Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SUPPORT] 希望连接hdfs和hive等组件支持kerberos认证 #127

Closed
YuangZhang opened this issue May 31, 2022 · 2 comments
Closed

[SUPPORT] 希望连接hdfs和hive等组件支持kerberos认证 #127

YuangZhang opened this issue May 31, 2022 · 2 comments
Labels
3.8.0 enhancement New feature or request
Milestone
v3.8.0

Comments

@YuangZhang
Copy link

YuangZhang commented May 31, 2022
edited by baisui1981
Loading

相关同学 @奋斗, 场景: oracle-> hive(3.1.1)
@baisui1981
Copy link
Member

baisui1981 commented May 31, 2022
edited
Loading

当服务端开启kerberos认证之后,客户端如果没有提交kerberos认证需要的相关信息,会报以下错误

Caused by: java.lang.RuntimeException: link faild:hdfs:https://xxxxx:8020/
at com.qlangtech.tis.hdfs.impl.HdfsFileSystemFactory$HdfsUtils.getFileSystem(HdfsFileSystemFactory.java:231)
at com.qlangtech.tis.hdfs.impl.HdfsFileSystemFactory.getFileSystem(HdfsFileSystemFactory.java:93)
at com.qlangtech.tis.plugin.datax.hudi.DataXHudiWriter.getFileSystem(DataXHudiWriter.java:95)
at com.qlangtech.tis.plugins.incr.flink.connector.hudi.streamscript.StreamAPIStyleFlinkStreamScriptCreator$HudiStreamTemplateData.createStreamerConfig(StreamAPIStyleFlinkStreamScriptCreator.java:99)
at com.qlangtech.tis.plugins.incr.flink.connector.hudi.streamscript.StreamAPIStyleFlinkStreamScriptCreator$HudiStreamTemplateData.getFlinkStreamerConfig(StreamAPIStyleFlinkStreamScriptCreator.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:571)
at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:554)
at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:221)
... 203 more
Caused by: java.lang.RuntimeException: path:/
at com.qlangtech.tis.hdfs.impl.HdfsFileSystemFactory$HdfsUtils$1.listStatus(HdfsFileSystemFactory.java:215)
at com.qlangtech.tis.hdfs.impl.HdfsFileSystemFactory$HdfsUtils.getFileSystem(HdfsFileSystemFactory.java:225)
... 214 more
Caused by: org.apache.hadoop.security.AccessControlException: SIMPLE authentication is not enabled.  Available:[TOKEN, KERBEROS]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:106)
at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:73)
at org.apache.hadoop.hdfs.DFSClient.listPaths(DFSClient.java:2088)
at org.apache.hadoop.hdfs.DFSClient.listPaths(DFSClient.java:2069)
at org.apache.hadoop.hdfs.DistributedFileSystem.listStatusInternal(DistributedFileSystem.java:791)
at org.apache.hadoop.hdfs.DistributedFileSystem.access$700(DistributedFileSystem.java:106)
at org.apache.hadoop.hdfs.DistributedFileSystem$18.doCall(DistributedFileSystem.java:853)

参照:https://github.com/alibaba/DataX/blob/6c3fb66711bb606c6f5ca7d59ee5e5b705def6ec/hdfswriter/src/main/java/com/alibaba/datax/plugin/writer/hdfswriter/HdfsHelper.java#L92

@baisui1981 baisui1981 added enhancement New feature or request 3.8.0 labels May 31, 2022
@baisui1981 baisui1981 added 3.7.1 and removed 3.8.0 labels Nov 1, 2022
@baisui1981 baisui1981 added 3.8.0 and removed 3.7.1 labels Mar 29, 2023
@baisui1981 baisui1981 added this to the v3.8.0 milestone Apr 13, 2023
@baisui1981
Copy link
Member

