Hive and Hadoop Connections failing in IICS post Fall 2020 Upgrade

Version 3

    ISSUE: The test connection fails with the below error-

    The test connection for Hive/Hadoop failed. Unable to connect to the hadoop file system url 'hdfs://infa'. Cause: java.lang.RuntimeException: [org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException): User: INFA@MIT1.HADOOP.GSR.COM is not allowed to impersonate infa@MIT1.HADOOP.GSR.COM]

     

     

    The following error message is seen in the tomcat.log-

    ERROR [com.informatica.cci.client.rest.resources.CCIMetadataResource] - Error occured in getMetadata for Org

    java.lang.RuntimeException: org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [INFA@MIT1.HADOOP.GSR.COM] does not have [USE] privilege on [data_repository]

    at com.informaticallc.adapter.hive.metadata.adapter.HiveMetadataAdapter.populateObjectCatalog(HiveMetadataAdapter.java:117)

    at com.informatica.adapter.sdkadapter.metadata.semantic.consumer.SemanticMetadataAdapter.getObjectCatalog(SemanticMetadataAdapter.java:148)

    at com.informatica.adapter.sdkadapter.metadata.semantic.lwconsumer.SemanticLWCCIClientAdapter.populateObjectCatalog(SemanticLWCCIClientAdapter.java:283)

     

    Caused by: org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [INFA@MIT1.HADOOP.GSR.COM] does not have [USE] privilege on [data_repository]

    at org.apache.hive.jdbc.Utils.verifySuccess(Utils.java:300)

    at org.apache.hive.jdbc.Utils.verifySuccessWithInfo(Utils.java:286)

     

     

    RESOLUTION:

    To resolve this issue, please follow the steps mentioned below-

    • Shutdown the secure agent.
    • Navigate to the directory- {Agent_Dir}\apps\jdk\1.8.0_252_SA\jre\lib\security
    • Take a backup of the file- 'java.security' outside agent directory (Very Imp)
    • Edit the original 'java.security' file and change the property- sun.security.krb5.disableReferrals from false to true. (set sun.security.krb5.disableReferrals=true).
    • Save the file.
    • Restart the agent.

     

     

    NOTE:

    Additionally if the krb5.conf has the property set for ticket renewal- "renew_lifetime = <n>d" (example: renew_lifetime = 7d), then kindly remove the property or comment it out in the krb5.conf file.

    Or else the connection will fail with the below error (even after changing sun.security.krb5.disableReferrals=true)-

    The test connection for Hive/Hadoop failed. java.lang.RuntimeException: java.lang.reflect.InvocationTargetException

     

    The following error message in seen in the tomcat.log-

    ERROR [com.informatica.saas.toolkit.metadataRead.Dao.PluginModel] - Exception while connecting to the target system

    com.informatica.cloud.api.adapter.connection.ConnectionFailedException: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException

    at com.informatica.cloudlabs.adapter.hive.connection.HiveConnectorConnection.connect(HiveConnectorConnection.java:186)

    at com.informatica.saas.toolkit.metadataRead.Dao.PluginModel.connect(PluginModel.java:79)

    at com.informatica.saas.toolkit.metadataRead.Dao.PluginDao.connect(PluginDao.java:280)

     

    Caused by: java.lang.RuntimeException: java.lang.RuntimeException: java.io.IOException: [Login failure for INFA@MIT1.HADOOP.GSR.COM from keytab /inf/infa.keytab: javax.security.auth.login.LoginException: Message stream modified (41)]

    at com.informatica.platform.dtm.executor.hadoop.impl.AbstractIUserGroupInformationImpl.loginUserFromKeytab(AbstractIUserGroupInformationImpl.java:82)

    ... 51 more