Hive - Accessing Kerberos-enabled Hive from the command line on CDH

1. Access as the hive user

Switch to the hive user.

[root@slave conf]# su - hive
上一次登录:五 4月 12 13:59:19 CST 2019pts/1 上
[hive@slave ~]$

Type hive directly at the command line to enter the Hive shell.

[hive@slave ~]$ hive
log4j:WARN No such property [maxFileSize] in org.apache.log4j.DailyRollingFileAppender.

Logging initialized using configuration in file:/etc/hive/2.6.5.0-292/0/hive-log4j.properties
hive>

2. Access hive as another user

Other users who have not been authorized run into the following error when they access hive:

java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "kjss1.example.com/172.26.69.237"; destination host is: "kjss2.example.com":8020; 
    at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:782)
    at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1556)
    at org.apache.hadoop.ipc.Client.call(Client.java:1496)
    at org.apache.hadoop.ipc.Client.call(Client.java:1396)
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:233)
    at com.sun.proxy.$Proxy8.getGroupsForUser(Unknown Source)
    at org.apache.hadoop.tools.protocolPB.GetUserMappingsProtocolClientSideTranslatorPB.getGroupsForUser(GetUserMappingsProtocolClientSideTranslatorPB.java:57)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:278)
    at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:194)
    at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:176)
    at com.sun.proxy.$Proxy9.getGroupsForUser(Unknown Source)
    at org.apache.hadoop.tools.GetGroupsBase.run(GetGroupsBase.java:71)
    at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
    at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:90)
    at org.apache.hadoop.hdfs.tools.GetGroups.main(GetGroups.java:96)
Caused by: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:720)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
    at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:683)
    at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:770)
    at org.apache.hadoop.ipc.Client$Connection.access$3200(Client.java:397)
    at org.apache.hadoop.ipc.Client.getConnection(Client.java:1618)
    at org.apache.hadoop.ipc.Client.call(Client.java:1449)
    ... 16 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
    at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
    at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:595)
    at org.apache.hadoop.ipc.Client$Connection.access$2000(Client.java:397)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:762)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:758)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
    at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:757)
    ... 19 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
    at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
    at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
    ... 28 more

Check whether the user has a Kerberos credential.

[root@slave conf]# su - nifi
上一次登录:三 4月  3 17:32:05 CST 2019pts/0 上
[nifi@slave ~]$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_996)
[nifi@slave ~]$

If no valid credential is shown, run the following command. /etc/security/keytabs/hive.service.keytab is the Hive Kerberos keytab file.

[nifi@slave ~]$ klist -kte /etc/security/keytabs/hive.service.keytab
Keytab name: FILE:/etc/security/keytabs/hive.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (des3-cbc-sha1)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (arcfour-hmac)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (des-cbc-md5)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
[nifi@slave ~]$

After running it, kinit can be run as this user.

# Verify that the user can log in from the keytab file:
[nifi@slave ~]$ kinit -kt /etc/security/keytabs/hive.service.keytab hive/slave.hdp193.com@EXAMPLE.COM
# View the valid credential
[nifi@slave ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_996
Default principal: hive/slave.hdp193.com@EXAMPLE.COM

Valid starting       Expires              Service principal
2019-04-12T14:36:32  2019-04-13T14:36:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
[nifi@slave ~]$

Running hive as this user now enters the hive command-line interface.
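
The `klist -kte` listing above shows DES, 3DES and RC4 keys next to the AES ones. The following script is an added example, not part of the original post: it parses such a listing and flags keys whose encryption type is deprecated for Kerberos. The function names are hypothetical and the sample input is the listing shown on this page.

```shell
#!/usr/bin/env bash
# Added example: audit `klist -kte <keytab>` output for deprecated enctypes.

# Deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
WEAK_ENCTYPES='des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac arcfour-hmac-exp'

# Reads a `klist -kte` listing on stdin; prints one line per key:
#   <WEAK|ok> <kvno> <principal> <enctype>
audit_keytab_listing() {
  awk -v weak="$WEAK_ENCTYPES" '
    BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    # Key rows start with a numeric KVNO and end with "(enctype)";
    # the banner, column header and dashed rule do not match.
    $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
      enc = $NF
      gsub(/[()]/, "", enc)
      sub(/^DEPRECATED:/, "", enc)   # prefix printed by newer MIT krb5 klist
      status = (enc in bad) ? "WEAK" : "ok"
      printf "%s %s %s %s\n", status, $1, $(NF - 1), enc
    }'
}

# Prints how many keys in the listing use a deprecated enctype.
count_weak_keys() {
  audit_keytab_listing | grep -c '^WEAK ' || true
}

# Constructed sample: the keytab listing shown on this page.
SAMPLE_LISTING='Keytab name: FILE:/etc/security/keytabs/hive.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (des3-cbc-sha1)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (arcfour-hmac)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (des-cbc-md5)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 2019-04-11T17:02:35 hive/slave.hdp193.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

printf '%s\n' "$SAMPLE_LISTING" | audit_keytab_listing
echo "weak keys: $(printf '%s\n' "$SAMPLE_LISTING" | count_weak_keys)"
```

Against a real keytab, pipe the command from this page into the function: `klist -kte /etc/security/keytabs/hive.service.keytab | audit_keytab_listing`.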
