2017-08-08

I have access to a remote HDFS cluster with Kerberos enabled. I can connect to Hive with beeline, but not from Java. Error: Could not open client transport with JDBC Uri: GSS initiate failed

beeline -u "jdbc:hive2://host:port/arstel;principal=principal" 

The connection succeeds.

But when I write a Java application and use the same JDBC URI, I get

ERROR transport.TSaslTransport: SASL negotiation failure 
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) 
jdbc.HiveConnection: Could not open client transport with JDBC Uri: jdbc:hive2://host:port/arstel;principal=principal 
Exception in thread "main" java.sql.SQLException: Could not open client transport with JDBC Uri: jdbc:hive2://host:port/arstel;principal=principal: GSS initiate failed 
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed 

My application

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;

public class RecordController {
    private static String driverName = "org.apache.hive.jdbc.HiveDriver";

    public static void main(String[] args) throws SQLException, ClassNotFoundException {
        Class.forName(driverName);
        // No Kerberos login happens in this JVM before the connection is opened
        Connection con = DriverManager
            .getConnection("jdbc:hive2://host:port/arstel;principal=principal");
        Statement stmt = con.createStatement();
        String tableName = "evkuzmin_testHiveDriverTable";
        stmt.execute("drop table if exists " + tableName);
        stmt.execute("create table " + tableName + " (key int, value string)");
    }
}

Why does this happen, and how can I fix it?

I also tried this. Same result.

getConnection("jdbc:hive2://host:port/arstel;principal=principal;" + 
             "auth=kerberos;" + 
             "kerberosAuthType=fromSubject"); 

Edit

I didn't have a keytab. After reading Stack Overflow and here, I created one. Then I added properties to my Java file, like this

Class.forName(driverName); 
System.setProperty("java.security.auth.login.config","gss-jaas.conf"); 
System.setProperty("sun.security.jgss.debug","true"); 
System.setProperty("javax.security.auth.useSubjectCredsOnly","false"); 
System.setProperty("java.security.krb5.conf","krb5.conf"); 

Then I added to resources

gss-jaas.conf

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=false
    principal="hive/[email protected]"
    doNotPrompt=true
    keyTab="EvKuzmin.keytab"
    debug=true;
};

and krb5.conf

[libdefaults] 
renew_lifetime = 7d 
forwardable = true 
default_realm = DOMAIN 
ticket_lifetime = 24h 
dns_lookup_realm = false 
dns_lookup_kdc = false 

[realms] 
DOMAIN = { 
    admin_server = ms-dcs.DOMAIN 
    kdc = ms-dcs.DOMAIN 
} 

[domain_realm] 
.DOMAIN = DOMAIN 
DOMAIN = DOMAIN 

Then the error changed

java.sql.SQLException: Could not create secure connection to jdbc:hive2://host:port/arstel;principal=hive/principal;auth=kerberos;kerberosAuthType=fromSubject: Failed to open client transport 
Caused by: javax.security.sasl.SaslException: Failed to open client transport [Caused by java.io.IOException: Could not instantiate SASL transport] 
Caused by: java.io.IOException: Could not instantiate SASL transport 
Caused by: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: Cannot locate default realm)] 
Caused by: GSSException: Invalid name provided (Mechanism level: Cannot locate default realm) 

ALSO

There is already a keytab here

Keytab name: FILE:/etc/krb5.keytab 

But I don't know what its realm is or how to use it, and I don't have access to that folder.

EDIT2 2017-08-09

Tried doing it through UserGroupInformation. Got an error

Exception in thread "main" java.lang.IllegalArgumentException: Invalid attribute value for hadoop.security.authentication of Kerberos 
     at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:200) 
     at org.apache.hadoop.security.UserGroupInformation.setConfiguration(UserGroupInformation.java:227) 
     at com.hive.connect.controller.RecordController.main(RecordController.java:20) 

EDIT3 2017-08-10 Using UserGroupInformation

import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

public class RecordController {
    private static String driverName = "org.apache.hive.jdbc.HiveDriver";

    public static void main(String[] args) throws SQLException, ClassNotFoundException, IOException {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // Log in from the keytab before opening the JDBC connection
        UserGroupInformation.loginUserFromKeytab("hive/principal", "EvKuzmin.keytab");
        Class.forName("org.apache.hive.jdbc.HiveDriver");
        Connection con = DriverManager
            .getConnection("jdbc:hive2://host:port/arstel;" +
                "principal=hive/principal;" +
                "tez.queue.name=adhoc;" +
                "hive.execution.engine=tez;" +
                "mapreduce.job.reduces=1;");
    }
}

Error

java.io.IOException: Login failure for hive/principal from keytab EvKuzmin.keytab 
    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:695) 
    at com.hive.connect.controller.RecordController.main(RecordController.java:22) 
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user 

Did you create a keytab? In which configuration file did you specify it? –

Use the `UserGroupInformation` class to log in with a keytab. – philantrovert

@T I updated my post. – Evgenii

Answer

In the end, I changed my krb5.conf to look like this

[libdefaults] 
renew_lifetime = 7d 
forwardable = true 
default_realm = DOMAIN 
ticket_lifetime = 24h 
dns_lookup_realm = false 
dns_lookup_kdc = false 

[realms] 
DOMAIN = { 
    admin_server = ms-dcs.DOMAIN 
    kdc = ms-dcs.DOMAIN 
} 

[domain_realm] 
.DOMAIN = DOMAIN 
DOMAIN = DOMAIN 

My Java code

import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class RecordController {
    private static String driverName = "org.apache.hive.jdbc.HiveDriver";

    public static void main(String[] args) throws SQLException, ClassNotFoundException, IOException {
        Class.forName(driverName);
        // Let JGSS obtain credentials outside the current Subject
        System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
        System.setProperty("java.security.krb5.conf","krb5.conf");

        Connection con = DriverManager
            .getConnection("jdbc:hive2://host:port/arstel;" +
                "principal=hive/[email protected];" +
                "auth=kerberos;" +
                "kerberosAuthType=fromSubject");
    }
}

Edit

When I launch it on the cluster I don't need to enter a login and password, but on my local Windows machine I do.
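
An added example (not code from the question or the answer): with `kerberosAuthType=fromSubject` the Hive driver takes the Kerberos credentials from the Subject of the calling context, so this example does the keytab login through an in-memory JAAS entry and opens the connection inside `Subject.doAs`. The class name and the client principal `user@DOMAIN` are placeholders assumed here; host, port, service principal and keytab name are the post's own placeholders, and the APIs are those of the Java 8 era the post uses.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class KeytabHiveConnect {
    // Assumed placeholder: must be the client principal whose key is stored in the keytab.
    static final String CLIENT_PRINCIPAL = "user@DOMAIN";
    static final String KEYTAB = "EvKuzmin.keytab";
    static final String URL = "jdbc:hive2://host:port/arstel;principal=hive/principal;"
            + "auth=kerberos;kerberosAuthType=fromSubject";

    // In-memory JAAS entry, so no gss-jaas.conf file or system property is needed.
    static Configuration keytabLogin(String principal, String keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");   // fail instead of asking for a password
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        Class.forName("org.apache.hive.jdbc.HiveDriver");
        LoginContext lc = new LoginContext("hive-client", null, null, keytabLogin(CLIENT_PRINCIPAL, KEYTAB));
        lc.login();   // throws LoginException if the keytab login fails
        // Connect inside doAs so the driver finds the logged-in Subject in the calling context.
        try (Connection con = Subject.doAs(lc.getSubject(),
                (PrivilegedExceptionAction<Connection>) () -> DriverManager.getConnection(URL))) {
            System.out.println("Connected as " + lc.getSubject().getPrincipals());
        } finally {
            lc.logout();
        }
    }
}
```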
