
[SUPPORT] Request: support Kerberos authentication when connecting to components such as HDFS and Hive

Open YuangZhang opened this issue 2 years ago • 1 comments

YuangZhang avatar May 31 '22 07:05 YuangZhang

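Once Kerberos authentication is enabled on the server side, a client that does not submit the information Kerberos authentication requires gets the following error: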

Caused by: java.lang.RuntimeException: link faild:hdfs://xxxxx:8020/
at com.qlangtech.tis.hdfs.impl.HdfsFileSystemFactory$HdfsUtils.getFileSystem(HdfsFileSystemFactory.java:231)
at com.qlangtech.tis.hdfs.impl.HdfsFileSystemFactory.getFileSystem(HdfsFileSystemFactory.java:93)
at com.qlangtech.tis.plugin.datax.hudi.DataXHudiWriter.getFileSystem(DataXHudiWriter.java:95)
at com.qlangtech.tis.plugins.incr.flink.connector.hudi.streamscript.StreamAPIStyleFlinkStreamScriptCreator$HudiStreamTemplateData.createStreamerConfig(StreamAPIStyleFlinkStreamScriptCreator.java:99)
at com.qlangtech.tis.plugins.incr.flink.connector.hudi.streamscript.StreamAPIStyleFlinkStreamScriptCreator$HudiStreamTemplateData.getFlinkStreamerConfig(StreamAPIStyleFlinkStreamScriptCreator.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:571)
at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:554)
at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:221)
... 203 more
Caused by: java.lang.RuntimeException: path:/
at com.qlangtech.tis.hdfs.impl.HdfsFileSystemFactory$HdfsUtils$1.listStatus(HdfsFileSystemFactory.java:215)
at com.qlangtech.tis.hdfs.impl.HdfsFileSystemFactory$HdfsUtils.getFileSystem(HdfsFileSystemFactory.java:225)
... 214 more
Caused by: org.apache.hadoop.security.AccessControlException: SIMPLE authentication is not enabled.  Available:[TOKEN, KERBEROS]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:106)
at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:73)
at org.apache.hadoop.hdfs.DFSClient.listPaths(DFSClient.java:2088)
at org.apache.hadoop.hdfs.DFSClient.listPaths(DFSClient.java:2069)
at org.apache.hadoop.hdfs.DistributedFileSystem.listStatusInternal(DistributedFileSystem.java:791)
at org.apache.hadoop.hdfs.DistributedFileSystem.access$700(DistributedFileSystem.java:106)
at org.apache.hadoop.hdfs.DistributedFileSystem$18.doCall(DistributedFileSystem.java:853)

Reference: https://github.com/alibaba/DataX/blob/6c3fb66711bb606c6f5ca7d59ee5e5b705def6ec/hdfswriter/src/main/java/com/alibaba/datax/plugin/writer/hdfswriter/HdfsHelper.java#L92

baisui1981 avatar May 31 '22 07:05 baisui1981

After starting Hive, port 10000 was not open. hive.log shows the following exception:

2023-07-17T11:12:09,975  INFO [main] thrift.TokenStoreDelegationTokenSecretManager: New master key with key id=0
2023-07-17T11:12:09,976  INFO [Thread[Thread-7,5,main]] thrift.TokenStoreDelegationTokenSecretManager: Starting expired delegation token remover thread, tokenRemoverScanInterval=60 min(s)
2023-07-17T11:12:09,977  INFO [Thread[Thread-7,5,main]] delegation.AbstractDelegationTokenSecretManager: Updating the current master key for generating delegation tokens
2023-07-17T11:12:09,977  INFO [Thread[Thread-7,5,main]] thrift.TokenStoreDelegationTokenSecretManager: New master key with key id=1
2023-07-17T11:12:09,979 ERROR [main] metastore.HiveMetaStore: org.apache.thrift.transport.TTransportException: Kerberos principal should have 3 parts: hadoop
        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createSaslServerTransportFactory(HadoopThriftAuthBridge.java:364)
        >>> Strange: this is clearly calling HiveMetaStore, yet it ends up calling into a Hadoop API
        --->at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createTransportFactory(HadoopThriftAuthBridge.java:347)
        --->at org.apache.hadoop.hive.metastore.HiveMetaStore.startMetaStore(HiveMetaStore.java:7165)
        at org.apache.hadoop.hive.metastore.HiveMetaStore.main(HiveMetaStore.java:7076)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.hadoop.util.RunJar.run(RunJar.java:234)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:148)

2023-07-17T11:12:09,979 ERROR [main] metastore.HiveMetaStore: Metastore Thrift Server threw an exception...
org.apache.thrift.transport.TTransportException: Kerberos principal should have 3 parts: hadoop
        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createSaslServerTransportFactory(HadoopThriftAuthBridge.java:364) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createTransportFactory(HadoopThriftAuthBridge.java:347) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.HiveMetaStore.startMetaStore(HiveMetaStore.java:7165) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.HiveMetaStore.main(HiveMetaStore.java:7076) [hive-exec-2.3.7.jar:2.3.7]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_191]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_191]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_191]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_191]
        at org.apache.hadoop.util.RunJar.run(RunJar.java:234) [hadoop-common-2.8.4.jar:?]
        at org.apache.hadoop.util.RunJar.main(RunJar.java:148) [hadoop-common-2.8.4.jar:?]
2023-07-17T11:12:10,096  INFO [pool-2-thread-1] metastore.HiveMetaStore: Shutting down hive metastore.
2023-07-17T11:12:10,096  INFO [pool-2-thread-1] metastore.HiveMetaStore: SHUTDOWN_MSG:
/************************************************************
SHUTDOWN_MSG: Shutting down HiveMetaStore at baisui-test-1/192.168.28.200

Look at the commit method in UserGroupInformation:

Add the following configuration to /opt/app/hadoop/etc/hadoop/core-site.xml:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
<property>
   <name>hadoop.security.authorization</name>
   <value>true</value>
</property>

<property>
   <name>hadoop.security.authentication</name>
   <value>kerberos</value>
</property>
</configuration>

After restarting again, the following exception appears:

Caused by: java.io.IOException: Login failure for tis/[email protected] from keytab /opt/app/hive/conf/tis.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user

>>>>
Found that YarnConfiguration.NM_PRINCIPAL is used:
https://github.com/apache/hadoop/blob/c44823dadb73a3033f515329f70b2e3126fcb7be/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/NodeManager.java#L297C3-L300C4
protected void doSecureLogin() throws IOException {
    SecurityUtil.login(getConfig(), YarnConfiguration.NM_KEYTAB,
        YarnConfiguration.NM_PRINCIPAL);
  }
<<<<

        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1062) ~[hadoop-common-2.8.4.jar:?]
        at org.apache.hive.service.auth.HiveAuthFactory.loginFromKeytab(HiveAuthFactory.java:236) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.cli.CLIService.init(CLIService.java:89) ~[hive-service-2.3.7.jar:2.3.7]
        ... 12 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897) ~[?:1.8.0_191]
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760) ~[?:1.8.0_191]
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) ~[?:1.8.0_191]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_191]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_191]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_191]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_191]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_191]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_191]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1053) ~[hadoop-common-2.8.4.jar:?]
        at org.apache.hive.service.auth.HiveAuthFactory.loginFromKeytab(HiveAuthFactory.java:236) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.cli.CLIService.init(CLIService.java:89) ~[hive-service-2.3.7.jar:2.3.7]
        ... 12 more

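Searching on the keywords in the error led to this article: https://knowledge.informatica.com/s/article/521829?language=en_US. Run the command: kinit -V -k -t /opt/app/hive/conf/tis.keytab [email protected]

Because Hadoop is started with a non-root account, chmod 777 /opt/app/hive/conf/tis.keytab needs to be run so that the account has read permission.

Output: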

Using default cache: persistent:0:0
Using principal: [email protected]
Using keytab: /opt/app/hive/conf/tis.keytab
kinit: Keytab contains no suitable keys for [email protected] while getting initial credentials

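This means credentials could not be obtained from the KDC.

After debugging, the cause turned out to be the local /etc/krb5.conf; modifying the [realms.EXAMPLE.COM] configuration is enough.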

kinit -V -k -t /opt/app/hive/conf/tis.keytab tis/[email protected]
Using default cache: persistent:0:0
Using principal: tis/[email protected]
Using keytab: /opt/app/hive/conf/tis.keytab
Authenticated to Kerberos v5

After another restart, the Hadoop startup log contains the following exception:

2023-07-17 15:23:09,296 FATAL org.apache.hadoop.yarn.server.resourcemanager.ResourceManager: Error starting ResourceManager
org.apache.hadoop.yarn.exceptions.YarnRuntimeException: Failed to login
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceInit(ResourceManager.java:264)
        at org.apache.hadoop.service.AbstractService.init(AbstractService.java:163)
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.main(ResourceManager.java:1337)
Caused by: java.io.IOException: Login failure for hadoop from keytab /etc/krb5.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user

        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1062)
        at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:286)
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.doSecureLogin(ResourceManager.java:1187)
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceInit(ResourceManager.java:262)
        ... 2 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)

Add the following configuration to /opt/app/hadoop/etc/hadoop/yarn-site.xml:

<property>
  <name>yarn.nodemanager.principal</name>
  <value>tis/[email protected]</value>
</property>

<property>
  <name>yarn.nodemanager.keytab</name>
  <value>/opt/app/hive/conf/tis.keytab</value>
</property>

<property>
  <name>yarn.resourcemanager.principal</name>
  <value>tis/[email protected]</value>
</property>

<property>
  <name>yarn.resourcemanager.keytab</name>
  <value>/opt/app/hive/conf/tis.keytab</value>
</property>

The Hive metadata service fails to start:

2023-07-18T13:04:06,750 ERROR [main] metastore.HiveMetaStore: org.apache.thrift.transport.TTransportException: java.io.IOException: Login failure for tis/[email protected] from keytab /opt/app/hive/conf/tis.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user

        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.<init>(HadoopThriftAuthBridge.java:327)
        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge.createServer(HadoopThriftAuthBridge.java:101)
        at org.apache.hadoop.hive.metastore.HiveMetaStore.startMetaStore(HiveMetaStore.java:7157)
        at org.apache.hadoop.hive.metastore.HiveMetaStore.main(HiveMetaStore.java:7076)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.hadoop.util.RunJar.run(RunJar.java:234)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:148)
Caused by: java.io.IOException: Login failure for tis/[email protected] from keytab /opt/app/hive/conf/tis.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user

        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1062)
        at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.<init>(HadoopThriftAuthBridge.java:322)
        ... 9 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1053)
        ... 10 more    

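Cause: the owner of the manually generated keytab file is root; it should be changed to the system user of the corresponding component. https://blog.csdn.net/zz_aiytag/article/details/105067703

After running chown and restarting again, the following problem appears: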

javax.security.sasl.SaslException: GSS initiate failed
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211) ~[?:1.8.0_191]
        at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49) ~[hive-exec-2.3.7.jar:2.3.7]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]
        at javax.security.auth.Subject.doAs(Subject.java:422) ~[?:1.8.0_191]
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1840) ~[hadoop-common-2.8.4.jar:?]
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:480) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:247) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient.<init>(SessionHiveMetaStoreClient.java:70) ~[hive-exec-2.3.7.jar:2.3.7]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:1.8.0_191]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:1.8.0_191]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:1.8.0_191]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_191]
        at org.apache.hadoop.hive.metastore.MetaStoreUtils.newInstance(MetaStoreUtils.java:1707) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.<init>(RetryingMetaStoreClient.java:83) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:133) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.getProxy(RetryingMetaStoreClient.java:104) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.createMetaStoreClient(Hive.java:3600) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:3652) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.getMSC(Hive.java:3632) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.getAllFunctions(Hive.java:3894) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.reloadFunctions(Hive.java:248) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.registerAllFunctionsOnce(Hive.java:231) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.<init>(Hive.java:388) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.create(Hive.java:332) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.getInternal(Hive.java:312) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.metadata.Hive.get(Hive.java:288) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.session.SessionState.setAuthorizerV2Config(SessionState.java:917) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:881) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hadoop.hive.ql.session.SessionState.applyAuthorizationPolicy(SessionState.java:1687) ~[hive-exec-2.3.7.jar:2.3.7]
        at org.apache.hive.service.cli.CLIService.applyAuthorizationConfigPolicy(CLIService.java:130) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.cli.CLIService.init(CLIService.java:114) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.CompositeService.init(CompositeService.java:59) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.server.HiveServer2.init(HiveServer2.java:142) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.server.HiveServer2.startHiveServer2(HiveServer2.java:607) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.server.HiveServer2.access$700(HiveServer2.java:100) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.server.HiveServer2$StartOptionExecutor.execute(HiveServer2.java:855) ~[hive-service-2.3.7.jar:2.3.7]
        at org.apache.hive.service.server.HiveServer2.main(HiveServer2.java:724) ~[hive-service-2.3.7.jar:2.3.7]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_191]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_191]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_191]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_191]
        at org.apache.hadoop.util.RunJar.run(RunJar.java:234) ~[hadoop-common-2.8.4.jar:?]
        at org.apache.hadoop.util.RunJar.main(RunJar.java:148) ~[hadoop-common-2.8.4.jar:?]
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Clock skew too great (37) - PROCESS_TGS)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770) ~[?:1.8.0_191]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) ~[?:1.8.0_191]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_191]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192) ~[?:1.8.0_191]
        ... 47 more
Caused by: sun.security.krb5.KrbException: Clock skew too great (37) - PROCESS_TGS
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73) ~[?:1.8.0_191]
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251) ~[?:1.8.0_191]
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262) ~[?:1.8.0_191]
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308) ~[?:1.8.0_191]
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126) ~[?:1.8.0_191]
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458) ~[?:1.8.0_191]
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693) ~[?:1.8.0_191]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) ~[?:1.8.0_191]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_191]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192) ~[?:1.8.0_191]
        ... 47 more
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) ~[?:1.8.0_191]
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65) ~[?:1.8.0_191]
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60) ~[?:1.8.0_191]
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55) ~[?:1.8.0_191]
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251) ~[?:1.8.0_191]
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262) ~[?:1.8.0_191]
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308) ~[?:1.8.0_191]

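sun.security.krb5.KrbException: Clock skew too great (37): the specific cause is that the clocks of the two service nodes differ too much. Setting the time correctly with date -s"" is enough. https://blog.csdn.net/wysghmbb/article/details/122219022

The Java client reports this exception on startup:

klist has already been run on the client, and the ticket is cached normally.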

Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)

baisui1981 avatar Jul 18 '23 12:07 baisui1981
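
A pre-flight check for three of the failures seen in this thread (a principal without three parts, a keytab owned by the wrong account, a keytab opened with chmod 777), as an added example that is not part of the original issue or of the TIS project. The function names, the sample principal and the temporary keytab are constructed, and it assumes the keytab should be readable only by the service account that loads it.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for a service keytab.
# Sample principals and the temporary keytab below are constructed values.

# Hive's metastore rejects a principal that is not primary/instance@REALM
# ("Kerberos principal should have 3 parts: hadoop").
principal_has_three_parts() {
    p=$1
    case $p in
        */*@*) ;;
        *) return 1 ;;
    esac
    primary=${p%%/*}
    rest=${p#*/}
    instance=${rest%%@*}
    realm=${rest#*@}
    [ -n "$primary" ] && [ -n "$instance" ] && [ -n "$realm" ] || return 1
    # Exactly one '/' and one '@': no separator may remain inside a part.
    case "$primary$instance$realm" in
        */*|*@*) return 1 ;;
    esac
    return 0
}

# Print one finding per problem. Returns 0 only when the keytab is a regular
# file owned by the expected service account (name or numeric uid), readable
# by that owner, and closed to group and others.
check_keytab() {
    keytab=$1
    owner=$2
    status=0
    if [ ! -f "$keytab" ]; then
        echo "MISSING: $keytab is not a regular file"
        return 1
    fi
    case $owner in
        ''|*[!0-9]*) want_uid=$(id -u "$owner" 2>/dev/null) || want_uid='?' ;;
        *) want_uid=$owner ;;
    esac
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid.
    mode=$(ls -ldn -- "$keytab" | awk '{print $1}')
    have_uid=$(ls -ldn -- "$keytab" | awk '{print $3}')
    if [ "$have_uid" != "$want_uid" ]; then
        echo "OWNER: $keytab is owned by uid $have_uid, expected $want_uid"
        status=1
    fi
    case $mode in
        ?r*) ;;
        *) echo "UNREADABLE: owner has no read bit ($mode)"; status=1 ;;
    esac
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "MODE: $mode lets group/others use the key; expected 0400 or 0600"
        status=1
    fi
    return "$status"
}

# Demo on a constructed, empty stand-in keytab: mode 777 first, then 600.
demo() {
    dir=$(mktemp -d) || return 1
    kt=$dir/sample.keytab
    : > "$kt"
    chmod 777 "$kt"; check_keytab "$kt" "$(id -u)" || true
    chmod 600 "$kt"; check_keytab "$kt" "$(id -u)" && echo "OK: $kt"
    rm -rf "$dir"
}
demo
```

Run `check_keytab` as root or as the service user before restarting the component, passing the account that the Hadoop or Hive process actually runs as.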