Hive: DbVisualizer error connecting to Hive using Kerberos authentication
I am trying to connect to Hive using DbVisualizer. I am following the article mentioned below. Below is my config file:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = dev.abc.com
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
dev.abc.com = {
admin_server = wplc-dc1.dev.abc.com
kdc = wplc-dc1.dev.abc.com
}
I have put the path of this config file in the DbVisualizer settings.
I am using the following URL:
jdbc:hive2://d9lcwphd1m1.dev.abc.com:2181,d9lcwphd1m2.dev.abc.com:2181,d9lcwphd1d1.dev.abc.com:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_HOST@dev.abc.com
Error:
Java.sql.SQLException: Could not open client transport for any of the Server URI's in ZooKeeper: GSS initiate failed
at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:228)
at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:166)
at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:105)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at com.onseven.dbvis.g.B.D.ᅣチ(Z:1548)
at com.onseven.dbvis.g.B.F$A.call(Z:1369)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAs(Unknown Source)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:204)
Update:
If I provide both realms in the config file, I get a parsing error.
Config:
abc.com = {
admin_server = wpcp-dc1.abc.com
kdc = wpcp-dc1.abc.com:88
kdc = wpcp-dc2.abc.com:88
}
dev.abc.com = {
admin_server = wplc-dc1.dev.abc.com
kdc = wplc-dc1.dev.abc.com
}
Error:
Long Message:
Can't get Kerberos realm
Details:
Type: java.lang.IllegalArgumentException
Stack Trace:
KrbException: Illegal config content: }
at java.security.jgss/sun.security.krb5.Config.parseStanzaTable(Unknown Source)
at java.security.jgss/sun.security.krb5.Config.<init>(Unknown Source)
at java.security.jgss/sun.security.krb5.Config.getInstance(Unknown Source)
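My 2 cents: Kerberos auth to ZK is a nightmare. If you don't believe me, read the GitBook "Hadoop and Kerberos, the Madness beyond the Gate" by Steve Loughran. Try hitting a running HS2 instance directly with the basic URL syntax; that will make Kerberos debugging way easier. If your user and the target service are not in the same Kerberos realm, then you must define both in krb5.conf; plus the rules that define how to "hop" from the user realm to the service realm (this can be implicit, i.e. going to the common ancestor realm, and that realm can be defined too!, or spelled out through [capath] entries); plus the rules that attach hostnames or (sub)networks to realms. More details on cross-realm: see >> Also, the section about "you should enable Kerberos debug traces" may help, because by default the JAAS library keeps you in the dark.
@SamsonScharfrichter Thanks for your comment, but I couldn't make sense of these two things. If I mention both realms in the config file, then I get the parse error. I have updated the question.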
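A check of a krb5.conf against the three cross-realm items listed in the comment above (both realms defined, a host-to-realm mapping, a path between the realms), as an added example that is not part of the original thread. `parse_krb5` and `cross_realm_notes` are hypothetical helpers that follow general krb5.conf syntax rather than the JDK's parser; the sample is constructed from the question's realm stanzas, and treating abc.com as the user realm is an assumption.

```python
def parse_krb5(text):  # added example helper; returns {section: {key: [values] | dict}}
    conf, stack = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            if len(stack) > 1:
                raise ValueError(f"line {n}: section header inside an open block")
            stack = [conf.setdefault(line.strip("[] "), {})]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {n}: '}}' closes nothing")
            stack.pop()
        else:
            key, sep, val = (p.strip() for p in line.partition("="))
            if not sep or not stack:
                raise ValueError(f"line {n}: not 'key = value' in a section: {raw!r}")
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(val)  # repeated keys (kdc) accumulate
    if len(stack) > 1:
        raise ValueError("unclosed block at end of file")
    return conf

def cross_realm_notes(text, user_realm, service_realm, service_host):
    """List what the file leaves to defaults for user_realm -> service_realm."""
    conf, notes = parse_krb5(text), []
    for realm in (user_realm, service_realm):
        if "kdc" not in conf.get("realms", {}).get(realm, {}):
            notes.append(f"[realms] defines no kdc for {realm}")
    # [domain_realm] lookup order: exact host name, then each parent domain as ".domain"
    labels, dr = service_host.lower().split("."), conf.get("domain_realm", {})
    keys = [service_host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    mapped = next((dr[k][-1] for k in keys if k in dr), None)
    if mapped != service_realm:
        notes.append(f"[domain_realm] gives {mapped} for {service_host}")
    if service_realm not in conf.get("capaths", {}).get(user_realm, {}):
        notes.append(f"no [capaths] path {user_realm} -> {service_realm}")
    return notes

# Constructed sample: realm stanzas from the question, placed under [realms].
SAMPLE = """[realms]
abc.com = {
kdc = wpcp-dc1.abc.com:88
}
dev.abc.com = {
kdc = wplc-dc1.dev.abc.com
}
"""
```

Calling `cross_realm_notes(SAMPLE, "abc.com", "dev.abc.com", "d9lcwphd1m1.dev.abc.com")` reports the absent `[domain_realm]` and `[capaths]` entries; these are items left to the client's defaults, not necessarily errors.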