(Scanner.java:391)
>>>     at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:313)
>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>>>     at org.eclipse.jetty.deploy.providers.ScanningAppProvider.doStart(ScanningAppProvider.java:150)
>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>>>     at org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(DeploymentManager.java:560)
>>>     at org.eclipse.jetty.deploy.DeploymentManager.doStart(DeploymentManager.java:235)
>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>>>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>>>     at org.eclipse.jetty.server.Server.start(Server.java:387)
>>>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>>>     at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
>>>     at org.eclipse.jetty.server.Server.doStart(Server.java:354)
>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>>>     at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1255)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1174)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>     at java.lang.reflect.Method.invoke(Method.java:606)
>>>     at org.eclipse.jetty.start.Main.invokeMain(Main.java:321)
>>>     at org.eclipse.jetty.start.Main.start(Main.java:817)
>>>     at org.eclipse.jetty.start.Main.main(Main.java:112)
>>> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>>>     at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
>>>     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
>>>     at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
>>>     at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
>>>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
>>>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
>>>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
>>>     ... 94 more
>>
>> Appreciate your advice.
>> Kind Regards, Wenxing
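A keytab-based form of the JAAS login file suggested in the quoted reply, as an added example that is not part of the original thread. It assumes the client JVM obtains its TGT through the JDK's default JGSS initiator entry; the function names are hypothetical, and the principal, keytab path and output path are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example: generate a keytab-based JAAS login file for a JVM Kerberos client.
# Function names are hypothetical; principal and paths come from the caller.

# Fail unless the keytab exists and grants nothing to group/other.
# A keytab holds long-term keys: anyone who can read it can authenticate
# as the principal it contains.
check_keytab_perms() {
    kt=$1
    [ -f "$kt" ] || { echo "keytab not found: $kt" >&2; return 1; }
    # Characters 5-10 of `ls -l` output are the group and other permission bits.
    go_bits=$(ls -ld "$kt" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "keytab $kt is open to group/other ($go_bits); chmod 600 it" >&2
        return 1
    fi
}

# Write the JAAS file. "com.sun.security.jgss.initiate" is the entry name the
# JDK's JGSS initiator looks up when the current Subject has no credentials.
write_jaas_conf() {
    principal=$1 keytab=$2 out=$3
    check_keytab_perms "$keytab" || return 1
    ( umask 077   # the file names the keytab location; keep it owner-only
      cat > "$out" <<EOF
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="$keytab"
    principal="$principal"
    storeKey=true
    useTicketCache=false
    doNotPrompt=true;
};
EOF
    )
}

# JVM options that make the client JVM read the generated file.
jvm_opts() {
    printf '%s %s\n' "-Djava.security.auth.login.config=$1" \
        "-Djavax.security.auth.useSubjectCredsOnly=false"
}
```

The options printed by `jvm_opts` go into the start options of the JVM that hosts the web application; the keytab should be owned by the account that JVM runs as.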