Beeline: Failed to find any Kerberos tgt

Nur Kholis M.

Issue:

Beeline failed with the following errors:

3/07/13 09:43:51 [main]: ERROR transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211) ~[?:1.8.0_232]
        at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:96) ~[hive-exec-3.1.3000.7.1.7.2000-305.jar:3.1.3000.7.1.7.2000-305]
        ...
        at org.apache.hadoop.util.RunJar.run(RunJar.java:318) ~[hadoop-common-3.1.1.7.1.7.2000-305.jar:?]
        at org.apache.hadoop.util.RunJar.main(RunJar.java:232) ~[hadoop-common-3.1.1.7.1.7.2000-305.jar:?]
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:148) ~[?:1.8.0_232]
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) ~[?:1.8.0_232]
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:189) ~[?:1.8.0_232]
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224) ~[?:1.8.0_232]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212) ~[?:1.8.0_232]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_232]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192) ~[?:1.8.0_232]
        ... 37 more

Resolution:

Set "-Djavax.security.auth.useSubjectCredsOnly=false" in HADOOP_OPTS before running beeline:

export HADOOP_OPTS="-Djavax.security.auth.useSubjectCredsOnly=false"

For NiFi in CM, add the same option in bootstrap.conf (Safety Valve).
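
A wrapper for the beeline case above, as an added example that is not part of the original post: it merges the flag into any existing HADOOP_OPTS instead of overwriting it, and checks the ticket cache before launching. The function names are hypothetical, `klist -s` assumes the MIT Kerberos client tools, and JVM options are assumed to contain no embedded spaces.

```sh
#!/bin/sh
# Added example; helper names are hypothetical, not part of Hadoop or Hive.

FLAG_KEY="-Djavax.security.auth.useSubjectCredsOnly"

# Print the given JVM option string with useSubjectCredsOnly forced to false.
# Every other option is kept; an earlier setting of the same key is dropped.
# The body runs in a subshell so `set -f` and the variables stay local.
with_subject_creds_flag() (
    set -f                          # no globbing while we word-split $1
    out=""
    for opt in $1; do               # assumption: one JVM option per word
        case "$opt" in
            "$FLAG_KEY"=*) ;;       # drop a stale value such as =true
            *) out="${out:+$out }$opt" ;;
        esac
    done
    printf '%s\n' "${out:+$out }$FLAG_KEY=false"
)

# Succeed only if klist is installed and reports a readable, unexpired cache.
# MIT klist -s prints nothing and answers through its exit status.
have_valid_tgt() {
    command -v klist >/dev/null 2>&1 && klist -s
}

# Start beeline with the flag applied for this one process only.
# Fails early with a clear message when the cache holds no valid ticket.
run_beeline() {
    if ! have_valid_tgt; then
        echo "no valid Kerberos ticket in cache; run kinit first" >&2
        return 1
    fi
    HADOOP_OPTS="$(with_subject_creds_flag "${HADOOP_OPTS:-}")" beeline "$@"
}
```

Source the file and call `run_beeline` with the usual beeline arguments; the exported HADOOP_OPTS of the calling shell is left unchanged.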

