hive-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Loïc Chanel <loic.cha...@telecomnancy.net>
Subject Re: HiveServer2 & Kerberos
Date Wed, 26 Aug 2015 15:58:24 GMT
I understand the behavior, but when Kerberos is enabled, isn't that a bit
redundant ?

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-08-26 17:53 GMT+02:00 kulkarni.swarnim@gmail.com <
kulkarni.swarnim@gmail.com>:

> > my understanding is that after using kerberos authentication, you
> probably don’t need the password.
>
> That is not an accurate statement. Beeline is a JDBC client as compared to
> Hive CLI which is a thrift client to talk to HIveServer2. So it would need
> the password to establish that JDBC connection. If you look at the beeline
> console code[1], it actually first tries to read the
> "javax.jdo.option.ConnectionUserName" and
> "javax.jdo.option.ConnectionPassword" property which is the same username
> and password that you have setup your backing metastore DB with. If it is
> MySWL, it would be the password you set MySQL with or empty if you
> haven't(or are using derby). Kerberos is merely a tool for you to
> authenticate yourself so that you cannot impersonate yourself as someone
> else.
>
> [1]
> https://github.com/apache/hive/blob/3991dba30c5068cac296f32e24e97cf87efa266c/beeline/src/java/org/apache/hive/beeline/Commands.java#L1117-L1125
>
> On Wed, Aug 26, 2015 at 10:13 AM, Loïc Chanel <
> loic.chanel@telecomnancy.net> wrote:
>
>> Here it is : https://issues.apache.org/jira/browse/HIVE-11653
>>
>> Loïc CHANEL
>> Engineering student at TELECOM Nancy
>> Trainee at Worldline - Villeurbanne
>>
>> 2015-08-25 23:10 GMT+02:00 Sergey Shelukhin <sergey@hortonworks.com>:
>>
>>> Sure!
>>>
>>> From: Loïc Chanel <loic.chanel@telecomnancy.net>
>>> Reply-To: "user@hive.apache.org" <user@hive.apache.org>
>>> Date: Tuesday, August 25, 2015 at 00:23
>>>
>>> To: "user@hive.apache.org" <user@hive.apache.org>
>>> Subject: Re: HiveServer2 & Kerberos
>>>
>>> It is the case.
>>> Would you like me to fill a JIRA about it ?
>>>
>>> Loïc CHANEL
>>> Engineering student at TELECOM Nancy
>>> Trainee at Worldline - Villeurbanne
>>>
>>> 2015-08-24 19:24 GMT+02:00 Sergey Shelukhin <sergey@hortonworks.com>:
>>>
>>>> If that is the case it sounds like a bug…
>>>>
>>>> From: Jary Du <jary.du@gmail.com>
>>>> Reply-To: "user@hive.apache.org" <user@hive.apache.org>
>>>> Date: Thursday, August 20, 2015 at 08:56
>>>> To: "user@hive.apache.org" <user@hive.apache.org>
>>>> Subject: Re: HiveServer2 & Kerberos
>>>>
>>>> My understanding is that it will always ask you user/password even
>>>> though you don’t need them. It is just the way how hive is setup.
>>>>
>>>> On Aug 20, 2015, at 8:28 AM, Loïc Chanel <loic.chanel@telecomnancy.net>
>>>> wrote:
>>>>
>>>> !connect jdbc:hive2://
>>>> 192.168.6.210:10000/db;principal=hive/hiveHost@WESTEROS.WL
>>>> org.apache.hive.jdbc.HiveDriver
>>>> scan complete in 13ms
>>>> Connecting to jdbc:hive2://
>>>> 192.168.6.210:10000/db;principal=hive/hiveHost@WESTEROS.WL
>>>> Enter password for jdbc:hive2://
>>>> 192.168.6.210:10000/chaneldb;principal=hive/hiveHost@WESTEROS.WL:
>>>>
>>>> And if I press enter everything works perfectly, because I am using
>>>> Kerberos authentication, that's actually why I was asking what is Hive
>>>> asking for, because in my case, it seems that I shouldn't be asked for a
>>>> password when connecting.
>>>>
>>>> Loïc CHANEL
>>>> Engineering student at TELECOM Nancy
>>>> Trainee at Worldline - Villeurbanne
>>>>
>>>> 2015-08-20 17:06 GMT+02:00 Jary Du <jary.du@gmail.com>:
>>>>
>>>>> How does Beeline ask you? What happens if you just press enter?
>>>>>
>>>>>
>>>>>
>>>>> On Aug 20, 2015, at 12:15 AM, Loïc Chanel <
>>>>> loic.chanel@telecomnancy.net> wrote:
>>>>>
>>>>> Indeed, I don't need the password, but why is Beeline asking me for
>>>>> one ? To what does it correspond ?
>>>>>
>>>>> Thanks again,
>>>>>
>>>>>
>>>>> Loïc
>>>>>
>>>>> Loïc CHANEL
>>>>> Engineering student at TELECOM Nancy
>>>>> Trainee at Worldline - Villeurbanne
>>>>>
>>>>> 2015-08-19 18:22 GMT+02:00 Jary Du <jary.du@gmail.com>:
>>>>>
>>>>>> Correct me if I am wrong, my understanding is that after using
>>>>>> kerberos authentication, you probably don’t need the password.
>>>>>>
>>>>>> Hope it helps
>>>>>>
>>>>>> Thanks,
>>>>>> Jary
>>>>>>
>>>>>>
>>>>>> On Aug 19, 2015, at 9:09 AM, Loïc Chanel <
>>>>>> loic.chanel@telecomnancy.net> wrote:
>>>>>>
>>>>>> By the way, thanks a lot for your help, because your solution works,
>>>>>> but I'm still interested in knowing what is the password I did not
enter.
>>>>>>
>>>>>> Thanks again,
>>>>>>
>>>>>>
>>>>>> Loïc
>>>>>>
>>>>>> Loïc CHANEL
>>>>>> Engineering student at TELECOM Nancy
>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>
>>>>>> 2015-08-19 18:07 GMT+02:00 Loïc Chanel <loic.chanel@telecomnancy.net>
>>>>>> :
>>>>>>
>>>>>>> All right, but then, what is the password hive asks for ? Hive's
one
>>>>>>> ? How do I know its value ?
>>>>>>>
>>>>>>> Loïc CHANEL
>>>>>>> Engineering student at TELECOM Nancy
>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>
>>>>>>> 2015-08-19 17:51 GMT+02:00 Jary Du <jary.du@gmail.com>:
>>>>>>>
>>>>>>>> For Beeline connection string, it should be "!connect
>>>>>>>> jdbc:hive2://<host>:<port>/<db>;principal=<Server_Principal_of_HiveServer2>”.
Please
>>>>>>>> make sure it is the hive’s principal, not the user’s.
And when you kinit,
>>>>>>>> it should be kinit user’s keytab, not the hive’s keytab.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Aug 19, 2015, at 8:46 AM, Loïc Chanel <
>>>>>>>> loic.chanel@telecomnancy.net> wrote:
>>>>>>>>
>>>>>>>> Yeah, I forgot to mention it, but each time I did a kinit
user/hive
>>>>>>>> before launching beeline, as I read somewhere that Beeline
does not handle
>>>>>>>> Kerberos connection.
>>>>>>>>
>>>>>>>> So, as I can make klist before launching beeline and having
a good
>>>>>>>> result, the problem does not come from this. Thanks a lot
for your response
>>>>>>>> though.
>>>>>>>> Do you have another idea ?
>>>>>>>>
>>>>>>>> Loïc CHANEL
>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>
>>>>>>>> 2015-08-19 17:42 GMT+02:00 Jary Du <jary.du@gmail.com>:
>>>>>>>>
>>>>>>>>> "The Beeline client must have a valid Kerberos ticket
in the
>>>>>>>>> ticket cache before attempting to connect." (
>>>>>>>>> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.1.3/bk_dataintegration/content/ch_using-hive-clients-examples.html
>>>>>>>>> )
>>>>>>>>>
>>>>>>>>> So you need kinit first to have the valid Kerberos ticket
int the
>>>>>>>>> ticket cache before using beeline to connect to HS2.
>>>>>>>>>
>>>>>>>>> Jary
>>>>>>>>>
>>>>>>>>> On Aug 19, 2015, at 8:36 AM, Loïc Chanel <
>>>>>>>>> loic.chanel@telecomnancy.net> wrote:
>>>>>>>>>
>>>>>>>>> Hi again,
>>>>>>>>>
>>>>>>>>> As I searched another way to make some requests with
Kerberos
>>>>>>>>> enabled for security on HiveServer, I found that this
request should do the
>>>>>>>>> same :
>>>>>>>>> !connect jdbc:hive2://
>>>>>>>>> 192.168.6.210:10000/default;principal=user/hive@WESTEROS.WL
>>>>>>>>> org.apache.hive.jdbc.HiveDriver
>>>>>>>>> But now I've got another error :
>>>>>>>>> Error: Could not open client transport with JDBC Uri:
jdbc:hive2://
>>>>>>>>> 192.168.6.210:10000/default;principal=user/hive@WESTEROS.WL:
Peer
>>>>>>>>> indicated failure: GSS initiate failed (state=08S01,code=0)
>>>>>>>>>
>>>>>>>>> As I saw that it was maybe a simple Kerberos ticket related
>>>>>>>>> problem, I tried to re-generate Kerberos keytabs, and
to ensure that Hive
>>>>>>>>> has the path to access to its keytab, but nothing changed.
>>>>>>>>>
>>>>>>>>> Does anyone has an idea about how to solve this issue
?
>>>>>>>>>
>>>>>>>>> Thanks in advance for your help :)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Loïc
>>>>>>>>>
>>>>>>>>> Loïc CHANEL
>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>
>>>>>>>>> 2015-08-19 12:01 GMT+02:00 Loïc Chanel <
>>>>>>>>> loic.chanel@telecomnancy.net>:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I have a little issue with HiveServer2 since I have
enabled
>>>>>>>>>> Kerberos. I'm unable to connect to the service via
Beeline. When doing
>>>>>>>>>> !connect jdbc:hive2://192.168.6.210:10000 hive hive
>>>>>>>>>> org.apache.hive.jdbc.HiveDriver
>>>>>>>>>> I keep receiving the same error :
>>>>>>>>>> Error: Could not open client transport with JDBC
Uri:
>>>>>>>>>> jdbc:hive2://192.168.6.210:10000: Peer indicated
failure:
>>>>>>>>>> Unsupported mechanism type PLAIN (state=08S01,code=0)
>>>>>>>>>>
>>>>>>>>>> Does anyone had the same problem ? Or know how to
solve it ?
>>>>>>>>>> Thanks in advance,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Loïc
>>>>>>>>>>
>>>>>>>>>> Loïc CHANEL
>>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
>
> --
> Swarnim
>

Mime
View raw message