oozie-hive beeline无法与kerberos一起使用
[英]oozie-hive beeline not working with kerberos
问题描述
We have recently migrated from our old HDP cluster(without kerberos) to new HDP cluster(having kerberos). 
我们最近已从旧的HDP集群(无kerberos)迁移到新的HDP集群(有kerberos)。 We are facing some authentication issues while running our ozzie jobs on new clutser. 在新的clutser上运行ozzie作业时,我们面临一些身份验证问题。 Please refer to workflow.xml below. 请参考下面的workflow.xml。 The first action 'hive-101' works fine, however the second action hive-102 fails. 第一个动作“ hive-101”工作正常,但是第二个动作“ hive-102”失败。
<credentials>
<credential name="hs2-creds" type="hive2">
<property>
<name>hive2.server.principal</name>
<value>${jdbcPrincipal}</value>
</property>
<property>
<name>hive2.jdbc.url</name>
<value>${jdbcURL}</value>
</property>
</credential>
</credentials>
<start to="hive-101"/>
<action name="hive-101" cred="hs2-creds">
<hive2 xmlns="uri:oozie:hive2-action:0.2">
<jdbc-url>${jdbcURL}</jdbc-url>
<password>${hivepassword}</password>
<query>SELECT count(*) FROM table1;</query>
</hive2>
<ok to="hive-102"/>
<error to="fail"/>
</action>
<action name="hive-102" retry-max="${maxretry}" retry-interval="${retryinterval}">
<shell xmlns="uri:oozie:shell-action:0.3">
<exec>beeline</exec>
<argument>jdbc:hive2://zk01.abc.com:2181,zk02.abc.com:2181,zk03.abc.com:2181/${hivedatabase};principal=hive/_HOST@ABC.COM;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2</argument>
<argument>--outputformat=vertical</argument>
<argument>--silent=true</argument>
<argument>-e</argument>
<argument>
SELECT max(id) as mx_id FROM ${hivedatabase}.table1;
</argument>
<capture-output/>
</shell>
<ok to="end"/>
<error to="fail"/>
</action>
Below are the error details 下面是错误的详细信息
ERROR transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211) ~[?:1.8.0_212]
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147) ~[?:1.8.0_212]
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) ~[?:1.8.0_212]
WARN jdbc.HiveConnection: Failed to connect to nn02.abc.com:10000
WARN jdbc.HiveConnection: Could not open client transport with JDBC Uri: jdbc:hive2://nn02.abc.com:10000/db_test;principal=hive/_HOST@ABC.COM;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2: GSS initiate failed Retrying 0 of 1
ERROR transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211) ~[?:1.8.0_212]
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147) ~[?:1.8.0_212]
1 个解决方案
解决方案1
0 2019-08-09 18:12:58
The shell action will run on an arbitrary data node as the Unix user who started the Oozie workflow. shell操作将以启动Oozie工作流程的Unix用户的身份在任意数据节点上运行。 That user who tries to run the shell command won't be automatically authenticated with Kerberos. 尝试运行shell命令的用户不会自动通过Kerberos进行身份验证。
I believe you will have to place a Kerberos keytab for the user on each data node. 我相信您必须在每个数据节点上为用户放置一个Kerberos密钥表。 Then your Oozie shell action will need to run a script that runs a kinit using the keytab and then runs the beeline command. 然后,您的Oozie shell操作将需要运行一个脚本,该脚本使用keytab运行kinit,然后运行beeline命令。
From Apache Oozie by Mohammad Kamrul Islam and Aravind Srinivasan 来自Mohammad Kamrul Islam和Aravind Srinivasan的Apache Oozie
On a nonsecure Hadoop cluster, the shell command will execute as the Unix user who runs the TaskTracker (Hadoop 1) or the YARN container (Hadoop 2).
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.