some problems to access to hiveserver2 without kinit #190

Open
nice-journey opened this issue Jun 4, 2022 · 2 comments
Comments

nice-journey commented Jun 4, 2022

Hi beltran,
Recently I have wanted to operate CDH hiveserver2, which requires Kerberos authentication.

With the help of the kinit command, I can connect to hiveserver2 using gohive successfully.

However, I want to communicate with hs2 entirely in code without running kinit, so I spent a lot of time learning about Kerberos and the gokrb5 repo, https://github.com/jcmturner/gokrb5.

The following is my code example:
https://gist.github.com/nice-journey/40148566b92e894a16cb28aa682a2740

The main idea of the code above consists of three standard krb auth steps:

  • access the AS server of the KDC
  • access the TGS server of the KDC
  • access the hs2 server using the token from the TGS response.

But hs2 throws the following error log:
2022-06-04 01:07:16,919 DEBUG org.apache.thrift.transport.TSaslServerTransport: [HiveServer2-Handler-Pool: Thread-43]: transport map does not contain key
2022-06-04 01:07:16,919 DEBUG org.apache.thrift.transport.TSaslTransport: [HiveServer2-Handler-Pool: Thread-43]: opening transport org.apache.thrift.transport.TSaslServerTransport@5839534b
2022-06-04 01:07:16,923 DEBUG org.apache.thrift.transport.TSaslTransport: [HiveServer2-Handler-Pool: Thread-43]: SERVER: Writing message with status ERROR and payload length 17
2022-06-04 01:07:16,923 DEBUG org.apache.thrift.transport.TSaslServerTransport: [HiveServer2-Handler-Pool: Thread-43]: failed to open server transport
org.apache.thrift.transport.TTransportException: Invalid status 96
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:184)
    at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
    at ...............

The error log indicates that the header of the message is not correct.

After some research I found that hs2 authentication is not fully krb mode; it is gssapi mode. krb is just one implementation of the GSS API, so hs2 throws a wrong-header error.

I also found that the krb server does not output any log when I use gohive to operate hive. Does that prove that the auth process of hive has nothing to do with the Kerberos server? So is my attempt in the gist code maybe totally wrong?

Could you give some advice on communicating with hs2 without kinit, entirely in code, similar to the UserGroupInformation package of Java? It reads the keytab file and krb config to communicate with the hs2 server, and it does not need kinit to be run beforehand.

Sorry I'm only skilled in cpp/go/python and not skilled in java.

Thanks!
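Added example, not code from the gist or from gohive: Thrift's SASL transport expects each negotiation message to start with a 1-byte status and a 4-byte big-endian payload length, and 96 is 0x60, the tag byte that begins a GSS-API initial context token. Assuming the server read an unframed token (an assumption, the gist is not shown here), this sketch reproduces the logged rejection and then the framed START/OK sequence; the token bytes are constructed and `frame`/`readFrame` are hypothetical helper names.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Negotiation status bytes of Thrift's TSaslTransport (BAD=3, ERROR=4 not used here).
const statusStart, statusOK, statusComplete byte = 1, 2, 5

// frame wraps a payload in a Thrift SASL negotiation message:
// 1 status byte, 4-byte big-endian payload length, then the payload.
func frame(status byte, payload []byte) []byte {
	hdr := make([]byte, 5, 5+len(payload))
	hdr[0] = status
	binary.BigEndian.PutUint32(hdr[1:], uint32(len(payload)))
	return append(hdr, payload...)
}

// readFrame parses one message the way the receiving side does and rejects
// an unknown status byte with the text seen in the HiveServer2 log.
func readFrame(r io.Reader) (byte, []byte, error) {
	var hdr [5]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return 0, nil, err
	}
	if hdr[0] < statusStart || hdr[0] > statusComplete {
		return 0, nil, fmt.Errorf("Invalid status %d", hdr[0])
	}
	payload := make([]byte, binary.BigEndian.Uint32(hdr[1:]))
	_, err := io.ReadFull(r, payload)
	return hdr[0], payload, err
}

func main() {
	// Constructed stand-in for the start of a GSS-API token (first byte 0x60).
	token := []byte{0x60, 0x82, 0x02, 0x10, 0x06, 0x09, 0x2a, 0x86, 0x48}

	// Unframed: the first token byte is read as the status byte.
	_, _, err := readFrame(bytes.NewReader(token))
	fmt.Println("raw token:", err)

	// Framed: START carries the mechanism name, OK carries the token.
	wire := append(frame(statusStart, []byte("GSSAPI")), frame(statusOK, token)...)
	r := bytes.NewReader(wire)
	s1, mech, _ := readFrame(r)
	s2, tok, _ := readFrame(r)
	fmt.Println(s1, string(mech), s2, len(tok))
}
```

The rejection text is 17 bytes long, which matches the "payload length 17" of the ERROR message in the log above.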

@nice-journey
Author

Sorry, I have another point of confusion.
We need to run kinit first and then run the gohive code. I know that the krb cache will be created after the kinit command. What's the relationship between the krb cache, gssapi and gohive?
Does the underlying cgo gssapi library read the krb cache to negotiate with the hs2 server?

@meoww-bot

Hello, have you worked out a solution to access HS2 using jcmturner/gokrb5?