baisui1981 commented Jul 18, 2023
edited
Loading

hive 启动发现 10000端口没有打开,查看 hive.log 发现以下异常信息

2023-07-17T11:12:09,975  INFO [main] thrift.TokenStoreDelegationTokenSecretManager: New master key with key id=0
2023-07-17T11:12:09,976  INFO [Thread[Thread-7,5,main]] thrift.TokenStoreDelegationTokenSecretManager: Starting expired delegation token remover thread, tokenRemoverScanInterval=60 min(s)
2023-07-17T11:12:09,977  INFO [Thread[Thread-7,5,main]] delegation.AbstractDelegationTokenSecretManager: Updating the current master key for generating delegation tokens
2023-07-17T11:12:09,977  INFO [Thread[Thread-7,5,main]] thrift.TokenStoreDelegationTokenSecretManager: New master key with key id=1
2023-07-17T11:12:09,979 ERROR [main] metastore.HiveMetaStore: org.apache.thrift.transport.TTransportException: Kerberos principal should have 3 parts: hadoop
        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createSaslServerTransportFactory(HadoopThriftAuthBridge.java:364)
        >>> 奇怪这里明明在调用hiveMetaStore 却调用到hadoop上的api上去了        
        --->at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createTransportFactory(HadoopThriftAuthBridge.java:347)
        --->at org.apache.hadoop.hive.metastore.HiveMetaStore.startMetaStore(HiveMetaStore.java:7165)
        at org.apache.hadoop.hive.metastore.HiveMetaStore.main(HiveMetaStore.java:7076)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.hadoop.util.RunJar.run(RunJar.java:234)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:148)

2023-07-17T11:12:09,979 ERROR [main] metastore.HiveMetaStore: Metastore Thrift Server threw an exception...
org.apache.thrift.transport.TTransportException: Kerberos principal should have 3 parts: hadoop
        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createSaslServerTransportFactory(HadoopThriftAuthBridge.java:364) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createTransportFactory(HadoopThriftAuthBridge.java:347) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.HiveMetaStore.startMetaStore(HiveMetaStore.java:7165) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.HiveMetaStore.main(HiveMetaStore.java:7076) [hive-exec-2.3.7.jar:2.3.7]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_191]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_191]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_191]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_191]
        at org.apache.hadoop.util.RunJar.run(RunJar.java:234) [hadoop-common-2.8.4.jar:?]
        at org.apache.hadoop.util.RunJar.main(RunJar.java:148) [hadoop-common-2.8.4.jar:?]
2023-07-17T11:12:10,096  INFO [pool-2-thread-1] metastore.HiveMetaStore: Shutting down hive metastore.
2023-07-17T11:12:10,096  INFO [pool-2-thread-1] metastore.HiveMetaStore: SHUTDOWN_MSG:
/************************************************************
SHUTDOWN_MSG: Shutting down HiveMetaStore at baisui-test-1/192.168.28.200

查看UserGroupinfoinformation 中 commit方法:

/opt/app/hadoop/etc/hadoop/core-site.xml 添加配置

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
<property>
   <name>hadoop.security.authorization</name>
   <value>true</value>
</property>

<property>
   <name>hadoop.security.authentication</name>
   <value>kerberos</value>
</property>
</configuration>

再次重启之后发现以下异常,

Caused by: java.io.IOException: Login failure for tis/[email protected] from keytab /opt/app/hive/conf/tis.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user

>>>>
发现 使用 YarnConfiguration.NM_PRINCIPAL
https://github.com/apache/hadoop/blob/c44823dadb73a3033f515329f70b2e3126fcb7be/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/NodeManager.java#L297C3-L300C4
protected void doSecureLogin() throws IOException {
    SecurityUtil.login(getConfig(), YarnConfiguration.NM_KEYTAB,
        YarnConfiguration.NM_PRINCIPAL);
  }
<<<<

