EMR 010 HiveServer2 with LDAPS - qyjohn/AWS_Tutorials GitHub Wiki

In this example, I used ipa.qyjohn.net:636 as my LDAPS server. The LDAPS server is built on RHEL 8.0 with FreeIPA. The following is the Red Hat documentation on how to install FreeIPA.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/installing_identity_management/index

After setting up FreeIPA as my LDAPS server, I used the following steps to configure HiveServer2 to authenticate with LDAPS:

(1) Extract the self-signed certificates from the LDAPS server.

$ openssl s_client -showcerts -verify 5 -connect ipa.qyjohn.net:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}' 
verify depth is 5
depth=1 O = QYJOHN.NET, CN = Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 O = QYJOHN.NET, CN = Certificate Authority
verify return:1
depth=0 O = QYJOHN.NET, CN = ipa.qyjohn.net
verify return:1
DONE

At this point I have extracted two certificate files from the LDAPS server, cert1.pem and cert2.pem.

(2) On EMR, the default key store is /etc/pki/ca-trust/extracted/java/cacerts, and its password is "changeit". Before we modify the key store, we create a backup of it so that we can always go back to the original version.

$ cd ~
$ cp /etc/pki/ca-trust/extracted/java/cacerts  cacerts.backup

(3) Then we create a copy of the key store file to work on.

$ cd ~
$ cp /etc/pki/ca-trust/extracted/java/cacerts  .

(4) Import the LDAPS certificates into the key store. When the command asks for a password, answer "changeit".

$ sudo keytool -import -trustcacerts -file cert1.pem -keystore cacerts -alias ipa-1
$ sudo keytool -import -trustcacerts -file cert2.pem -keystore cacerts -alias ipa-2

(5) Replace the original key store with our modified version.

$ sudo cp cacerts /etc/pki/ca-trust/extracted/java/cacerts

(6) In /etc/hive/conf/hive-site.xml, I have the following configuration. You will need to replace the values with your own parameters:

<property>
  <name>hive.server2.authentication</name>
  <value>LDAP</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.url</name>
  <value>ldaps://ipa.qyjohn.net:636</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.baseDN</name>
  <value>cn=users,cn=accounts,dc=qyjohn,dc=net</value>
</property>

(7) Restart HiveServer2.

$ sudo stop hive-server2
$ sudo start hive-server2

(8) Test with beeline.

$ beeline
Beeline version 2.3.5-amzn-1 by Apache Hive
beeline> !connect jdbc:hive2://ip-172-32-7-245:10000/
Connecting to jdbc:hive2://ip-172-32-7-245:10000/
Enter username for jdbc:hive2://ip-172-32-7-245:10000/: username
Enter password for jdbc:hive2://ip-172-32-7-245:10000/: *********
Connected to: Apache Hive (version 2.3.5-amzn-1)
Driver: Hive JDBC (version 2.3.5-amzn-1)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://ip-172-32-7-245:10000/> 

(9) If the LDAPS certificates are not properly installed in the key store, you will see the following output in beeline, indicating an authentication failure (Error validating the login).

$ beeline
Beeline version 2.3.5-amzn-1 by Apache Hive
beeline> !connect jdbc:hive2://ip-172-32-7-245:10000/
Connecting to jdbc:hive2://ip-172-32-7-245:10000/
Enter username for jdbc:hive2://ip-172-32-7-245:10000/: username
Enter password for jdbc:hive2://ip-172-32-7-245:10000/: *********
19/11/04 23:40:54 [main]: WARN jdbc.HiveConnection: Failed to connect to ip-172-32-7-245:10000
Unknown HS2 problem when communicating with Thrift server.
Error: Could not open client transport with JDBC Uri: jdbc:hive2://ip-172-32-7-245:10000/: Peer indicated failure: Error validating the login (state=08S01,code=0)

You will also find error messages like the following in /var/log/hive/hive-server2.log:

2019-11-04T23:40:54,822 ERROR [HiveServer2-Handler-Pool: Thread-31([])]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login
	at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:110) ~[hive-service-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539) ~[hive-exec-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283) [hive-exec-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) [hive-exec-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) [hive-exec-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) [hive-exec-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user
	at org.apache.hive.service.auth.ldap.LdapSearchFactory.getInstance(LdapSearchFactory.java:48) ~[hive-service-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.createDirSearch(LdapAuthenticationProviderImpl.java:92) ~[hive-service-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:72) ~[hive-service-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:107) ~[hive-service-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:103) ~[hive-service-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	... 8 more
Caused by: javax.naming.CommunicationException: simple bind failed: ipa.qyjohn.net:636
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) ~[?:1.8.0_222]
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791) ~[?:1.8.0_222]
... ...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_222]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) ~[?:1.8.0_222]
... ...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[?:1.8.0_222]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:1.8.0_222]
... ...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:1.8.0_222]
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:1.8.0_222]
... ...
2019-11-04T23:40:54,829 ERROR [HiveServer2-Handler-Pool: Thread-31([])]: server.TThreadPoolServer (TThreadPoolServer.java:run(297)) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Error validating the login
	at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219) ~[hive-exec-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) [hive-exec-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
Caused by: org.apache.thrift.transport.TTransportException: Error validating the login
	at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232) ~[hive-exec-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316) ~[hive-exec-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-2.3.5-amzn-1.jar:2.3.5-amzn-1]
	... 4 more
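The beeline error in step (9) only says "Error validating the login"; the real reason sits at the bottom of the "Caused by:" chain in hive-server2.log. The following is an added example (not code from the wiki or from Hive) that splits the log into exception records and walks each chain to its innermost exception, so a missing LDAPS CA in the JVM truststore is reported as such rather than as a generic login failure. The sample log is constructed from the excerpt above with stack frames trimmed.

```python
"""Diagnose a HiveServer2 LDAP login failure from hive-server2.log. Added
example (not from the wiki): walk each record's 'Caused by:' chain inward."""
import re

# Innermost-exception patterns, most specific first. The PKIX message is what
# the JVM logs when the LDAPS CA is missing from cacerts (wiki steps 1-5).
ROOT_CAUSES = [
    (r"unable to find valid certification path", "truststore-missing-ca"),
    (r"SSLHandshakeException", "tls-handshake-failed"),
    (r"simple bind failed", "ldap-bind-failed"),
    (r"Error validating the login", "hs2-login-rejected"),
]
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
CAUSED_BY = re.compile(r"^Caused by: (.+)$")

def split_records(log_text):
    """Group lines into records, each starting at a timestamped log line."""
    records = []
    for line in log_text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append([])
        records[-1].append(line)
    return records

def root_cause(record):
    """Innermost 'Caused by:' message, else the top-level exception line."""
    causes = [m.group(1) for m in map(CAUSED_BY.match, record) if m]
    return causes[-1] if causes else record[min(1, len(record) - 1)]

def classify(message):
    for pattern, label in ROOT_CAUSES:
        if re.search(pattern, message):
            return label
    return "unknown"

def diagnose(log_text):
    """One label per exception record, in log order."""
    return [classify(root_cause(r)) for r in split_records(log_text)]

# Constructed sample: the two records from the wiki's log with frames trimmed.
SAMPLE_LOG = """\
2019-11-04T23:40:54,822 ERROR [HiveServer2-Handler-Pool: Thread-31([])]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login
Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user
Caused by: javax.naming.CommunicationException: simple bind failed: ipa.qyjohn.net:636
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2019-11-04T23:40:54,829 ERROR [HiveServer2-Handler-Pool: Thread-31([])]: server.TThreadPoolServer (TThreadPoolServer.java:run(297)) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Error validating the login
Caused by: org.apache.thrift.transport.TTransportException: Error validating the login
"""
```

Run it against a real /var/log/hive/hive-server2.log with `diagnose(open(path).read())`; a result of "truststore-missing-ca" means steps (1) to (5) were not completed on the node running HiveServer2.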