• Hive: accessing Kerberos-enabled Hive from the command line on CDH


    1. Access as the hive user

    Switch to the hive user:

    [root@slave conf]# su - hive
    上一次登录:五 4月 12 13:59:19 CST 2019pts/1 上
    [hive@slave ~]$
    

    Typing hive at the command line enters the Hive shell directly:

    [hive@slave ~]$ hive
    log4j:WARN No such property [maxFileSize] in org.apache.log4j.DailyRollingFileAppender.
    
    Logging initialized using configuration in file:/etc/hive/2.6.5.0-292/0/hive-log4j.properties
    hive>
    

    2. Access as another user

    A user who has not been authorized runs into the following error when accessing Hive:

    java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "kjss1.example.com/172.26.69.237"; destination host is: "kjss2.example.com":8020; 
        at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:782)
        at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1556)
        at org.apache.hadoop.ipc.Client.call(Client.java:1496)
        at org.apache.hadoop.ipc.Client.call(Client.java:1396)
        at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:233)
        at com.sun.proxy.$Proxy8.getGroupsForUser(Unknown Source)
        at org.apache.hadoop.tools.protocolPB.GetUserMappingsProtocolClientSideTranslatorPB.getGroupsForUser(GetUserMappingsProtocolClientSideTranslatorPB.java:57)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:278)
        at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:194)
        at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:176)
        at com.sun.proxy.$Proxy9.getGroupsForUser(Unknown Source)
        at org.apache.hadoop.tools.GetGroupsBase.run(GetGroupsBase.java:71)
        at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
        at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:90)
        at org.apache.hadoop.hdfs.tools.GetGroups.main(GetGroups.java:96)
    Caused by: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
        at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:720)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
        at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:683)
        at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:770)
        at org.apache.hadoop.ipc.Client$Connection.access$3200(Client.java:397)
        at org.apache.hadoop.ipc.Client.getConnection(Client.java:1618)
        at org.apache.hadoop.ipc.Client.call(Client.java:1449)
        ... 16 more
    Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
        at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
        at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:595)
        at org.apache.hadoop.ipc.Client$Connection.access$2000(Client.java:397)
        at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:762)
        at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:758)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
        at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:757)
        ... 19 more
    Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
        ... 28 more
    

    Check whether the user has a Kerberos credential:

    [root@slave conf]# su - nifi
    上一次登录:三 4月  3 17:32:05 CST 2019pts/0 上
    [nifi@slave ~]$ klist
    klist: No credentials cache found (filename: /tmp/krb5cc_996)
    [nifi@slave ~]$
    

    If no valid credential is shown, run the following command. /etc/security/keytabs/hive.service.keytab is Hive's Kerberos keytab file.

    [nifi@slave ~]$ klist -kte /etc/security/keytabs/hive.service.keytab
    Keytab name: FILE:/etc/security/keytabs/hive.service.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (des3-cbc-sha1)
       1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (arcfour-hmac)
       1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (des-cbc-md5)
       1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
       1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
    [nifi@slave ~]$
    

    Once that is done, kinit can be run as this user.

    # Verify that the user can log in from the keytab file:
    [nifi@slave ~]$ kinit -kt /etc/security/keytabs/hive.service.keytab hive/slave.hdp193.com@EXAMPLE.COM
    # View the valid credentials
    [nifi@slave ~]$ klist
    Ticket cache: FILE:/tmp/krb5cc_996
    Default principal: hive/slave.hdp193.com@EXAMPLE.COM
    
    Valid starting       Expires              Service principal
    2019-04-12T14:36:32  2019-04-13T14:36:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    [nifi@slave ~]$
    

    Running hive as this user now enters the Hive command-line interface.
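
The keytab listing above contains des3-cbc-sha1, arcfour-hmac and des-cbc-md5 keys next to the AES ones. The following shell helpers are an added example, not part of the original post: `weak_keytab_entries` audits `klist -kte` output for such legacy encryption types, and `ensure_tgt` runs the page's kinit step only when the cache holds no valid ticket. The function names and the weak-enctype list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.

# Enctypes flagged as weak (this list is the example's assumption; single DES,
# 3DES and RC4 are deprecated for Kerberos by RFC 6649 and RFC 8429).
WEAK_ENCTYPES='des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac arcfour-hmac-exp'

# The keytab listing shown on the page, embedded so the example runs offline.
SAMPLE_KLIST=$(cat <<'EOF'
Keytab name: FILE:/etc/security/keytabs/hive.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (des3-cbc-sha1)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (arcfour-hmac)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (des-cbc-md5)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
)

# weak_keytab_entries: read `klist -kte` output on stdin and print
# "principal enctype" for every key whose enctype is in WEAK_ENCTYPES.
weak_keytab_entries() {
  awk -v weak="$WEAK_ENCTYPES" '
    BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    # Data rows: KVNO, timestamp (one or two fields), principal, (enctype).
    $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
      enc = substr($NF, 2, length($NF) - 2)
      # Newer MIT krb5 releases print deprecated names as DEPRECATED:<name>.
      sub(/^DEPRECATED:/, "", enc)
      if (enc in bad) print $(NF - 1), enc
    }'
}

# ensure_tgt KEYTAB PRINCIPAL: request a TGT from the keytab only when the
# current cache has no valid ticket (`klist -s` exits non-zero in that case).
ensure_tgt() {
  klist -s 2>/dev/null && return 0
  kinit -kt "$1" "$2"
}

# Demo on the embedded listing. On a live host:
#   klist -kte /etc/security/keytabs/hive.service.keytab | weak_keytab_entries
printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_entries
```

Any account that can read hive.service.keytab can authenticate as hive/slave.hdp193.com@EXAMPLE.COM, exactly as the nifi user does above, so the file's read permissions decide who holds the Hive service identity.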

  • Original article: https://blog.csdn.net/qq_37279783/article/details/133351502