        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1062) ~[hadoop-common-2.8.4.jar:?]
        at org.apache.hive.service.auth.HiveAuthFactory.loginFromKeytab(HiveAuthFactory.java:236) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.cli.CLIService.init(CLIService.java:89) ~[hive-service-2.3.7.jar:2.3.7]
        ... 12 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897) ~[?:1.8.0_191]
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760) ~[?:1.8.0_191]
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) ~[?:1.8.0_191]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_191]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_191]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_191]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_191]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_191]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1053) ~[hadoop-common-2.8.4.jar:?]
        at org.apache.hive.service.auth.HiveAuthFactory.loginFromKeytab(HiveAuthFactory.java:236) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.cli.CLIService.init(CLIService.java:89) ~[hive-service-2.3.7.jar:2.3.7]
        ... 12 more

通过关键词提示,找到文章:https://knowledge.informatica.com/s/article/521829?language=en_US
使用命令: kinit -V -k -t /opt/app/hive/conf/tis.keytab [email protected]

由于hadoop 启动试用非root账户启动的,需要执行 chmod 777 /opt/app/hive/conf/tis.keytab 保证账户有读权限

返回:

Using default cache: persistent:0:0
Using principal: [email protected]
Using keytab: /opt/app/hive/conf/tis.keytab
kinit: Keytab contains no suitable keys for [email protected] while getting initial credentials

说明无法从KDC中获得凭证

经过调试发现是本地 /etc/krb5.conf 配置[realms.EXAMPLE.COM]修改即可

kinit -V -k -t /opt/app/hive/conf/tis.keytab tis/[email protected]
Using default cache: persistent:0:0
Using principal: tis/[email protected]
Using keytab: /opt/app/hive/conf/tis.keytab
Authenticated to Kerberos v5

再重启之后,发现hadoop 启动日志中有以下异常:

2023-07-17 15:23:09,296 FATAL org.apache.hadoop.yarn.server.resourcemanager.ResourceManager: Error starting ResourceManager
org.apache.hadoop.yarn.exceptions.YarnRuntimeException: Failed to login
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceInit(ResourceManager.java:264)
        at org.apache.hadoop.service.AbstractService.init(AbstractService.java:163)
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.main(ResourceManager.java:1337)
Caused by: java.io.IOException: Login failure for hadoop from keytab /etc/krb5.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user

        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1062)
        at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:286)
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.doSecureLogin(ResourceManager.java:1187)
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceInit(ResourceManager.java:262)
        ... 2 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)

文件 /opt/app/hadoop/etc/hadoop/yarn-site.xml 中添加以下配置:

  <property>
    <name>yarn.nodemanager.principal</name>
    <value>tis/[email protected]</value>
  </property>

    <property>
    <name>yarn.nodemanager.keytab</name>
    <value>/opt/app/hive/conf/tis.keytab</value>
  </property>   
  

  <property>
    <name>yarn.resourcemanager.principal</name>
    <value>tis/[email protected]</value>
  </property>

    <property>
    <name>yarn.resourcemanager.keytab</name>
    <value>/opt/app/hive/conf/tis.keytab</value>
  </property>

Hive metadata 服务启动出错:

2023-07-18T13:04:06,750 ERROR [main] metastore.HiveMetaStore: org.apache.thrift.transport.TTransportException: java.io.IOException: Login failure for tis/[email protected] from keytab /opt/app/hive/conf/tis.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user

        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.<init>(HadoopThriftAuthBridge.java:327)
        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge.createServer(HadoopThriftAuthBridge.java:101)
        at org.apache.hadoop.hive.metastore.HiveMetaStore.startMetaStore(HiveMetaStore.java:7157)
        at org.apache.hadoop.hive.metastore.HiveMetaStore.main(HiveMetaStore.java:7076)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.hadoop.util.RunJar.run(RunJar.java:234)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:148)
Caused by: java.io.IOException: Login failure for tis/[email protected] from keytab /opt/app/hive/conf/tis.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user

        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1062)
        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.<init>(HadoopThriftAuthBridge.java:322)
        ... 9 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1053)
        ... 10 more

