[Bug]: Kerberos authentication failure #3347
Comments
|
It seems that AMS threw the error when querying from the web front, could you please share the whole log, thanks. |
|
I also encountered the same problem, and the error log is as follows: |
|
[org.apache.hadoop.ipc.Client] [] - Exception encountered while connecting to the server xxxxxxxx03/ip:端口 |
|
The front-end logs are as follows: 2024/12/06 19:16:00 prepare execute statement, line:1 |
|
Has the Kerberos ticket expired (after more than 7 days)? If you execute kinit -kt xx xx and then perform the same operation again, will you still encounter the same issue |
|
这是来自QQ邮箱的假期自动回复邮件。
您好,我最近正在休假中,无法亲自回复您的邮件。我将在假期结束后,尽快给您回复。
|
What happened?
When using the External Catalog type, Mixed-Iceberg, Mixed-Hive, Iceberg table formats, and Kerberos authentication method, after creating a hive_catalog with Hive service tickets and keytab files, if you create an Iceberg table in that Catalog and a specific database and insert data, subsequent queries will prompt a client authentication failure. It will look like this:
Caused by: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:754)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1953)
at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:709)
at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:812)
at org.apache.hadoop.ipc.Client$Connection.access$3800(Client.java:364)
at org.apache.hadoop.ipc.Client.getConnection(Client.java:1649)
at org.apache.hadoop.ipc.Client.call(Client.java:1473)
... 44 more
Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:179)
at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:399)
at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:578)
at org.apache.hadoop.ipc.Client$Connection.access$2100(Client.java:364)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:799)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:795)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1953)
at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:795)
... 47 more
After I restarted the Amoro service using ams.sh restart, querying the iceberg table data worked normally. However, if I continued to click the query button, it would throw the authentication exception mentioned above again.
Interestingly, every time I restarted the service, the first query would succeed, but the N query would fail; then after restarting the service again, the first query would succeed, and the N query would fail...
Affects Versions
0.7.1
What table formats are you seeing the problem on?
Iceberg
What engines are you seeing the problem on?
AMS
How to reproduce
No response
Relevant log output
No response
Anything else
No response
Are you willing to submit a PR?
Code of Conduct
The text was updated successfully, but these errors were encountered: