Unable to obtain password from user的一种可能

最新推荐文章于 2024-06-20 23:28:06 发布
最新推荐文章于 2024-06-20 23:28:06 发布
阅读量2.1w 收藏 1
点赞数 2
分类专栏: Ambari
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/zz_aiytag/article/details/105067703
版权
本文记录了在Ambari平台中,当Kerberos认证开启时,Hive Metastore服务启动失败的问题及其解决过程。通过手动创建票据、生成keytab文件并调整文件权限,成功解决了因认证时无法获取密码导致的服务启动异常。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

文章目录

异常

2020-03-24T11:20:32,863 ERROR [main]: metastore.HiveMetaStore (HiveMetaStore.java:main(9316)) - Metastore Thrift Server threw an exception...
org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: hive/worker.cluster@BIGDATA from keytab /etc/security/keytabs/hive.service.keytab javax.security.auth.login.LoginException: Unable to obtain password from user

	at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1847) ~[hadoop-common-3.1.1.3.0.1.0-187.jar:?]
	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1215) ~[hadoop-common-3.1.1.3.0.1.0-187.jar:?]
	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1008) ~[hadoop-common-3.1.1.3.0.1.0-187.jar:?]
	at org.apache.hadoop.hive.metastore.HiveMetaStore.startMetaStore(HiveMetaStore.java:9378) ~[hive-exec-3.1.0.3.0.1.0-187.jar:3.1.0.3.0.1.0-187]
	at org.apache.hadoop.hive.metastore.HiveMetaStore.main(HiveMetaStore.java:9311) [hive-exec-3.1.0.3.0.1.0-187.jar:3.1.0.3.0.1.0-187]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_121]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_121]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_121]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_121]
	at org.apache.hadoop.util.RunJar.run(RunJar.java:318) [hadoop-common-3.1.1.3.0.1.0-187.jar:?]
	at org.apache.hadoop.util.RunJar.main(RunJar.java:232) [hadoop-common-3.1.1.3.0.1.0-187.jar:?]
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

	at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897) ~[?:1.8.0_121]
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760) ~[?:1.8.0_121]
	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) ~[?:1.8.0_121]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_121]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_121]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_121]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_121]
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_121]
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_121]
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_121]
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_121]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_121]
	at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_121]
	at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:1926) ~[hadoop-common-3.1.1.3.0.1.0-187.jar:?]
	at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1837) ~[hadoop-common-3.1.1.3.0.1.0-187.jar:?]
	... 10 more
2020-03-24T11:20:32,870 INFO  [shutdown-hook-0]: metastore.HiveMetaStore (HiveMetaStore.java:lambda$main$0(9281)) - Shutting down hive metastore.
2020-03-24T11:20:32,893 INFO  [shutdown-hook-0]: impl.MetricsSystemImpl (MetricsSystemImpl.java:stop(210)) - Stopping hivemetastore metrics system...
2020-03-24T11:20:32,895 INFO  [timeline]: impl.MetricsSinkAdapter (MetricsSinkAdapter.java:publishMetricsFromQueue(141)) - timeline thread interrupted.
2020-03-24T11:20:32,897 INFO  [shutdown-hook-0]: impl.MetricsSystemImpl (MetricsSystemImpl.java:stop(216)) - hivemetastore metrics system stopped.
2020-03-24T11:20:32,897 INFO  [shutdown-hook-0]: impl.MetricsSystemImpl (MetricsSystemImpl.java:shutdown(607)) - hivemetastore metrics system shutdown complete.
2020-03-24T11:20:32,914 INFO  [shutdown-hook-0]: metastore.HiveMetaStore (HiveMetaStore.java:lambda$startupShutdownMessage$1(9719)) - SHUTDOWN_MSG:

异常前的操作

  • 环境:

Ambari平台开启了kerberos开安认证,hive组件的metastore服务启动报错

  • 做的操作

1、kadmin节点上手动生成了票据,并且手动导出了keytab文件

# 手动添加票据
kadmin.local:  addprinc -randkey hive/worker.cluster@BIGDATA
WARNING: no policy specified for hive/worker.cluster@BIGDATA; defaulting to no policy
Principal "hive/worker.cluster@BIGDATA" created.
# 手动生成keytab文件
kadmin.local:  xst -k /opt/hive.service.keytab hive/worker.cluster@BIGDATA
Entry for principal hive/worker.cluster@BIGDATA with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/opt/hive.service.keytab.
Entry for principal hive/worker.cluster@BIGDATA with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/opt/hive.service.keytab.
Entry for principal hive/worker.cluster@BIGDATA with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/opt/hive.service.keytab.
Entry for principal hive/worker.cluster@BIGDATA with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/opt/hive.service.keytab.
Entry for principal hive/worker.cluster@BIGDATA with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/opt/hive.service.keytab.
Entry for principal hive/worker.cluster@BIGDATA with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/opt/hive.service.keytab.
Entry for principal hive/worker.cluster@BIGDATA with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/opt/hive.service.keytab.
Entry for principal hive/worker.cluster@BIGDATA with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/opt/hive.service.keytab.