原因是:手动生成的keytab文件其owner是root,应该改成对应组件的系统用户
https://blog.csdn.net/zz_aiytag/article/details/105067703

执行chown之后再 重启,发现以下问题:

javax.security.sasl.SaslException: GSS initiate failed
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211) ~[?:1.8.0_191]
        at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49) ~[hive-exec-2.3.7.jar:2.3.7]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]
        at javax.security.auth.Subject.doAs(Subject.java:422) ~[?:1.8.0_191]
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1840) ~[hadoop-common-2.8.4.jar:?]
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:480) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:247) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient.<init>(SessionHiveMetaStoreClient.java:70) ~[hive-exec-2.3.7.jar:2.3.7]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:1.8.0_191]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:1.8.0_191]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:1.8.0_191]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_191]
        at org.apache.hadoop.hive.metastore.MetaStoreUtils.newInstance(MetaStoreUtils.java:1707) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.<init>(RetryingMetaStoreClient.java:83) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:133) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:104) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.createMetaStoreClient(Hive.java:3600) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:3652) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:3632) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.getAllFunctions(Hive.java:3894) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.reloadFunctions(Hive.java:248) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.registerAllFunctionsOnce(Hive.java:231) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.<init>(Hive.java:388) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.create(Hive.java:332) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.getInternal(Hive.java:312) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.get(Hive.java:288) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.session.SessionState.setAuthorizerV2Config(SessionState.java:917) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:881) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.session.SessionState.applyAuthorizationPolicy(SessionState.java:1687) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hive.service.cli.CLIService.applyAuthorizationConfigPolicy(CLIService.java:130) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.cli.CLIService.init(CLIService.java:114) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.CompositeService.init(CompositeService.java:59) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.server.HiveServer2.init(HiveServer2.java:142) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.server.HiveServer2.startHiveServer2(HiveServer2.java:607) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.server.HiveServer2.access$700(HiveServer2.java:100) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.server.HiveServer2$StartOptionExecutor.execute(HiveServer2.java:855) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.server.HiveServer2.main(HiveServer2.java:724) ~[hive-service-2.3.7.jar:2.3.7]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_191]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_191]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_191]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_191]
        at org.apache.hadoop.util.RunJar.run(RunJar.java:234) ~[hadoop-common-2.8.4.jar:?]
        at org.apache.hadoop.util.RunJar.main(RunJar.java:148) ~[hadoop-common-2.8.4.jar:?]
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Clock skew too great (37) - PROCESS_TGS)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770) ~[?:1.8.0_191]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) ~[?:1.8.0_191]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_191]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192) ~[?:1.8.0_191]
        ... 47 more
Caused by: sun.security.krb5.KrbException: Clock skew too great (37) - PROCESS_TGS
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73) ~[?:1.8.0_191]
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251) ~[?:1.8.0_191]
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262) ~[?:1.8.0_191]
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308) ~[?:1.8.0_191]
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126) ~[?:1.8.0_191]
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458) ~[?:1.8.0_191]
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693) ~[?:1.8.0_191]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) ~[?:1.8.0_191]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_191]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192) ~[?:1.8.0_191]
        ... 47 more
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) ~[?:1.8.0_191]
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65) ~[?:1.8.0_191]
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60) ~[?:1.8.0_191]
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55) ~[?:1.8.0_191]
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251) ~[?:1.8.0_191]
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262) ~[?:1.8.0_191]
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308) ~[?:1.8.0_191]

sun.security.krb5.KrbException: Clock skew too great (37) 具体原因是 两个服务节点时间相差太大导致的是用 date -s"" 设置时间正确就行 https://blog.csdn.net/wysghmbb/article/details/122219022

Java 客户端启动报此异常

在客户端端中已经执行了klist 是已经正常缓存了票据了

Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.8.0 enhancement New feature or request
Projects
None yet
Milestone
v3.8.0
Development

No branches or pull requests
2 participants
@baisui1981 @YuangZhang