  1. Ambari
  2. AMBARI-19642

Error during Alert: Unable to authenticate through LDAP for Hiveserver2 (also floods HS2 log with error messages)


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.5.0
    • Fix Version/s: 2.5.0
    • Component/s: stacks
    • Labels: None

    Description

      Ambari Alert can't authenticate through LDAP for HiveServer2 using the ambari-qa user because there is nowhere to set the ambari-qa password.

      javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
      at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109) 
      at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:509) 
      at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:264) 
      at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) 
      at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) 
      at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189) 
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 
      at java.lang.Thread.run(Thread.java:744) 
      Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580
      at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:70) 
      at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106) 
      at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:102) 
      ... 8 more 
      Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580 
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087) 
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) 
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) 
      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) 
      at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) 
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) 
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) 
      at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) 
      at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) 
      at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) 
      at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) 
      at javax.naming.InitialContext.init(InitialContext.java:242) 
      at javax.naming.InitialContext.<init>(InitialContext.java:216) 
      at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) 
      at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:67) 
      ... 10 more 
      2014-12-29 00:00:12,532 ERROR server.TThreadPoolServer (TThreadPoolServer.java:run(215)) - Error occurred during processing of message. 
      java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Error validating the login 
      at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219) 
      at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189) 
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 
      at java.lang.Thread.run(Thread.java:744) 
      Caused by: org.apache.thrift.transport.TTransportException: Error validating the login 
      at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221) 
      at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297) 
      at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) 
      at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) 
      ... 4 more
      

      *LDAP doesn't accept blank passwords*

      It is expected that the ambari-qa user is able to authenticate through LDAP for HiveServer2.

      ANALYSIS:

      1) We found when hive.server2.authentication=LDAP, the HiveServer2 log will show the LDAP error once Alert is turned on.

      2) Alert uses check_tcp_wrapper_sasl!10000!LDAP!!

      3) When hive.server2.authentication=NONE, we don't get the Alert LDAP error for HiveServer2.

      or

      1) If we run "beeline" and "!connect jdbc:hive2://<hiveserver2_server>:10000 -n ambari-qa", we will get the LDAP error too.

      Attachments

        1. AMBARI-19642.patch
          17 kB
          Sumit Mohanty
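
A triage sketch for the log flood described in this issue, added here as an example; it is not part of the Ambari patch or of the original report. It counts failed LDAP binds in a HiveServer2 log per minute and decodes the Active Directory sub-code in the `data` field (the `52e` in the trace above decodes to invalid credentials). The function names, the logger name and the sample timestamps are constructed for illustration.

```python
import re
from collections import Counter

# Active Directory sub-codes reported in the "data NNN" field of LDAP error 49.
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}
ROOT_CAUSE = "Caused by: javax.naming.AuthenticationException"
BIND_FAIL = re.compile(r"LDAP: error code 49\b.*?\bdata ([0-9a-fA-F]+)")
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2},\d{3} ")

def summarize_bind_failures(lines):
    """Count failed LDAP binds per (minute, AD sub-code)."""
    counts, minute = Counter(), "unknown"
    for line in lines:
        stamp = TIMESTAMP.match(line)
        if stamp:
            minute = stamp.group(1)  # stack-trace lines inherit the entry's time
        # Count only the root-cause line; wrapper exceptions repeat the message.
        if line.lstrip().startswith(ROOT_CAUSE):
            hit = BIND_FAIL.search(line)
            if hit:
                counts[(minute, hit.group(1).lower())] += 1
    return counts

def report(counts):
    """Return (minute, sub-code, meaning, count) rows in time order."""
    return [(m, c, AD_SUBCODES.get(c, "unknown sub-code"), n)
            for (m, c), n in sorted(counts.items())]

# Constructed sample: logger name and timestamps are made up; the exception
# text follows the trace in the issue. Sub-code 775 is included for contrast.
def sample_entry(stamp, code):
    cause = (f"{ROOT_CAUSE}: [LDAP: error code 49 - 80090308: LdapErr: "
             f"DSID-0C0903C8, comment: AcceptSecurityContext error, data {code}, v2580")
    return [f"{stamp} ERROR constructed.Logger - SASL negotiation failure",
            f"javax.security.sasl.SaslException: Error validating the login [{cause}",
            cause]

SAMPLE_LOG = (sample_entry("2014-12-29 00:00:12,532", "52e")
              + sample_entry("2014-12-29 00:00:42,101", "52e")
              + sample_entry("2014-12-29 00:01:03,007", "775"))

if __name__ == "__main__":
    for row in report(summarize_bind_failures(SAMPLE_LOG)):
        print(row)
```

A steady count of `52e` rows with no matching user activity points at a monitoring probe binding without a password, while other sub-codes such as `775` deserve a separate look.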

            People

              Assignee: Sumit Mohanty (sumitmohanty)
              Reporter: Sumit Mohanty (sumitmohanty)