2019-01-02 14:14:45,161 ERROR [HiveServer2-Handler-Pool: Thread-37]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))]
    at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:177)
    at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:739)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:736)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:356)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1673)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:736)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:155)
    ... 14 more
Caused by: KrbException: Specified version of key is not available (44)
    at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:588)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:270)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
    ... 17 more
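To start, here is a rather amusing error.
Taken literally, the error says "Specified version of key is not available". That puzzled me, because I never specified a key anywhere. I asked Baidu for help and found an answer that seemed to explain it reasonably well: https://stackoverflow.com/questions/24511812/krbexception-specified-version-of-key-is-not-available-44
Answer:
It says the error is caused by the version number of the keytab file not matching the version number in Kerberos, and that you need to add a parameter when creating the keytab file to skip that check. I tried this approach, comparing the keytab version numbers on the server and the client until they matched, but it made no difference and the same error was still reported. Only when I turned on debug logging did I find that this was not the cause at all.
To turn on debug logging, you only need to edit the logging configuration file: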
vi apache-hive-1.2.0-bin/conf/hive-log4j.properties
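Change the level to debug and you will see a message saying that the Kerberos user being authenticated does not match. In the end it turned out that my connection string was wrong:
JDBC connection string: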
jdbc:hive2://10.1.4.32:10000/default;principal=udap/host32@STA.COM
beeline connection string:
!connect jdbc:hive2://10.1.4.32:10000/default;principal=udap/host32@STA.COM
My mistake was treating the principal at the end of the connection string as a custom user, for example:
!connect jdbc:hive2://10.1.4.32:10000/default;principal=garfield/host32@STA.COM
That produces the error shown above.
done
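A pre-flight check for the mistake described above, as an added example that is not code from the original post: it pulls `principal=` out of a `jdbc:hive2://` URL and compares it, part by part, with the principal HiveServer2 runs as. The function names, the server principal `udap/_HOST@STA.COM` and the use of the `_HOST` placeholder are assumptions made for the illustration.

```python
import re

PRINCIPAL_RE = re.compile(r"^([^/@]+)/([^/@]+)@([^/@]+)$")

def split_principal(text):
    """Split primary/instance@REALM into its three parts."""
    m = PRINCIPAL_RE.match(text)
    if not m:
        raise ValueError(f"expected primary/instance@REALM, got {text!r}")
    return m.groups()

def url_principal(jdbc_url):
    """Return the principal= session variable of a jdbc:hive2:// URL, or None."""
    prefix = "jdbc:hive2://"
    if not jdbc_url.startswith(prefix):
        raise ValueError("not a jdbc:hive2:// URL")
    # Session variables sit between the first ';' and any '?' or '#' section.
    _, _, tail = jdbc_url[len(prefix):].partition(";")
    session = re.split(r"[?#]", tail, maxsplit=1)[0]
    params = dict(p.split("=", 1) for p in session.split(";") if "=" in p)
    return params.get("principal")

def check_url(jdbc_url, server_principal, server_host):
    """List mismatches between the URL principal and the HiveServer2 principal."""
    principal = url_principal(jdbc_url)
    if principal is None:
        return ["URL has no principal= session variable"]
    # Assumption: the server config may use the _HOST placeholder for its own hostname.
    expected = split_principal(server_principal.replace("_HOST", server_host.lower()))
    actual = split_principal(principal)
    problems = []
    for name, want, got in zip(("primary", "instance", "realm"), expected, actual):
        if want != got:
            problems.append(f"{name}: URL has {got!r}, HiveServer2 uses {want!r}")
    return problems

# Constructed inputs: the two connection strings from the post, checked against
# an assumed server principal of udap/_HOST@STA.COM on host "host32".
GOOD = "jdbc:hive2://10.1.4.32:10000/default;principal=udap/host32@STA.COM"
BAD = "jdbc:hive2://10.1.4.32:10000/default;principal=garfield/host32@STA.COM"

if __name__ == "__main__":
    for url in (GOOD, BAD):
        print(url, "->", check_url(url, "udap/_HOST@STA.COM", "host32") or "OK")
```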