hive-user mailing list archives

From "kulkarni.swarnim@gmail.com" <kulkarni.swar...@gmail.com>
Subject Re: HiveServer2 & Kerberos
Date Wed, 26 Aug 2015 16:01:29 GMT
Nope. Because the credentials are different. You might have multiple users
using their own credentials to authenticate themselves but there are only
single defined credentials to be used by the metastore server.

On Wed, Aug 26, 2015 at 10:58 AM, Loïc Chanel <loic.chanel@telecomnancy.net>
wrote:

> I understand the behavior, but when Kerberos is enabled, isn't that a bit
> redundant ?
>
> Loïc CHANEL
> Engineering student at TELECOM Nancy
> Trainee at Worldline - Villeurbanne
>
> 2015-08-26 17:53 GMT+02:00 kulkarni.swarnim@gmail.com <
> kulkarni.swarnim@gmail.com>:
>
>> > my understanding is that after using kerberos authentication, you
>> probably don’t need the password.
>>
>> That is not an accurate statement. Beeline is a JDBC client as compared
>> to Hive CLI which is a thrift client to talk to HiveServer2. So it would
>> need the password to establish that JDBC connection. If you look at the
>> beeline console code[1], it actually first tries to read the
>> "javax.jdo.option.ConnectionUserName" and
>> "javax.jdo.option.ConnectionPassword" property which is the same username
>> and password that you have setup your backing metastore DB with. If it is
>> MySQL, it would be the password you set MySQL with or empty if you
>> haven't (or are using derby). Kerberos is merely a tool for you to
>> authenticate yourself so that you cannot impersonate yourself as someone
>> else.
>>
>> [1]
>> https://github.com/apache/hive/blob/3991dba30c5068cac296f32e24e97cf87efa266c/beeline/src/java/org/apache/hive/beeline/Commands.java#L1117-L1125
>>
>> On Wed, Aug 26, 2015 at 10:13 AM, Loïc Chanel <
>> loic.chanel@telecomnancy.net> wrote:
>>
>>> Here it is : https://issues.apache.org/jira/browse/HIVE-11653
>>>
>>> Loïc CHANEL
>>> Engineering student at TELECOM Nancy
>>> Trainee at Worldline - Villeurbanne
>>>
>>> 2015-08-25 23:10 GMT+02:00 Sergey Shelukhin <sergey@hortonworks.com>:
>>>
>>>> Sure!
>>>>
>>>> From: Loïc Chanel <loic.chanel@telecomnancy.net>
>>>> Reply-To: "user@hive.apache.org" <user@hive.apache.org>
>>>> Date: Tuesday, August 25, 2015 at 00:23
>>>>
>>>> To: "user@hive.apache.org" <user@hive.apache.org>
>>>> Subject: Re: HiveServer2 & Kerberos
>>>>
>>>> It is the case.
>>>> Would you like me to fill a JIRA about it ?
>>>>
>>>> Loïc CHANEL
>>>> Engineering student at TELECOM Nancy
>>>> Trainee at Worldline - Villeurbanne
>>>>
>>>> 2015-08-24 19:24 GMT+02:00 Sergey Shelukhin <sergey@hortonworks.com>:
>>>>
>>>>> If that is the case it sounds like a bug…
>>>>>
>>>>> From: Jary Du <jary.du@gmail.com>
>>>>> Reply-To: "user@hive.apache.org" <user@hive.apache.org>
>>>>> Date: Thursday, August 20, 2015 at 08:56
>>>>> To: "user@hive.apache.org" <user@hive.apache.org>
>>>>> Subject: Re: HiveServer2 & Kerberos
>>>>>
>>>>> My understanding is that it will always ask you user/password even
>>>>> though you don’t need them. It is just the way how hive is setup.
>>>>>
>>>>> On Aug 20, 2015, at 8:28 AM, Loïc Chanel <loic.chanel@telecomnancy.net>
>>>>> wrote:
>>>>>
>>>>> !connect jdbc:hive2://192.168.6.210:10000/db;principal=hive/hiveHost@WESTEROS.WL
>>>>> org.apache.hive.jdbc.HiveDriver
>>>>> scan complete in 13ms
>>>>> Connecting to jdbc:hive2://192.168.6.210:10000/db;principal=hive/hiveHost@WESTEROS.WL
>>>>> Enter password for jdbc:hive2://192.168.6.210:10000/chaneldb;principal=hive/hiveHost@WESTEROS.WL:
>>>>>
>>>>> And if I press enter everything works perfectly, because I am using
>>>>> Kerberos authentication, that's actually why I was asking what is Hive
>>>>> asking for, because in my case, it seems that I shouldn't be asked for a
>>>>> password when connecting.
>>>>>
>>>>> Loïc CHANEL
>>>>> Engineering student at TELECOM Nancy
>>>>> Trainee at Worldline - Villeurbanne
>>>>>
>>>>> 2015-08-20 17:06 GMT+02:00 Jary Du <jary.du@gmail.com>:
>>>>>
>>>>>> How does Beeline ask you? What happens if you just press enter?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Aug 20, 2015, at 12:15 AM, Loïc Chanel <
>>>>>> loic.chanel@telecomnancy.net> wrote:
>>>>>>
>>>>>> Indeed, I don't need the password, but why is Beeline asking me for
>>>>>> one ? To what does it correspond ?
>>>>>>
>>>>>> Thanks again,
>>>>>>
>>>>>>
>>>>>> Loïc
>>>>>>
>>>>>> Loïc CHANEL
>>>>>> Engineering student at TELECOM Nancy
>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>
>>>>>> 2015-08-19 18:22 GMT+02:00 Jary Du <jary.du@gmail.com>:
>>>>>>
>>>>>>> Correct me if I am wrong, my understanding is that after using
>>>>>>> kerberos authentication, you probably don’t need the password.
>>>>>>>
>>>>>>> Hope it helps
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Jary
>>>>>>>
>>>>>>>
>>>>>>> On Aug 19, 2015, at 9:09 AM, Loïc Chanel <
>>>>>>> loic.chanel@telecomnancy.net> wrote:
>>>>>>>
>>>>>>> By the way, thanks a lot for your help, because your solution works,
>>>>>>> but I'm still interested in knowing what is the password I did not enter.
>>>>>>>
>>>>>>> Thanks again,
>>>>>>>
>>>>>>>
>>>>>>> Loïc
>>>>>>>
>>>>>>> Loïc CHANEL
>>>>>>> Engineering student at TELECOM Nancy
>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>
>>>>>>> 2015-08-19 18:07 GMT+02:00 Loïc Chanel <loic.chanel@telecomnancy.net>:
>>>>>>>
>>>>>>>> All right, but then, what is the password hive asks for ? Hive's
>>>>>>>> one ? How do I know its value ?
>>>>>>>>
>>>>>>>> Loïc CHANEL
>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>
>>>>>>>> 2015-08-19 17:51 GMT+02:00 Jary Du <jary.du@gmail.com>:
>>>>>>>>
>>>>>>>>> For Beeline connection string, it should be "!connect
>>>>>>>>> jdbc:hive2://<host>:<port>/<db>;principal=<Server_Principal_of_HiveServer2>".
>>>>>>>>> Please make sure it is the hive’s principal, not the user’s. And when you kinit,
>>>>>>>>> it should be kinit user’s keytab, not the hive’s keytab.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Aug 19, 2015, at 8:46 AM, Loïc Chanel <
>>>>>>>>> loic.chanel@telecomnancy.net> wrote:
>>>>>>>>>
>>>>>>>>> Yeah, I forgot to mention it, but each time I did a kinit
>>>>>>>>> user/hive before launching beeline, as I read somewhere that Beeline does
>>>>>>>>> not handle Kerberos connection.
>>>>>>>>>
>>>>>>>>> So, as I can make klist before launching beeline and having a good
>>>>>>>>> result, the problem does not come from this. Thanks a lot for your response
>>>>>>>>> though.
>>>>>>>>> Do you have another idea ?
>>>>>>>>>
>>>>>>>>> Loïc CHANEL
>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>
>>>>>>>>> 2015-08-19 17:42 GMT+02:00 Jary Du <jary.du@gmail.com>:
>>>>>>>>>
>>>>>>>>>> "The Beeline client must have a valid Kerberos ticket in the
>>>>>>>>>> ticket cache before attempting to connect." (
>>>>>>>>>> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.1.3/bk_dataintegration/content/ch_using-hive-clients-examples.html
>>>>>>>>>> )
>>>>>>>>>>
>>>>>>>>>> So you need kinit first to have the valid Kerberos ticket in the
>>>>>>>>>> ticket cache before using beeline to connect to HS2.
>>>>>>>>>>
>>>>>>>>>> Jary
>>>>>>>>>>
>>>>>>>>>> On Aug 19, 2015, at 8:36 AM, Loïc Chanel <
>>>>>>>>>> loic.chanel@telecomnancy.net> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi again,
>>>>>>>>>>
>>>>>>>>>> As I searched another way to make some requests with Kerberos
>>>>>>>>>> enabled for security on HiveServer, I found that this request should do the
>>>>>>>>>> same :
>>>>>>>>>> !connect jdbc:hive2://192.168.6.210:10000/default;principal=user/hive@WESTEROS.WL
>>>>>>>>>> org.apache.hive.jdbc.HiveDriver
>>>>>>>>>> But now I've got another error :
>>>>>>>>>> Error: Could not open client transport with JDBC Uri:
>>>>>>>>>> jdbc:hive2://192.168.6.210:10000/default;principal=user/hive@WESTEROS.WL:
>>>>>>>>>> Peer indicated failure: GSS initiate failed (state=08S01,code=0)
>>>>>>>>>>
>>>>>>>>>> As I saw that it was maybe a simple Kerberos ticket related
>>>>>>>>>> problem, I tried to re-generate Kerberos keytabs, and to ensure that Hive
>>>>>>>>>> has the path to access to its keytab, but nothing changed.
>>>>>>>>>>
>>>>>>>>>> Does anyone have an idea about how to solve this issue ?
>>>>>>>>>>
>>>>>>>>>> Thanks in advance for your help :)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Loïc
>>>>>>>>>>
>>>>>>>>>> Loïc CHANEL
>>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>>
>>>>>>>>>> 2015-08-19 12:01 GMT+02:00 Loïc Chanel <
>>>>>>>>>> loic.chanel@telecomnancy.net>:
>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> I have a little issue with HiveServer2 since I have enabled
>>>>>>>>>>> Kerberos. I'm unable to connect to the service via Beeline. When doing
>>>>>>>>>>> !connect jdbc:hive2://192.168.6.210:10000 hive hive
>>>>>>>>>>> org.apache.hive.jdbc.HiveDriver
>>>>>>>>>>> I keep receiving the same error :
>>>>>>>>>>> Error: Could not open client transport with JDBC Uri:
>>>>>>>>>>> jdbc:hive2://192.168.6.210:10000: Peer indicated failure:
>>>>>>>>>>> Unsupported mechanism type PLAIN (state=08S01,code=0)
>>>>>>>>>>>
>>>>>>>>>>> Has anyone had the same problem ? Or know how to solve it ?
>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Loïc
>>>>>>>>>>>
>>>>>>>>>>> Loïc CHANEL
>>>>>>>>>>> Engineering student at TELECOM Nancy
>>>>>>>>>>> Trainee at Worldline - Villeurbanne
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> Swarnim
>>
>
>


-- 
Swarnim
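
The connect-string advice given in this thread, as an added example that is not part of any message or of Hive's own code: a pre-flight check that the JDBC URL carries a `principal=` session variable and that it is not the principal the user ran kinit with. The function names are hypothetical, and `ticket_principal` assumes the `Default principal:` line printed by MIT Kerberos `klist`.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of a Beeline Kerberos connect string.

# Print the principal= session variable of a hive2 JDBC URL; return 1 if absent.
url_principal() {
    local vars
    vars="${1%%[?]*}"          # drop the ?hive_conf_list part, if any
    vars="${vars%%#*}"         # drop the #hive_var_list part, if any
    case "$vars" in
        *\;principal=*)
            vars="${vars#*;principal=}"
            printf '%s\n' "${vars%%;*}" ;;
        *) return 1 ;;
    esac
}

# Principal of the current ticket cache (assumes MIT Kerberos klist output).
ticket_principal() {
    klist 2>/dev/null | sed -n 's/^Default principal: //p'
}

# check_connect URL CLIENT_PRINCIPAL: print a verdict, return 0 only for "ok".
check_connect() {
    local url="$1" client="$2" sp
    if ! sp="$(url_principal "$url")"; then
        echo "no-principal"            # thread: "Unsupported mechanism type PLAIN"
        return 1
    fi
    case "$sp" in
        */*@*) ;;                      # expect service/host@REALM
        *) echo "malformed-principal"; return 1 ;;
    esac
    if [ "$sp" = "$client" ]; then
        echo "user-principal-in-url"   # thread: "GSS initiate failed"
        return 1
    fi
    echo "ok"
}

# The three connect strings from the thread, checked against the user's ticket.
client="${1:-user/hive@WESTEROS.WL}"   # or: client="$(ticket_principal)"
for url in \
    'jdbc:hive2://192.168.6.210:10000' \
    'jdbc:hive2://192.168.6.210:10000/default;principal=user/hive@WESTEROS.WL' \
    'jdbc:hive2://192.168.6.210:10000/db;principal=hive/hiveHost@WESTEROS.WL'
do
    printf '%-24s %s\n' "$(check_connect "$url" "$client")" "$url"
done
```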
