hive-user mailing list archives

From Prasad Mujumdar <pras...@cloudera.com>
Subject Re: Configuring Apache Hive using Kerberos Authentication
Date Thu, 13 Feb 2014 17:52:25 GMT
  On the client side, you need to run kinit manually. Beeline doesn't
support getting TGT programmatically. You should ideally have a different
userid for the client side.  Also the hive command line tool (invoked
directly as 'hive') is an embedded client that doesn't communicate with
HiveServer2. You should always use beeline shell as client for HiveServer2.
For example, the steps could be -
1) Add service principal and keytab in hive-site.xml, set authentication to
KERBEROS.
2) Start HiveServer2
3) On client side, kinit user1
4) run beeline
5) !connect jdbc:hive2://pg-server.foobar.com:10000/default;principal=hive/pg-server.foobar.com@FOOBAR.COM

thanks
Prasad



On Wed, Feb 12, 2014 at 8:18 AM, Anilkumar Kalshetti <
anilkalshetti@gmail.com> wrote:

> Hello Sir,
>
> Thanks for the reply,
>
> I want to configure Hive using kerberos authentication, and connect hive
> with third party db tool, using hive service principal name.
>
> I am getting problem, while starting Hiveserver2, [Principal name and
> Keytab file path is properly set in hive-default.xml file]
> It shows message as
>
> ERROR transport.TSaslTransport: SASL negotiation failure
>
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Failed to
> find any Kerberos tgt)]
>
> at
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>
> at
> org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
>
>
> I guess, first I need to generate the TGT ticket, then I should start the
> hiveserver2
>
> As TGT ticket is not generated, this error message is shown.
>
> before starting the server, TGT tickets should be generated.
>
> a]
>
> In PostgreSQL database
>
> >./psql -h pg-server.foobar.com template1 frank
>
> running above command, generates TGT ticket for postgres service principal.
>
> b]
>
> In Hive, after executing the command
>
> >./hive -h pg-server.foobar.com default frank
>
> this command starts hiveserver in No Authentication mode, but doesn't
> generate any TGT ticket
>
>
> Finding the proper command that generates the TGT ticket for Hive service
> principal will be the solution.
>
> This type of command is not mentioned anywhere in cloudera documents.
>
>
> Hive service principal : hive/pg-server.foobar.com@FOOBAR.COM
>
> *As per your suggestion*, I run the below kinit command, but it doesn't
> generate any TGT Ticket
>
> [postgres@pg-server bin]$ kinit -kt '/home/postgres/keytabs/hive.keytab' hive/pg-server.foobar.com@FOOBAR.COM
>
> [postgres@pg-server bin]$ klist
> Ticket cache: FILE:/tmp/krb5cc_501
> Default principal: hive/pg-server.foobar.com@FOOBAR.COM
>
> Valid starting     Expires            Service principal
> 02/12/14 21:29:51  02/13/14 21:29:51  krbtgt/FOOBAR.COM@FOOBAR.COM
>  renew until 02/12/14 21:29:51
>
> *I am expecting, hive service principal will be listed running klist, but
> it's not there.*
>
>
> Hive service principal : hive/pg-server.foobar.com@FOOBAR.COM
>
>
>
> PFA for the hive-default.xml file and TerminalExceptionLog details.
>
>
>
> *If anything is wrong in above steps followed by me, will you please share
> the detailed steps document[containing all small steps from start to end]
> for configuring hive server using kerberos authentication.*
>
> *That will be really very helpful.*
>
>
> Thanks & Regards,
>
> Anil
>
>
>
>
> On 11 February 2014 23:27, Prasad Mujumdar <prasadm@cloudera.com> wrote:
>
>>
>>     If you are talking about embedded Hive client (CLI), then all you
>> need is to have a TGT in the ticket cache (ie run kinit before invoking
>> Hive). The underlying hadoop client handles communication with secure
>> Hadoop services. As long as the Hadoop related security configuration is
>> in place, there's no other Hive specific setup required.
>>
>> If you are setting up secure HiveServer2, please refer to server
>> <https://cwiki.apache.org/confluence/display/Hive/Setting+up+HiveServer2> and
>> client
>> <https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSetupforaSecureCluster> configuration
>> details are on Hive wiki.
>>
>> thanks
>> Prasad
>>
>>
>>
>> On Tue, Feb 11, 2014 at 2:31 AM, Anilkumar Kalshetti <
>> anilkalshetti@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> Has anyone implemented Kerberos authentication for Apache Hive?
>>>
>>> Kerberos authentication for Hadoop is documented very well, and I am
>>> able to do it.
>>> Connecting databases like MongoDB, PostgreSQL using kerberos auth. is
>>> quite straightforward,
>>> But there are missing links in documentation, which makes things
>>> difficult for configuring apache hive using Kerberos authentication.
>>>
>>> Please reply, if someone has done this.
>>>
>>> Thanks
>>>
>>
>>
>
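
The client-side steps 3 to 5 above as a pre-flight check; this is an added example, not code from the thread or from the Hive project. A `krbtgt/REALM@REALM` row in `klist` is the TGT itself, and a row for the hive service principal appears only once a service ticket has been requested, for example with MIT `kvno`. The function names `hs2_jdbc_url` and `ticket_state` are hypothetical, and the klist samples are constructed from the output quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): client-side pre-flight for steps 3-5.
# Step 1 on the server uses these hive-site.xml properties:
#   hive.server2.authentication = KERBEROS
#   hive.server2.authentication.kerberos.principal
#   hive.server2.authentication.kerberos.keytab

# Build the JDBC URL. The principal is the server's service principal
# (hive/<host>@<REALM>), not the user that ran kinit.
hs2_jdbc_url() {  # args: host port database realm
  printf 'jdbc:hive2://%s:%s/%s;principal=hive/%s@%s\n' "$1" "$2" "$3" "$1" "$4"
}

# Classify klist output as no-tgt, tgt-only or tgt+service.
# Only ticket rows (after the "Valid starting" header) are inspected, so the
# "Default principal:" line cannot be mistaken for a cached ticket.
ticket_state() {  # args: klist_text realm service_principal
  printf '%s\n' "$1" | awk -v tgt="krbtgt/$2@$2" -v svc="$3" '
    /^Valid starting/ { rows = 1; next }
    rows && $NF == tgt { have_tgt = 1 }
    rows && $NF == svc { have_svc = 1 }
    END {
      if (!have_tgt)     print "no-tgt"
      else if (have_svc) print "tgt+service"
      else               print "tgt-only"
    }'
}

# Constructed sample: cache right after `kinit user1` (modelled on the klist
# output quoted in the thread).
KLIST_AFTER_KINIT='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: user1@FOOBAR.COM

Valid starting     Expires            Service principal
02/12/14 21:29:51  02/13/14 21:29:51  krbtgt/FOOBAR.COM@FOOBAR.COM'

# Constructed sample: same cache after `kvno hive/pg-server.foobar.com@FOOBAR.COM`.
KLIST_AFTER_KVNO="$KLIST_AFTER_KINIT
02/12/14 21:30:10  02/13/14 21:29:51  hive/pg-server.foobar.com@FOOBAR.COM"

SVC='hive/pg-server.foobar.com@FOOBAR.COM'
URL=$(hs2_jdbc_url pg-server.foobar.com 10000 default FOOBAR.COM)
echo "after kinit: $(ticket_state "$KLIST_AFTER_KINIT" FOOBAR.COM "$SVC")"
echo "after kvno:  $(ticket_state "$KLIST_AFTER_KVNO" FOOBAR.COM "$SVC")"
echo "beeline -u \"$URL\""
```

On a real client, pass `"$(klist)"` as the first argument to `ticket_state`; a result of `tgt-only` is enough for beeline to proceed.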
