Copyright notice: this is an original article by the blogger and may not be reproduced without the blogger's permission. https://blog.csdn.net/weixin_35852328/article/details/83388060
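Problem description:
Today I was connecting to Hive with beeline locally on the server. Because the cluster is integrated with Kerberos, authorization for the service has to be obtained first, so I manually generated a keytab file for accessing the Hive Metastore Server on the KDC server.
The command used:
ktadd -k /etc/hive.keytab hive/[email protected]
Running this command changed the password (key) of the principal hive/[email protected], and the Hive Metastore Server service then failed with an error!
The log is as follows: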
点30:32.506分 | ERROR | HiveMetaStore | [main]: Metastore Thrift Server threw an exception...
org.apache.thrift.transport.TTransportException: org.apache.hadoop.security.KerberosAuthException: Login failure for user: hive/[email protected] from keytab hive.keytab javax.security.auth.login.LoginException: Checksum failed
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.<init>(HadoopThriftAuthBridge.java:364)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge.createServer(HadoopThriftAuthBridge.java:102)
    at org.apache.hadoop.hive.metastore.HiveMetaStore.startMetaStore(HiveMetaStore.java:6740)
    at org.apache.hadoop.hive.metastore.HiveMetaStore.main(HiveMetaStore.java:6659)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.hadoop.util.RunJar.run(RunJar.java:221)
    at org.apache.hadoop.util.RunJar.main(RunJar.java:136)
Caused by: org.apache.hadoop.security.KerberosAuthException: Login failure for user: hive/[email protected] from keytab hive.keytab javax.security.auth.login.LoginException: Checksum failed
    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1130)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.<init>(HadoopThriftAuthBridge.java:359)
    ... 9 more
Caused by: javax.security.auth.login.LoginException: Checksum failed
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1121)
    ... 10 more
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
    at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:149)
    at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
    at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:285)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
    ... 23 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
    at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
    ... 30 more
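Fix:
Stop the HiveServer2 and Hive Metastore Server services, then click "Regenerate keytab file".
After restarting the services, they ran normally.
Cause:
I carelessly generated a keytab file myself, which changed the password (key) of the principal hive/[email protected], while the service process was still using the old keytab file, so authentication failed!
Correct usage:
Copy the keytab file from the corresponding service process directory on the host, and always use that same keytab file for kinit when using the service.
Host directory: /var/run/cloudera-scm-agent/process/
For example, HIVEMETASTORE: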
[root@beta1 990-hive-HIVEMETASTORE]# kinit -kt hive.keytab hive/beta1.hadoop.feidai.com
[root@beta1 990-hive-HIVEMETASTORE]# cd /var/run/cloudera-scm-agent/process/990-hive-HIVEMETASTORE
[root@beta1 990-hive-HIVEMETASTORE]# ll
total 136
-rw-r----- 1 hive hive 333 Oct 25 19:43 cloudera-monitor.properties
-rw-r----- 1 hive hive 339 Oct 25 19:43 cloudera-stack-monitor.properties
-rw------- 1 root root 17774 Oct 25 19:43 config.zip
-rw-r----- 1 hive hive 4077 Oct 25 19:43 core-site.xml
-rw-r----- 1 hive hive 522 Oct 25 19:43 creds.localjceks
-rw------- 1 hive hive 466 Oct 25 19:43 hive.keytab
-rw-r----- 1 hive hive 869 Oct 25 19:43 hive-log4j.properties
-rw-r----- 1 hive hive 6616 Oct 25 19:43 hive-site.xml
drwxr-x--x 2 hive hive 80 Oct 25 19:43 logs
-rw------- 1 root root 3116 Oct 25 19:43 proc.json
-rw-r----- 1 hive hive 0 Oct 25 19:43 redaction-rules.json
-rw-r----- 1 hive hive 1209 Oct 25 19:43 sentry-site.xml
-rw-r----- 1 hive hive 73186 Oct 25 19:43 service-metrics.properties
-rw------- 1 root root 3403 Oct 25 19:43 supervisor.conf
drwxr-x--x 2 hive hive 220 Oct 25 19:43 yarn-conf
[root@beta1 990-hive-HIVEMETASTORE]# kinit -kt hive.keytab hive/beta1.hadoop.feidai.com
[root@beta1 990-hive-HIVEMETASTORE]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hive/[email protected]
Valid starting Expires Service principal
10/25/18 23:15:31 10/26/18 23:15:31 krbtgt/[email protected]
renew until 10/30/18 23:15:31
[root@beta1 990-hive-HIVEMETASTORE]#
Then test by connecting to Hive with beeline:
[root@beta1 990-hive-HIVEMETASTORE]# beeline
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Java HotSpot(TM) 64-Bit Server VM warning: Using incremental CMS is deprecated and will likely be removed in a future release
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Beeline version 1.1.0-cdh5.15.0 by Apache Hive
beeline> !connect jdbc:hive2://beta1:10000/;principal=hive/[email protected]
scan complete in 2ms
Connecting to jdbc:hive2://beta1:10000/;principal=hive/[email protected]
Connected to: Apache Hive (version 1.1.0-cdh5.15.0)
Driver: Hive JDBC (version 1.1.0-cdh5.15.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://beta1:10000/> show databases;
INFO : Compiling command(queryId=hive_20181025231717_e0f515b0-13c8-4a8c-9026-c6df74e71cbe): show databases
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO : Completed compiling command(queryId=hive_20181025231717_e0f515b0-13c8-4a8c-9026-c6df74e71cbe); Time taken: 0.057 seconds
INFO : Executing command(queryId=hive_20181025231717_e0f515b0-13c8-4a8c-9026-c6df74e71cbe): show databases
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20181025231717_e0f515b0-13c8-4a8c-9026-c6df74e71cbe); Time taken: 0.177 seconds
INFO : OK
+--------------------------+--+
| database_name |
+--------------------------+--+
| aggregation_db_1_kudu |
| data_market |
| default |
| fi_loanrepayreport_kudu |
| fi_repayplan_kudu |
| financesys_kudu |
| importmongo |
| test |
+--------------------------+--+
8 rows selected (0.307 seconds)
0: jdbc:hive2://beta1:10000/>
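Test succeeded!
So next time, remember never to carelessly generate a service's keytab file yourself: by default the password is randomized when the keytab is generated, which invalidates the previously generated keytab file!!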
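A check for the failure described above, added here as an example and not taken from the original post: each `ktadd` that randomizes the key also raises the principal's key version number (KVNO), so a keytab whose KVNO differs from the one the KDC currently reports can no longer log in. The principal, realm and sample command outputs below are constructed placeholders, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect a keytab invalidated by a later `ktadd` on the KDC.
# Principal, realm and sample outputs are constructed placeholders.

# Highest KVNO a keytab holds for one principal.
# stdin: output of `klist -k <keytab>` or `klist -kt <keytab>`.
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = 0 }
        $1 ~ /^[0-9]+$/ && $NF == p && $1 + 0 > max { max = $1 + 0 }
        END { print max }'
}

# KVNO the KDC currently issues tickets under.
# stdin: output of `kvno <principal>`, e.g. "<principal>: kvno = 3".
kdc_kvno() {
    sed -n 's/.*: kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Prints a verdict for keytab KVNO $1 against KDC KVNO $2.
keytab_status() {
    if [ -z "$2" ]; then echo unknown      # KDC could not be queried
    elif [ "$1" -eq 0 ]; then echo missing # principal not in the keytab
    elif [ "$1" -eq "$2" ]; then echo current
    else echo stale                        # key was changed after export
    fi
}

PRINC='hive/node1.example.com@EXAMPLE.COM'   # constructed placeholder

# Constructed `klist -kt hive.keytab` output: the service keytab holds KVNO 2.
SAMPLE_KLIST='Keytab name: FILE:hive.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------
   2 10/25/2018 19:43:00 hive/node1.example.com@EXAMPLE.COM
   2 10/25/2018 19:43:00 HTTP/node1.example.com@EXAMPLE.COM'

# Constructed `kvno` output after ktadd was run again: the KDC is now at 3.
SAMPLE_KVNO='hive/node1.example.com@EXAMPLE.COM: kvno = 3'

have=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$PRINC")
want=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
echo "keytab KVNO=$have, KDC KVNO=$want: $(keytab_status "$have" "$want")"
# On a live host, feed the functions from the real tools instead:
#   klist -kt hive.keytab | keytab_kvno "$PRINC";  kvno "$PRINC" | kdc_kvno
```

Running `kvno` against a live KDC requires a valid ticket-granting ticket in the credential cache, obtained as any principal.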