Hue-4.9.0 can't load hive database and print error "Bad status: 3 (GSS initiate failed) (code THRIFTTRANSPORT): TTransportException('Bad status: 3 (GSS initiate failed)',)"

Hi,
When I use Hue 4.9.0 to access Hive in the Kerberos security authentication environment, an error occurs. This problem has been bothering me for days. Who can help me?
The error message is “Bad status: 3 (GSS initiate failed) (code THRIFTTRANSPORT): TTransportException(‘Bad status: 3 (GSS initiate failed)’,)”.
My configuration is as follows:

[beeswax]

  # Host where HiveServer2 is running.
  # If Kerberos security is enabled, use fully-qualified domain name (FQDN).
  hive_server_host=k8s-dev-8-207

  # Binary thrift port for HiveServer2.
  hive_server_port=10000

  # Http thrift port for HiveServer2.
  ## hive_server_http_port=10001

  # Host where LLAP is running
  ## llap_server_host = localhost

  # LLAP binary thrift port
  ## llap_server_port = 10500

  # LLAP HTTP Thrift port
  ## llap_server_thrift_port = 10501

  # Alternatively, use Service Discovery for LLAP (Hive Server Interactive) and/or Hiveserver2, this will override server and thrift port

  # Whether to use Service Discovery for LLAP
  ## hive_discovery_llap = true

  # is llap (hive server interactive) running in an HA configuration (more than 1)
  # important as the zookeeper structure is different
  ## hive_discovery_llap_ha = false

  # Shortcuts to finding LLAP znode Key
  # Non-HA - hiveserver-interactive-site - hive.server2.zookeeper.namespace ex hive2 = /hive2
  # HA-NonKerberized - (llap_app_name_llap) ex app name llap0 = /llap0_llap
  # HA-Kerberized - (llap_app_name_llap)-sasl ex app name llap0 = /llap0_llap-sasl
  ## hive_discovery_llap_znode = /hiveserver2-hive2

  # Whether to use Service Discovery for HiveServer2
  ## hive_discovery_hs2 = true

  # Hiveserver2 is hive-site hive.server2.zookeeper.namespace ex hiveserver2 = /hiverserver2
  ## hive_discovery_hiveserver2_znode = /hiveserver2

  # Applicable only for LLAP HA
  # To keep the load on zookeeper to a minimum
  # ---- we cache the LLAP activeEndpoint for the cache_timeout period
  # ---- we cache the hiveserver2 endpoint for the length of session
  # configurations to set the time between zookeeper checks
  ## cache_timeout = 60

  # Host where Hive Metastore Server (HMS) is running.
  # If Kerberos security is enabled, the fully-qualified domain name (FQDN) is required.
  ## hive_metastore_host=localhost

  # Configure the port the Hive Metastore Server runs on.
  ## hive_metastore_port=9083

  # Hive configuration directory, where hive-site.xml is located
  hive_conf_dir=/usr/bch/current/hive-server2/conf

  # Timeout in seconds for thrift calls to Hive service
  server_conn_timeout=120

  # Choose whether to use the old GetLog() thrift call from before Hive 0.14 to retrieve the logs.
  # If false, use the FetchResults() thrift call from Hive 1.0 or more instead.
  use_get_log_api=False

  # Limit the number of partitions that can be listed.
  list_partitions_limit=10000

  # The maximum number of partitions that will be included in the SELECT * LIMIT sample query for partitioned tables.
  query_partitions_limit=10

  # A limit to the number of rows that can be downloaded from a query before it is truncated.
  # A value of -1 means there will be no limit.
  ## download_row_limit=100000

  # A limit to the number of bytes that can be downloaded from a query before it is truncated.
  # A value of -1 means there will be no limit.
  ## download_bytes_limit=-1

  # Hue will try to close the Hive query when the user leaves the editor page.
  # This will free all the query resources in HiveServer2, but also make its results inaccessible.
  close_queries=False

  # Hue will use at most this many HiveServer2 sessions per user at a time.
  # For Tez, increase the number to more if you need more than one query at the time, e.g. 2 or 3 (Tez has a maximum of 1 query by session).
  # -1 is unlimited number of sessions.
  ## max_number_of_sessions=1

  # When set to True, Hue will close sessions created for background queries and open new ones as needed.
  # When set to False, Hue will keep sessions created for background queries opened and reuse them as needed.
  # This flag is useful when max_number_of_sessions != 1
  ## close_sessions=max_number_of_sessions != 1

  # Thrift version to use when communicating with HiveServer2.
  # Version 11 comes with Hive 3.0. If issues, try 7.
  thrift_version=11

  # A comma-separated list of white-listed Hive configuration properties that users are authorized to set.
  config_whitelist=hive.map.aggr,hive.exec.compress.output,hive.exec.parallel,hive.execution.engine,mapreduce.job.queuename

  # Override the default desktop username and password of the hue user used for authentications with other services.
  # e.g. Used for LDAP/PAM pass-through authentication.
  auth_username=admin
  auth_password="admin"

  # Use SASL framework to establish connection to host.
  ## use_sasl=false

  [[ssl]]
    # Path to Certificate Authority certificates.
    cacerts=/etc/hue/cacerts.pem

    # Choose whether Hue should validate certificates received from the server.
    validate=True

This is the Kerberos configuration:

  [[kerberos]]
    # Path to Hue's Kerberos keytab file
    hue_keytab=/etc/security/keytabs/hue.service.keytab
    # Kerberos principal name for Hue
    hue_principal=hue/k8s-dev-8-207@BCHKDC
    # Path to kinit
    kinit_path=/usr/bin/kinit

Here is hiveserver2.log:

2021-09-17T08:18:07,328 ERROR [HiveServer2-Handler-Pool: Thread-88]: transport.TSaslTransport (:()) - SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:199) ~[?:1.8.0_112]
        at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:694) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_112]
        at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_112]
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1665) ~[hadoop-common-3.1.0-bc3.3.0.jar:?]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_112]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_112]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[?:1.8.0_112]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167) ~[?:1.8.0_112]
        ... 14 more
Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:96) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:88) ~[?:1.8.0_112]
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[?:1.8.0_112]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167) ~[?:1.8.0_112]
        ... 14 more
Caused by: java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.DkCrypto.decrypt(DkCrypto.java:362) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3.decrypt(Des3.java:79) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:94) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:88) ~[?:1.8.0_112]
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[?:1.8.0_112]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167) ~[?:1.8.0_112]
        ... 14 more
2021-09-17T08:18:07,329 ERROR [HiveServer2-Handler-Pool: Thread-88]: server.TThreadPoolServer (:()) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: GSS initiate failed
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:694) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_112]
        at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_112]
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1665) ~[hadoop-common-3.1.0-bc3.3.0.jar:?]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_112]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_112]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
        at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        ... 10 more
2021-09-17T08:18:07,330 ERROR [HiveServer2-Handler-Pool: Thread-87]: transport.TSaslTransport (:()) - SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:199) ~[?:1.8.0_112]
        at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:694) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_112]
        at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_112]
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1665) ~[hadoop-common-3.1.0-bc3.3.0.jar:?]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_112]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_112]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[?:1.8.0_112]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167) ~[?:1.8.0_112]
        ... 14 more
Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:96) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:88) ~[?:1.8.0_112]
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[?:1.8.0_112]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167) ~[?:1.8.0_112]
        ... 14 more
Caused by: java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.DkCrypto.decrypt(DkCrypto.java:362) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3.decrypt(Des3.java:79) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:94) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:88) ~[?:1.8.0_112]
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[?:1.8.0_112]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167) ~[?:1.8.0_112]
        ... 14 more
2021-09-17T08:18:07,330 ERROR [HiveServer2-Handler-Pool: Thread-87]: server.TThreadPoolServer (:()) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: GSS initiate failed
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:694) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_112]
        at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_112]
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1665) ~[hadoop-common-3.1.0-bc3.3.0.jar:?]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_112]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_112]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
        at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        ... 10 more
2021-09-17T08:18:07,332 ERROR [HiveServer2-Handler-Pool: Thread-87]: transport.TSaslTransport (:()) - SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:199) ~[?:1.8.0_112]
        at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:694) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_112]
        at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_112]
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1665) ~[hadoop-common-3.1.0-bc3.3.0.jar:?]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_112]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_112]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[?:1.8.0_112]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167) ~[?:1.8.0_112]
        ... 14 more
Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:96) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:88) ~[?:1.8.0_112]
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[?:1.8.0_112]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167) ~[?:1.8.0_112]
        ... 14 more
Caused by: java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.DkCrypto.decrypt(DkCrypto.java:362) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3.decrypt(Des3.java:79) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:94) ~[?:1.8.0_112]
        at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:88) ~[?:1.8.0_112]
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281) ~[?:1.8.0_112]
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) ~[?:1.8.0_112]
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[?:1.8.0_112]
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[?:1.8.0_112]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167) ~[?:1.8.0_112]
        ... 14 more
2021-09-17T08:18:07,332 ERROR [HiveServer2-Handler-Pool: Thread-87]: server.TThreadPoolServer (:()) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: GSS initiate failed
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:694) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_112]
        at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_112]
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1665) ~[hadoop-common-3.1.0-bc3.3.0.jar:?]
        at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:691) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_112]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_112]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
        at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-3.1.0-bc3.3.0.jar:3.1.0-bc3.3.0]
        ... 10 more

SSH into the Hue server and do a manual kinit to see that the principal works with the Kerberos KDC.

$ kinit -kt /etc/security/keytabs/hue.service.keytab hue/k8s-dev-8-207@BCHKDC

If kinit fails, you need to fix that issue first; it could be cipher-related, or the principal may not have been properly created in the KDC.

Hi, thank you for your reply. However, I ran the above command on the Hue host and the output is normal. Is there any other direction for me to check?

Hi all, I fixed the above problem.
I modified the Hive configuration “hive.server2.authentication.kerberos.principal=hive/{hiveserver2Hostname}@${realm}”, then ensured that /etc/security/keytabs/hive.service.keytab can be used for hive/k8s-dev-8-207@BCHKDC, and copied this keytab to the Hue nodes.
Then Hue was OK.
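A server-side check for the "Checksum failed" seen in hiveserver2.log, which means HiveServer2 could not decrypt the service ticket with the key in its keytab. This is an added example, not code from the thread or from Hue or Hive: it parses the output of `klist -kte <keytab>` and `kvno <principal>` and reports whether the keytab holds the principal at the key version the KDC issues. The sample outputs, the key version numbers in them and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Live inputs would come from:
#   klist -kte /etc/security/keytabs/hive.service.keytab
#   kvno hive/k8s-dev-8-207@BCHKDC      (run with a valid TGT)

# Constructed sample of `klist -kte` output; the timestamp columns are assumed.
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/hive.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 09/10/2021 10:00:00 hive/k8s-dev-8-207@BCHKDC (des3-cbc-sha1)
   2 09/10/2021 10:00:00 hive/k8s-dev-8-207@BCHKDC (aes256-cts-hmac-sha1-96)'

# Constructed sample of `kvno` output: the KDC has moved on to key version 3.
SAMPLE_KVNO='hive/k8s-dev-8-207@BCHKDC: kvno = 3'

# Print the distinct key version numbers the keytab holds for a principal.
# $1 = principal, $2 = klist -kte output
keytab_kvnos() {
  printf '%s\n' "$2" | awk -v p="$1" '
    { for (i = 2; i <= NF; i++) if ($i == p) { print $1; break } }' | sort -un
}

# Print the distinct enctypes the keytab holds for a principal.
# Newer MIT klist prefixes weak types with "DEPRECATED:"; strip that too.
keytab_enctypes() {
  printf '%s\n' "$2" | awk -v p="$1" '
    { for (i = 2; i < NF; i++) if ($i == p) {
        e = $(i + 1); gsub(/[()]/, "", e); sub(/^DEPRECATED:/, "", e)
        print e; break } }' | sort -u
}

# Extract the key version number from `kvno <principal>` output.
kdc_kvno() {
  printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\) *$/\1/p' | head -n 1
}

# List single-DES, 3DES and RC4 keys, which are deprecated enctypes.
weak_enctypes() {
  keytab_enctypes "$1" "$2" | grep -E '^(des-|des3-|arcfour-|rc4-)' || true
}

# Compare keytab and KDC for one principal.
# Prints: principal-missing | kdc-unknown | kvno-mismatch | ok
diagnose() {
  have=$(keytab_kvnos "$1" "$2")
  if [ -z "$have" ]; then
    echo principal-missing   # keytab has no key for the configured principal
    return 1
  fi
  want=$(kdc_kvno "$3")
  if [ -z "$want" ]; then
    echo kdc-unknown         # kvno output not parseable (no ticket obtained?)
    return 3
  fi
  if ! printf '%s\n' "$have" | grep -qx -- "$want"; then
    echo kvno-mismatch       # keytab is stale: re-export it from the KDC
    return 2
  fi
  echo ok
}

# Demo on the constructed samples; prints "kvno-mismatch".
diagnose 'hive/k8s-dev-8-207@BCHKDC' "$SAMPLE_KLIST" "$SAMPLE_KVNO" || true
```

Run the same comparison against the principal that `hive.server2.authentication.kerberos.principal` resolves to on the HiveServer2 host, since a successful `kinit` for the Hue principal says nothing about the Hive service key.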