jcmturner / gokrb5

Pure Go Kerberos library for clients and services
Apache License 2.0

some problems related to hiveserver2 with kerberos #469

Open nice-journey opened 2 years ago

nice-journey commented 2 years ago

Hi hello.

Although I have spent a lot of time reading the source code of this repo and blogs about Kerberos, and researching how to access hiveserver2 with Kerberos, I have been stuck on one problem for several days.

Because hiveserver2 does not use the SPNEGO protocol, I need to write adapted code, such as the following gist: https://gist.github.com/nice-journey/40148566b92e894a16cb28aa682a2740

In the gist code, the first step (access to the AS server) and the second step (access to the TGS server) are ok and return no error. The third step, line 71 of the code, produces the following error log on hiveserver2, although the send method does not return an error.

The hiveserver2 log is:

2022-06-04 01:07:16,919 DEBUG org.apache.thrift.transport.TSaslServerTransport: [HiveServer2-Handler-Pool: Thread-43]: transport map does not contain key
2022-06-04 01:07:16,919 DEBUG org.apache.thrift.transport.TSaslTransport: [HiveServer2-Handler-Pool: Thread-43]: opening transport org.apache.thrift.transport.TSaslServerTransport@5839534b
2022-06-04 01:07:16,923 DEBUG org.apache.thrift.transport.TSaslTransport: [HiveServer2-Handler-Pool: Thread-43]: SERVER: Writing message with status ERROR and payload length 17
2022-06-04 01:07:16,923 DEBUG org.apache.thrift.transport.TSaslServerTransport: [HiveServer2-Handler-Pool: Thread-43]: failed to open server transport
org.apache.thrift.transport.TTransportException: Invalid status 96
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:184)
    at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:794)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:791)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:356)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1904)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:791)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
2022-06-04 01:07:16,924 ERROR org.apache.thrift.server.TThreadPoolServer: [HiveServer2-Handler-Pool: Thread-43]: Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Invalid status 96
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:794)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:791)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:356)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1904)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:791)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.thrift.transport.TTransportException: Invalid status 96
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:184)
    at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    ... 10 more

I may not have fully understood Kerberos; could you give me some advice?

jcmturner commented 1 year ago

This line doesn't look right to me: https://gist.github.com/nice-journey/40148566b92e894a16cb28aa682a2740#file-gistfile1-txt-L34 The first argument should be the client's username.

If SPNEGO is not used I'm not sure why the spnego package is being used at this line: https://gist.github.com/nice-journey/40148566b92e894a16cb28aa682a2740#file-gistfile1-txt-L48

Perhaps you just need to create a generic AP request as documented at https://github.com/jcmturner/gokrb5/blob/master/v8/USAGE.md#generic-kerberos-client

What form of token does hiveserver2 expect and how do you transport it to the server?
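Added example, not code from this thread or from gokrb5: the message framing that HiveServer2's Thrift TSaslServerTransport reads in handleSaslStartMessage, written in plain Go with only the standard library. The status value 96 in the log is 0x60, the DER APPLICATION 0 tag that opens a GSS-API InitialContextToken, and the 17-byte ERROR payload the server wrote is exactly the string "Invalid status 96", so the trace is consistent with a Kerberos token being written to the socket without the 1-byte status and 4-byte length header that Thrift expects first. The token bytes below are a constructed placeholder, not a real AP-REQ.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Thrift TSaslTransport negotiation status bytes, 0x01..0x05
// (START, OK, BAD, ERROR, COMPLETE); anything else is rejected.
const (
	SaslStart    byte = 0x01
	SaslOK       byte = 0x02
	SaslComplete byte = 0x05
)

// FrameSaslMessage builds one Thrift SASL negotiation message:
// 1 status byte, 4-byte big-endian payload length, then the payload.
func FrameSaslMessage(status byte, payload []byte) []byte {
	buf := make([]byte, 5+len(payload))
	buf[0] = status
	binary.BigEndian.PutUint32(buf[1:5], uint32(len(payload)))
	copy(buf[5:], payload)
	return buf
}

// ParseSaslMessage reads one message the way the server's receiveSaslMessage
// does: an unknown status byte is rejected before any payload is read, which is
// what a raw GSS-API token (first byte 0x60 = 96) triggers when sent unframed.
func ParseSaslMessage(b []byte) (status byte, payload []byte, err error) {
	if len(b) < 5 {
		return 0, nil, errors.New("short SASL header")
	}
	if b[0] < SaslStart || b[0] > SaslComplete {
		return 0, nil, fmt.Errorf("Invalid status %d", b[0])
	}
	n := binary.BigEndian.Uint32(b[1:5])
	if uint64(len(b)-5) < uint64(n) {
		return 0, nil, errors.New("truncated SASL payload")
	}
	return b[0], b[5 : 5+n], nil
}

// GSSAPIStartMessages frames the first two client messages of a Thrift SASL
// GSSAPI handshake: START carrying the mechanism name, then OK carrying the
// client's initial GSS-API token (the Kerberos AP-REQ as an InitialContextToken).
func GSSAPIStartMessages(initialToken []byte) []byte {
	out := FrameSaslMessage(SaslStart, []byte("GSSAPI"))
	return append(out, FrameSaslMessage(SaslOK, initialToken)...)
}
```

Feeding the placeholder token straight into ParseSaslMessage reproduces the server's "Invalid status 96"; wrapping it with GSSAPIStartMessages yields a START message the server can parse.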