0
我對啓用了kerberos的遠程hdfs集羣具有訪問權限。當我嘗試使用直線連接時可以通過直線連接到配置單元,但不能連接到java。錯誤無法使用JDBC打開客戶端傳輸Uri GSS啓動失敗
beeline -u "jdbc:hive2://host:port/arstel;principal=principal"
連接成功。
但是,當我寫一個Java應用程序,並使用相同的JDBC開放的,我得到
ERROR transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
jdbc.HiveConnection: Could not open client transport with JDBC Uri: jdbc:hive2://host:port/arstel;principal=principal
Exception in thread "main" java.sql.SQLException: Could not open client transport with JDBC Uri: jdbc:hive2://host:port/arstel;principal=principal: GSS initiate failed
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
我的應用程序
public class RecordController {
private static String driverName = "org.apache.hive.jdbc.HiveDriver";
public static void main(String[] args) throws SQLException, ClassNotFoundException {
Class.forName(driverName);
Connection con = DriverManager
.getConnection("jdbc:hive2://host:port/arstel;principal=principal");
Statement stmt = con.createStatement();
String tableName = "evkuzmin_testHiveDriverTable";
stmt.execute("drop table if exists " + tableName);
stmt.execute("create table " + tableName + " (key int, value string)");
}
}
爲什麼會發生這種情況,我怎麼能解決呢?
我也試過這個。同樣的結果。
getConnection("jdbc:hive2://host:port/arstel;principal=principal;" +
"auth=kerberos;" +
"kerberosAuthType=fromSubject");
編輯
我沒有密鑰表。在閱讀了堆棧和here後,我創建了一個指令。然後,我添加屬性,以我的Java文件,這樣
Class.forName(driverName);
System.setProperty("java.security.auth.login.config","gss-jaas.conf");
System.setProperty("sun.security.jgss.debug","true");
System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
System.setProperty("java.security.krb5.conf","krb5.conf");
後,我加入到resources
GSS-的Jaas.conf
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule=required
useKeyTab=true
useTicketCache=false
principal="hive/[email protected]"
doNotPrompt=true
keyTab="EvKuzmin.keytab"
debug=true;
}
和krb5.conf的
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = DOMAIN
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN = {
admin_server = ms-dcs.DOMAIN
kdc = ms-dcs.DOMAIN
}
[domain_realm]
.DOMAIN = DOMAIN
DOMAIN = DOMAIN
然後錯誤改變了
java.sql.SQLException: Could not create secure connection to jdbc:hive2://host:port/arstel;principal=hive/principal;auth=kerberos;kerberosAuthType=fromSubject: Failed to open client transport
Caused by: javax.security.sasl.SaslException: Failed to open client transport [Caused by java.io.IOException: Could not instantiate SASL transport]
Caused by: java.io.IOException: Could not instantiate SASL transport
Caused by: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: Cannot locate default realm)]
Caused by: GSSException: Invalid name provided (Mechanism level: Cannot locate default realm)
ALSO
有alrady這裏密鑰表
Keytab name: FILE:/etc/krb5.keytab
但我不知道什麼是它的領域或如何使用它+我沒有訪問該文件夾。
EDIT2 2017-08-09
嘗試通過UserGroupInformation進行操作。遇到錯誤
Exception in thread "main" java.lang.IllegalArgumentException: Invalid attribute value for hadoop.security.authentication of Kerberos
at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:200)
at org.apache.hadoop.security.UserGroupInformation.setConfiguration(UserGroupInformation.java:227)
at com.hive.connect.controller.RecordController.main(RecordController.java:20)
EDIT3 2017年8月10日 使用用戶組
public class RecordController {
private static String driverName = "org.apache.hive.jdbc.HiveDriver";
public static void main(String[] args) throws SQLException, ClassNotFoundException, IOException {
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab("hive/principal", "EvKuzmin.keytab");
Class.forName("org.apache.hive.jdbc.HiveDriver");
Connection con = DriverManager
.getConnection("jdbc:hive2://host:port/arstel;" +
"principal=hive/principal;" +
"tez.queue.name=adhoc;" +
"hive.execution.engine=tez;" +
"mapreduce.job.reduces=1;");
錯誤
java.io.IOException: Login failure for hive/principal from keytab EvKuzmin.keytab
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:695)
at com.hive.connect.controller.RecordController.main(RecordController.java:22)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
您是否創建了一個keytab?你在什麼配置文件中指定它? –
使用'UserGroupInformation'類使用keytab登錄。 – philantrovert
@T更新了我的文章。 – Evgenii