After a CDH cluster is enabled with Kerberos, by default, HiveServer2’s web UI will also be enabled with SPNEGO, sometimes it will cause HiveServer2’s web UI to reject user’s request with below error:

GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))

This can happen when Kerberos has detected that user is trying to authenticate twice within a short amount of time using the same principal and it might be caused by the redirect happens behind the scene when HiveServer2 tries to load the page.

There is a simple workaround. All you need to do is to go to either http://{hiveserve2-url}:10002/index.html or http://{hiveserve2-url}:10002/hiveserver2.jsp, and HiveServer2’s web UI will be returned successfully. I have tested and confirmed it is working.

However, for those of you still hit this issue after this workaround, then you might need to consider disabling SPNEGO for HiveServer2’s web UI. Go to Cloudera Manager > Hive > Configuration > “HiveServer2 Advanced Configuration Snippet (Safety Valve) for hive-site.xml” and enter below details:

<property>
  <name>hive.server2.webui.use.spnego</name>
  <value>false</value>
  <description>Disable SPNEGO for Hive web UI</description>
</property>

Then restart HiveServer2.

Please note that the issue was reported in the upstream Hive JIRA, please refer to HIVE-14984, it has been fixed since CDH 6.2.0 and above.

Leave a Reply

Your email address will not be published. Required fields are marked *