Presto settings and encryption over the wire...

Enthusiast

We installed Presto CLI 0.167-t.0.2, and I've added the hive catalog and attempted to access the database, and it failed. At the end is the example of how we connect via Beeline; I would imagine I would need the keystore information in the hive.properties files. Any suggestions? This part of installing Presto is new to me.

 

Output from Presto CLI:

presto> use hive.default;
presto:default> show tables;
Query 20170504_152640_00005_yibuu failed: Failed connecting to Hive metastore: [<HMS>:9083]

presto:default>

 

Hive.properties:

connector.name=hive-hadoop2
hive.metastore.uri=thrift://HMS:9083
hive.metastore.authentication.type=KERBEROS
hive.metastore.service.principal=hive/HMS@EXAMPLE.COM
hive.metastore.client.principal=presto@EXAMPLE.COM
hive.metastore.client.keytab=/etc/presto/presto.keytab
hive.hdfs.authentication.type=KERBEROS
hive.hdfs.presto.principal=presto@EXAMPLE.COM
hive.hdfs.presto.keytab=/etc/presto/presto.keytab

 

/var/log/presto/server.log (java stack trace removed):

2017-05-04T14:44:06.835Z ERROR Query-20170504_144406_00002_yibuu-2186 org.apache.thrift.transport.TSaslTransport SASL negotiation failure
javax.security.sasl.SaslException: No common protection layer between client and server

 

Beeline command:

!connect jdbc:hive2://HS2:10000/default;principal=hive/_HOST@EXAMPLE.COM;ssl=true;sslTrustStore=/opt/cloudera/security/jks/hdp.truststore;trustStorePassword=<PasswordToTrustStore>

 

8 REPLIES
Teradata Employee

Re: Presto settings and encryption over the wire...

Hi,

 

Can you explain what you're trying to do? Are you just trying to set up a Kerberized Hive connector? If that's the case then this troubleshooting guide we wrote is a good first step: http://community.teradata.com/t5/Presto/Presto-Kerberos-Troubleshooting/m-p/70691. Please read through it and double check all the requirements have been met.

 

Presto only ever connects to the metastore; it never talks to the Hive Server, so the Beeline connection string isn't necessarily applicable. Can you show the full stack trace from the Presto server so we know where it's coming from? Also include any errors from the metastore logs.

 

Hope this helps!

Enthusiast

Re: Presto settings and encryption over the wire...

I'm not seeing any Kerberos related errors; below is what I've done so far.

I've created a simple test file, to pass the parameters to presto:

test.sh

#!/bin/bash

./presto \
--server https://<PrestoCoordinator>:8080 \
--enable-authentication \
--krb5-config-path /etc/krb5.conf \
--krb5-principal <USER>@EXAMPLE.COM \
--krb5-keytab-path /home/<USER>/my.keytab \
--krb5-remote-service-name presto \
--keystore-path /opt/cloudera/security/jks/hdp.truststore \
--keystore-password <password> \
--catalog hive \
--schema default

 

When I attempt to show tables in the default schema, I get the following error message in Presto:

STDOUT:

presto:default> show tables;
Error running command:
javax.net.ssl.SSLHandshakeException: Unrecognized SSL message, plaintext connection?

presto:default> exit

 

/var/log/presto/server.log

2017-05-04T21:36:01.221Z WARN http-worker-3034 org.eclipse.jetty.http.HttpParser Illegal character 0x16 in state=START for buffer HeapByteBuffer@2ae58af8[p=1,l=172,c=8192,r=171]={\x16<<<\x03\x03\x00\xA7\x01\x00\x00\xA3\x03\x03Y\x0b\x9e\xC1\xF9l\xC4...\x01\x04\x02\x03\x03\x03\x01\x03\x02\x02\x03\x02\x01\x02\x02>>>35c.bcidatalake.c...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2017-05-04T21:36:01.222Z WARN http-worker-3034 org.eclipse.jetty.http.HttpParser bad HTTP parsed: 400 Illegal character 0x16 for HttpChannelOverHttp@294da37b{r=0,c=false,a=IDLE,uri=null}
2017-05-04T21:36:01.234Z WARN http-worker-3037 org.eclipse.jetty.http.HttpParser Illegal character 0x16 in state=START for buffer HeapByteBuffer@540a3c66[p=1,l=172,c=8192,r=171]={\x16<<<\x03\x03\x00\xA7\x01\x00\x00\xA3\x03\x03Y\x0b\x9e\xC1}\xAdk...\x01\x04\x02\x03\x03\x03\x01\x03\x02\x02\x03\x02\x01\x02\x02>>>37\r\n\r\nidatalake.c...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2017-05-04T21:36:01.234Z WARN http-worker-3037 org.eclipse.jetty.http.HttpParser bad HTTP parsed: 400 Illegal character 0x16 for HttpChannelOverHttp@2151e771{r=0,c=false,a=IDLE,uri=null}
2017-05-04T21:36:05.907Z WARN http-worker-2993 org.eclipse.jetty.http.HttpParser Illegal character 0x16 in state=START for buffer HeapByteBuffer@40b7430d[p=1,l=172,c=8192,r=171]={\x16<<<\x03\x03\x00\xA7\x01\x00\x00\xA3\x03\x03Y\x0b\x9e\xC5\xA7eB...\x01\x04\x02\x03\x03\x03\x01\x03\x02\x02\x03\x02\x01\x02\x02>>>35c.bcidatalake.c...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2017-05-04T21:36:05.907Z WARN http-worker-2993 org.eclipse.jetty.http.HttpParser bad HTTP parsed: 400 Illegal character 0x16 for HttpChannelOverHttp@379fd13e{r=0,c=false,a=IDLE,uri=null}
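
The Jetty warnings above can be read byte by byte: 0x16 is the TLS handshake record type, so the HTTP parser on port 8080 was handed a TLS ClientHello, which matches the CLI's "plaintext connection?" message. The following is an added example, not part of the original post; the function names are hypothetical and the sample is the buffer prefix copied from the first log line.

```python
import re

# Buffer prefix copied from the first Jetty WARN line above ("<<<" marks the read position).
SAMPLE = r"{\x16<<<\x03\x03\x00\xA7\x01\x00\x00\xA3\x03\x03Y\x0b\x9e\xC1"

_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([rnt])|(.)", re.S)
_CTL = {"r": 13, "n": 10, "t": 9}
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS"}


def jetty_buffer_bytes(dump: str) -> bytes:
    """Turn Jetty's escaped buffer dump back into the raw leading bytes."""
    dump = dump.lstrip("{").replace("<<<", "", 1)
    out = bytearray()
    for hx, ctl, ch in _ESC.findall(dump):
        if hx:
            out.append(int(hx, 16))
        elif ctl:
            out.append(_CTL[ctl])
        else:
            out.append(ord(ch) & 0xFF)
    return bytes(out)


def classify(first: bytes) -> dict:
    """Say whether the first bytes on a connection are TLS or plain HTTP."""
    if len(first) >= 5 and first[0] == 0x16 and first[1] == 0x03:
        info = {
            "protocol": "tls",
            "record_version": (first[1], first[2]),  # (3, 3) is TLS 1.2
            "record_length": int.from_bytes(first[3:5], "big"),
        }
        if len(first) >= 9 and first[5] == 0x01:
            info["handshake"] = "ClientHello"
            info["handshake_length"] = int.from_bytes(first[6:9], "big")
        return info
    if first.split(b" ", 1)[0] in HTTP_METHODS:
        return {"protocol": "http"}
    return {"protocol": "unknown"}


if __name__ == "__main__":
    result = classify(jetty_buffer_bytes(SAMPLE))
    print(result)
    # 5-byte record header + record_length equals the l=172 shown in the log line
    print("total bytes:", 5 + result["record_length"])
```
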

Teradata Employee

Re: Presto settings and encryption over the wire...

> I'm not seeing any Kerberos related errors
Yes, but often even when you're setting up Kerberos the errors you get have seemingly nothing to do with Kerberos. Can you please tell me what you're trying to do? Are you trying to set up only frontend Kerberos authentication for Presto (by frontend I only mean authenticating the CLI with the Presto coordinator)? Or are you trying to connect to Kerberized Hive? Judging from your hive.properties and CLI settings it seems to me like you're trying to do both. Can you confirm?

 

The handshake error you're seeing suggests that the metastore may not have been set up for Kerberos. Did you Kerberize your metastore? I think the variables you need to set in hive-site.xml are these, but you should double check:

"hive.metastore.sasl.enabled": "true",
"hive.metastore.kerberos.principal": "hive/_HOST@EXAMPLE.TERADATA.COM",
"hive.metastore.kerberos.keytab.file": "/etc/security/hive.service.keytab"

 

Also, can you see if there's any useful information in the metastore logs?

Teradata Employee

Re: Presto settings and encryption over the wire...

I think that we don't actually support encryption over the wire to Hive, whether to the Hive server or the metastore.

Enthusiast

Re: Presto settings and encryption over the wire...

Can that be confirmed? Are there any workarounds which may not be supported that might work? Not suggesting we do that, but want to give a full picture of the issue.

Teradata Employee

Re: Presto settings and encryption over the wire...

Can you respond to the questions that Anton asked? Andrii, one of our engineers, said that authentication to the metastore happens via SASL, which seems like what the error relates to. There is just SASL+GSS to connect to the Hive metastore, not SSL.
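
The SASL+GSS exchange mentioned above ends with a security-layer step (RFC 4752): the server offers a bitmask of layers and the client picks one from its own quality-of-protection list. The Java GSSAPI client reports "No common protection layer between client and server" when the two sets do not intersect. The sketch below is an added example, not code from the thread or from Presto; the function names and server tokens are constructed.

```python
# SASL GSSAPI security-layer bits (RFC 4752), keyed by the Java QOP names.
LAYERS = {"auth": 0x01, "auth-int": 0x02, "auth-conf": 0x04}


class NoCommonLayer(Exception):
    """Client and server share no security layer."""


def parse_server_offer(token: bytes):
    """Decode the unwrapped 4-octet server token: layer bitmask + 24-bit max buffer."""
    if len(token) != 4:
        raise ValueError("server security-layer token must be 4 octets")
    mask = token[0]
    max_buf = int.from_bytes(token[1:], "big")
    offered = [name for name, bit in LAYERS.items() if mask & bit]
    return offered, max_buf


def select_layer(server_token: bytes, client_qop: str) -> str:
    """Pick the first client preference the server also offers.

    client_qop is a comma-separated preference list in the style of the
    javax.security.sasl.qop property, e.g. "auth-conf,auth".
    """
    offered, _ = parse_server_offer(server_token)
    for name in (q.strip() for q in client_qop.split(",")):
        if name not in LAYERS:
            raise ValueError(f"unknown QOP {name!r}")
        if name in offered:
            return name
    raise NoCommonLayer(
        f"server offers {offered}, client accepts {client_qop!r}"
    )


if __name__ == "__main__":
    # Constructed tokens: a server that insists on confidentiality,
    # and one that accepts any layer.
    privacy_only = bytes([0x04, 0x01, 0x00, 0x00])
    anything = bytes([0x07, 0x01, 0x00, 0x00])
    print(select_layer(anything, "auth"))             # authentication only
    print(select_layer(privacy_only, "auth-conf"))    # encrypted layer agreed
    try:
        select_layer(privacy_only, "auth")            # the mismatch case
    except NoCommonLayer as exc:
        print("negotiation failed:", exc)
```
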

Enthusiast

Re: Presto settings and encryption over the wire...

Just in case I forgot to add the error messages:

 

STDOUT:

presto:default> show catalogs;
Catalog
---------
hive
system
tpch
(3 rows)

Query 20170508_160905_00002_yibuu, FINISHED, 1 node
Splits: 1 total, 1 done (100.00%)
0:00 [0 rows, 0B] [0 rows/s, 0B/s]

presto:default> show schemas;

Query 20170508_160908_00003_yibuu, FAILED, 2 nodes
Splits: 1 total, 0 done (0.00%)
0:00 [0 rows, 0B] [0 rows/s, 0B/s]

Query 20170508_160908_00003_yibuu failed: Failed connecting to Hive metastore: [<IP_ADDRESS>:9083]

presto:default> show tables;
Query 20170508_160920_00004_yibuu failed: Failed connecting to Hive metastore: [<IP_ADDRESS>:9083]

presto:default>

 

STDERR:

2017-05-08T16:09:20.198Z ERROR Query-20170508_160920_00004_yibuu-13916 org.apache.thrift.transport.TSaslTransport SASL negotiation failure
javax.security.sasl.SaslException: No common protection layer between client and server

Enthusiast

Re: Presto settings and encryption over the wire...

Please disregard the preceding error message; the issue is still being reported as a SASL error, but the stdout message is different (correct earlier in the thread).