2、将生成的keytab文件scp到metastore服务所在节点的keytab路径下

[root@manager opt]# scp hive.service.keytab worker.cluster:/etc/security/keytabs/

服务所在节点的keytab文件列表

-r--r----- 1 hbase      hadoop 328 Mar 24 10:42 hbase.headless.keytab
-r-------- 1 hbase      hadoop 353 Mar 24 10:42 hbase.service.keytab
-r-------- 1 hdfs       hadoop 323 Mar 24 10:42 hdfs.headless.keytab
-r--r----- 1 yarn       hadoop 348 Mar 24 10:42 hive.llap.task.keytab
-rw------- 1 root       hadoop 586 Mar 24 11:19 hive.service.keytab
-r-------- 1 kafka      hadoop 353 Mar 24 10:42 kafka.service.keytab

3、重启metastore服务,出现错误

原因及解决办法

错误提示是认证时不能获取密码。
原因是手动生成的keytab文件其owner是root,应该改成对应组件的系统用户

[root@worker keytabs]# chown hive:hadoop hive.service.keytab
......
-rw------- 1 hive       hadoop 586 Mar 24 11:19 hive.service.keytab

再次重启服务,就正常了。

Java应用/JDBC/Squirrel在Kerberos认证时报Unable to obtain Principal Name for authentication的解决方法
Laurence的技术博客
07-12 1万+
Java应用/JDBC/Squirrel在Kerberos认证时报Unable to obtain Principal Name for authentication的解决方法 关于如何在Windows本地安装配置Kerberos客户端,以及进行相关的配置,网上有很多现成的文档可以参考,其中: https://841809077.github.io/2018/12/19/Windows本地安装配置...
DataEase启动失败_doris-fe unhealthy_Unable to obtain connection from database: Access ---DataEase工作笔记001
添柴程序猿的专栏
09-17 1442
受限于服务器性能的原因,doris-be 启动比较慢,doris-fe 依赖 doris-be ,在检测时间内未成功启动完成,doris-fe 便不会再启动。DataEase 启动过程中,提示 doris-fe unhealthy。最近做项目部署,部署环境的安全要求很高所以往往在本地测试环境能启动的,在正式环境就无法启动了.此为磁盘空间不足导致,清理磁盘空间后再重启 Doris-fe 即可,具体可参考知识库。6 Doris-fe 启动失败,日志提示 UNKNOWN¶。
Kerberos : Unable to obtain password from user
HFUT_SIAS的博客
04-27 8321
如果报这个错,能确定是keytab的问题,根据网上查找的资料我总结如下,方便大家定位问题。 权限问题(相应的用户没有读权限) #可以临时把读权限都放开,再重试一下,验证是否权限问题 chmod a+r /xxx/yyy/zzz.keytab ## 如果是这个问题,用chown和chmod命令,将文件权限设置好就行了 keytab自身有问题,也即可能是keytab里的信息失效了 #可以通过kinit验证是否该问题 kinit -kt /xxx/yyy/zzz.keytab aa/bb@cc ## 如
sqoop接入kerberos安全认证后,本地运行正常,但提交到yarn上连接hive报错: Unable to obtain password from user
热门推荐
周源的专栏
09-17 1万+
日志信息: 2018-09-17 11:31:30,774 INFO [OutputFormatLoader-consumer] com.chinacreator.sqoop.connector.hive.HiveExecutor: 连接hive失败java.io.IOException: Login failure for sqoop/139.bd@EXAMPLE.COM from keyta...
kerberos 认证 Unable to obtain password from user 异常排查
keep_learn的专栏
01-10 2430
生产环境突然遇到kerberos 认证异常,java应用连接hive之前的认证异常报Unable to obtain password from user很常见的报错异常。
javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication info
最新发布
刘大猫
06-20 1011
:公司项目当前采用http协议+shiro+mysql的登录认证方式,而现在想支持ldap协议认证登录然后能够访问自己公司的项目网站。:假设我们公司有自己的门户网站,现在我们收购了一家公司,他们数据库采用ldap存储用户数据,那么为了他们账户能登陆我们公司项目所以需要集成,而不是再把他们的账户重新在mysql再创建一遍,万一人家有1W个账户呢,不累死了且也不现实啊。需要安装openldap+kerberos,且ldap和kerberos安装在同一台服务器上,当前版本如下:另外介绍下我的Spring各个版本:
Kerberos异常之unnable to obtain password from user
u012667450的博客
11-18 1万+
unnable obtain password from user 问题描述 在大数据集群开启kerberos认证后,使用kerberos票据进行kinit认证通过。但是集群运行yarn任务时报错: javax.security.auth.login.LoginException: Unable to obtain password from user 产生原因 在kerberos认证的集群下,该问题会经常遇到。其实很简单,是因为使用生成kerberos票据时的linux用户与集群组件匹配不当造成的。比
