hive-user mailing list archives

From Lefty Leverenz <leftylever...@gmail.com>
Subject Re: Configuring Apache Hive using Kerberos Authentication
Date Fri, 14 Feb 2014 09:48:45 GMT
If the Hive wikidocs need improvement, please let me know what to change
(or do it yourself if you have edit access).  Thanks.

-- Lefty


On Thu, Feb 13, 2014 at 9:52 AM, Prasad Mujumdar <prasadm@cloudera.com> wrote:

>
>   On the client side, you need to run kinit manually. Beeline doesn't
> support getting TGT programmatically. You should ideally have a different
> userid for the client side.  Also the hive command line tool (invoked
> directly as 'hive') is an embedded client that doesn't communicate with
> HiveServer2. You should always use beeline shell as client for HiveServer2.
> For example, the steps could be -
> 1) Add service principal and keytab in hive-site.xml, set authentication
> to KERBEROS.
> 2) Start HiveServer2
> 3) On client side, kinit user1
> 4) run beeline
> 5) !connect jdbc:hive2://pg-server.foobar.com:10000/default;principal=hive/pg-server.foobar.com@FOOBAR.COM
>
> thanks
> Prasad
>
>
>
> On Wed, Feb 12, 2014 at 8:18 AM, Anilkumar Kalshetti <
> anilkalshetti@gmail.com> wrote:
>
>> Hello Sir,
>>
>> Thanks for the reply,
>>
>> I want to configure Hive using kerberos authentication, and connect hive
>> with third party db tool, using hive service principal name.
>>
>> I am getting problem, while starting Hiveserver2, [Principal name and
>> Keytab file path is properly set in hive-default.xml file]
>> It shows message as
>>
>> ERROR transport.TSaslTransport: SASL negotiation failure
>>
>> javax.security.sasl.SaslException: GSS initiate failed [Caused by
>> GSSException: No valid credentials provided (Mechanism level: Failed to
>> find any Kerberos tgt)]
>>
>> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>>
>> at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
>>
>>
>> I guess, first I need to generate the TGT ticket, then I should start the
>> hiveserver2
>>
>> As TGT ticket is not generated, this error message is shown.
>>
>> before starting the server, TGT tickets should be generated.
>>
>> a]
>>
>> In PostgreSQL database
>>
>> >./psql -h pg-server.foobar.com template1 frank
>>
>> running above command, generates TGT ticket for postgres service
>> principal.
>>
>> b]
>>
>> In Hive, after executing the command
>>
>> >./hive -h pg-server.foobar.com default frank
>>
>> this command starts hiveserver in No Authentication mode, but doesn't
>> generate any TGT ticket
>>
>>
>> Finding the proper command that generates the TGT ticket for Hive service
>> principal will be the solution.
>>
>> This type of command is not mentioned anywhere in cloudera documents.
>>
>>
>> Hive service principal : hive/pg-server.foobar.com@FOOBAR.COM
>>
>> *As per your suggestion*, I run the below kinit command, but it doesn't
>> generate any TGT Ticket
>>
>> [postgres@pg-server bin]$ kinit -kt '/home/postgres/keytabs/hive.keytab' hive/pg-server.foobar.com@FOOBAR.COM
>>
>> [postgres@pg-server bin]$ *klist*
>> Ticket cache: FILE:/tmp/krb5cc_501
>> Default principal: hive/pg-server.foobar.com@FOOBAR.COM
>>
>> Valid starting     Expires            Service principal
>> 02/12/14 21:29:51  02/13/14 21:29:51  krbtgt/FOOBAR.COM@FOOBAR.COM
>>  renew until 02/12/14 21:29:51
>>
>> *I am expecting, hive service principal will be listed running klist, but
>> it's not there.*
>>
>>
>> Hive service principal : hive/pg-server.foobar.com@FOOBAR.COM
>>
>>
>>
>> PFA for the hive-default.xml file and TerminalExceptionLog details.
>>
>>
>>
>> *If anything is wrong in above steps followed by me, will you please
>> share the detailed steps document[containing all small steps from start to
>> end] for configuring hive server using kerberos authentication.*
>>
>> *That will be really very helpful.*
>>
>>
>> Thanks & Regards,
>>
>> Anil
>>
>>
>>
>>
>> On 11 February 2014 23:27, Prasad Mujumdar <prasadm@cloudera.com> wrote:
>>
>>>
>>>     If you are talking about embedded Hive client (CLI), then all you
>>> need is to have a TGT in the ticket cache (ie run kinit before invoking
>>> Hive). The underlying hadoop client handles communication with secure
>>> Hadoop services. As long as the Hadoop related security configuration is
>>> in place, there's no other Hive specific setup required.
>>>
>>> If you are setting up secure HiveServer2, please refer to server
>>> <https://cwiki.apache.org/confluence/display/Hive/Setting+up+HiveServer2>
>>> and client
>>> <https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSetupforaSecureCluster>
>>> configuration details are on Hive wiki.
>>>
>>> thanks
>>> Prasad
>>>
>>>
>>>
>>> On Tue, Feb 11, 2014 at 2:31 AM, Anilkumar Kalshetti <
>>> anilkalshetti@gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> Has anyone implemented Kerberos authentication for Apache Hive?
>>>>
>>>> Kerberos authentication for Hadoop is documented very well, and I am
>>>> able to do it.
>>>> Connecting databases like MongoDB, PostgreSQL using kerberos auth. is
>>>> quite straight-forward,
>>>> But there are missing links in documentation, which makes things
>>>> difficult for configuring apache hive using Kerberos authentication.
>>>>
>>>> Please reply, If someone has done this.
>>>>
>>>> Thanks
>>>>
>>>
>>>
>>
>
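
The client-side steps listed in the thread (kinit, then beeline with the server's principal in the JDBC URL), written as a preflight check. This is an added example, not part of the thread: port 10000 and database `default` come from the quoted URL, while the function names and the `klist` sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): client-side preflight before beeline.

# Constructed sample in the layout `klist` prints; user1 is the client user.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: user1@FOOBAR.COM

Valid starting     Expires            Service principal
02/12/14 21:29:51  02/13/14 21:29:51  krbtgt/FOOBAR.COM@FOOBAR.COM
        renew until 02/12/14 21:29:51'

# realm_of PRINCIPAL: text after the last "@".
realm_of() { printf '%s\n' "${1##*@}"; }

# host_of SERVICE_PRINCIPAL: the instance part between "/" and "@".
host_of() ( h=${1#*/}; printf '%s\n' "${h%@*}" )

# default_principal KLIST_TEXT: principal that owns the ticket cache.
default_principal() { printf '%s\n' "$1" | sed -n 's/^Default principal: *//p'; }

# has_tgt KLIST_TEXT REALM: succeeds when krbtgt/REALM@REALM is listed.
# That row is the TGT. kinit obtains only the TGT; service tickets such as
# hive/... are requested from the KDC later, when a client connects.
has_tgt() {
  printf '%s\n' "$1" |
    awk -v want="krbtgt/$2@$2" '$NF == want { ok = 1 } END { exit !ok }'
}

# preflight KLIST_TEXT SERVICE_PRINCIPAL PORT DB
# Prints the beeline JDBC URL, or a reason on stderr with a non-zero status.
preflight() (
  realm=$(realm_of "$2")
  if ! has_tgt "$1" "$realm"; then
    echo "no TGT for $realm in the ticket cache: run kinit first" >&2
    exit 1
  fi
  # The thread recommends a separate client userid, not the service principal.
  if [ "$(default_principal "$1")" = "$2" ]; then
    echo "cache holds the service principal: kinit as a client user" >&2
    exit 2
  fi
  printf 'jdbc:hive2://%s:%s/%s;principal=%s\n' "$(host_of "$2")" "$3" "$4" "$2"
)

# Demo on the constructed sample; for live use pass "$(klist)" instead.
preflight "$SAMPLE_KLIST" 'hive/pg-server.foobar.com@FOOBAR.COM' 10000 default
```

Status 1 corresponds to the "Failed to find any Kerberos tgt" condition in the quoted stack trace; status 2 flags a cache initialised from the service keytab, as in the quoted `klist` output.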
