Kerberos error while connection to cloudera impala environment

0
votes

While connection to kerberized hadoop environment error: [Simba]ImpalaJDBCDriver Unable to connect to server: [Simba]ImpalaJDBCDriver Kerberos Authentication failed.

I've installed cloudera quickstart vm in virtualbox, enabled kerberos, writing java code which connects to imapala db and getting Kerberos Authentication failed error. 

public static void main(String[] args) throws Exception {

        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "Kerberos");
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation ugi = UserGroupInformation
                .loginUserFromKeytabAndReturnUGI("hdfs/quickstart.cloudera@CLOUDERA", "hdfs.keytab");

        Class.forName("com.cloudera.impala.jdbc41.Driver");
        Connection conn = (Connection) ugi.doAs(new PrivilegedExceptionAction<Object>() {
            public Object run() {
                Connection tcon = null;
                try {
                    tcon = DriverManager.getConnection(
                            "jdbc:impala://quickstart.cloudera:21050;AuthMech=1;KrbHostFQDN=quickstart.cloudera;KrbRealm=CLOUDERA;KrbServiceName=hdfs");
                    System.out.println("Connected!");
                } catch (SQLException e) {
                    e.printStackTrace();
                }
                return tcon;
            }
        });

        Statement stmt = conn.createStatement();

        String sql = "show tables";
        System.out.println("Running: " + sql);
        ResultSet res = stmt.executeQuery(sql);
        while (res.next()) {
            System.out.println(res.getString(1));
        }
    }

I have enabled debug mode, exception which I am getting:


    ...
    Client Principal = hdfs/quickstart.cloudera@CLOUDERA
    Server Principal = hdfs/quickstart.cloudera@CLOUDERA
    Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
    0000: 8A B3 79 07 A5 06 05 9F   CE 37 84 8A 15 2E 7E B5  ..y......7......


    Forwardable Ticket true
    Forwarded Ticket false
    Proxiable Ticket false
    Proxy Ticket false
    Postdated Ticket false
    Renewable Ticket false
    Initial Ticket false
    Auth Time = Sun Jun 23 11:52:03 PDT 2019
    Start Time = Sun Jun 23 11:52:03 PDT 2019
    End Time = Mon Jun 24 11:52:03 PDT 2019
    Renew Till = null
    Client Addresses  Null 
    >>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    Krb5Context setting mySeqNumber to: 925793988
    Created InitSecContextToken:
    0000: 01 00 6E 82 02 2E 30 82   02 2A A0 03 02 01 05 A1  ..n...0..*......

    0220: 4A 3E 74 0A 67 B6 5E 16   3B B8 1D FB 91 75 53 33  J>t.g.^.;....uS3
    0230: 76 5E 40 81                                        v^@.

    java.sql.SQLException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: [Simba][ImpalaJDBCDriver](500591) Kerberos Authentication failed..
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
        at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
        at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
        at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(DriverManager.java:571)
        at java.sql.DriverManager.getConnection(DriverManager.java:233)
        at ImpalaJDBC$1.run(ImpalaJDBC.java:64)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1917)
    Caused by: com.cloudera.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: [Simba][ImpalaJDBCDriver](500591) Kerberos Authentication failed..
        ... 13 more
    Caused by: java.lang.RuntimeException: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: [Simba][ImpalaJDBCDriver](500591) Kerberos Authentication failed.
        at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
        at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
        at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
        at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(DriverManager.java:571)
        at java.sql.DriverManager.getConnection(DriverManager.java:233)
        at ImpalaJDBC$1.run(ImpalaJDBC.java:64)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1917)
        at ImpalaJDBC.main(ImpalaJDBC.java:60)
    Caused by: org.apache.thrift.transport.TTransportException
        at org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:132)
        at org.apache.thrift.transport.TTransport.readAll(TTransport.java:84)
        at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:178)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:258)
        at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
        ... 17 more
1
javahadoopkerberosclouderaimpala
What happens when you do "kinit -kt hdfs.keytab hdfs/quickstart.cloudera@CLOUDERA"? Do you get a valid ticket?facha
I think yes: [cloudera@quickstart ~]$ kinit -kt hdfs.keytab hdfs/quickstart.cloudera@CLOUDERA [cloudera@quickstart ~]$ klist Ticket cache: FILE:/tmp/krb5cc_501 Default principal: hdfs/quickstart.cloudera@CLOUDERA Valid starting Expires Service principal 06/23/19 16:09:01 06/24/19 16:09:01 krbtgt/CLOUDERA@CLOUDERA renew until 06/30/19 16:09:01Ivan Koshelia
I can see you are doing kinit inside your virtual machine. Are you running your code on the virtual machine as well? I'm asking because one would usually run it elsewhere (e.g. on the host machine inside IDE)facha
yes, I am running on virtual machine as wellIvan Koshelia
can it be the cause that i didn't enable kerberos for impala, but through jdbc driver i want to connect to impala? I just enabled kerberos on cloudera manager but not for impalaIvan Koshelia

1 Answers

0
votes

After the Impala restart, my web project encountered the same problem. Set the connection pool to release all connections when it is idle, and let the next query re apply for connection. At this time, this problem will not occur.