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
m0_37759590的博客
06-21 1499
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
解决集群报failure to login: for principal 。。。。Unable to obtain password from user错误
xgysimida的博客
05-11 8442
一、问题复现 在做集群项目运行时,报了如下错误: org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: dal_pro/nm-bigdata.local from keytab /etc/security/keytabs/dal_pro.keytab javax.security.auth.login.LoginException: Unable to obtain password fro
javax.security.auth.login.loginexception: unable to obtain password from use
05-09
javax.security.auth.login.loginexception: unable to obtain password from user 是 Java 身份验证系统中的一种异常情况。该异常通常出现在程序试图使用某个用户账户进行验证时,但是无法从用户获取到该账户的密码...
Hdfs的一系列坑坑洼洼,认证,认证,还是***认证
qq_42667939的博客
12-28 1518
这是一篇经验(教训)总结,以此纪念这段时间来由于hdfs的认证踩的大大小小的坑 首先,来个开胃菜 文件名错误 这个问题,属于是吃一堑就是不长智了。 虽然这是一个小小的粗心bug,但绝不能因此忽略其严重性 我的第一个Unable to obtain password from user则是来源于此 Bug: 当在Linux服务器中运行测试程序时报错:Unable to obtain password from user 原因分析: 初步判断是配置文件问题,经过排查配置文件未发现问题 阅读CEA项目组相关代码
KerberosAuthException:Unable to obtain password from user
software_kid的专栏
12-28 1350
【Exceptions】KerberosAuthException:Unable to obtain password from user
dolphinschedule的报错:javax.security.auth.login.LoginException: Unable to obtain password from user
qq_43688472的博客
08-15 721
ERROR] 2023-08-15 18:16:57.793 +0800 org.apache.dolphinscheduler.api.exceptions.ApiExceptionHandler:[53] - 获取数据源表列表错误。
Failed to obtain JDBC Connection; nested exception is java.sql.SQLException: Access denied for user
qq_40115367的博客
11-02 2749
Failed to obtain JDBC Connection; nested exception is java.sql.SQLException: Access denied for user ‘’@‘localhost’ (using password: NO 在idea 里面配置的文件application.properties中误把配置数据库连接的账号和密码配置spring.datas...
java hbase连接kerberos的几个常见错误
xyhshen的博客
07-12 3251
1.No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null)) javax.security.auth.login.LoginException: Clock skew too great 很常见,时间同步问题,让调用方和hbase、kerberos服务器的时间一致就行,一般误差在1~2分钟还是能接受 2.Unable to obtainpassw..
hdfs权限认证org.apache.hadoop.security.AccessControlException: Permission denied: user=root
花语无痕的博客
07-16 1252
原因:没有给根目录授权 会默认以root身份去将作业写入hdfs文件系统中,对应的也就是 HDFS 上的/user/x...
org.apache.hadoop.security.AccessControlException 解决办法
蚂蚁窝
07-02 1万+
异常1: 上传文件到hdfs,找不到文件 异常2: spark-shell启动报错 org.apache.hadoop.security.AccessControlException: Permission denied: user=root, access=WRITE, inode="/user":hdfs:supergroup:drwxr-xr-x 异常3: 远程提交任务给Hadoop 可...
Could not open client transport with JDBC Uri xxx、Caused by: org.apache.hive.org.apache.thrif
qq_39244882的博客
05-24 3838
Could not open client transport with JDBC Uri xxx、Caused by: org.apache.hive.org.apache.thrif
【kerberos】hadoop集群使用keytab认证的逻辑_centos 8 hadoop-2
2401_84166878的博客
04-13 575
以上环境变量常用的有:krb5.conf或krb5.ini文件路径KRB5CCNAME:kerberos cache文件路径(注:此文件可由MIT kerberos客户端生成)
评论 5
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值