Bharath D

Reputation: 1

JDBC hive server 2 with kerberos, how is the principal parameter in the url used?

I have a valid keytab and noticed that it is picked up for authentication; however, I cannot find in any documentation what the purpose is of passing "principal=hive/[email protected]" in the JDBC URL.

jdbc:hive2://hiveserver.test.com:10000/default;principal=hive/[email protected] 

I enabled debug and noticed the hive principal being used for creating the Thrift transport after SASL negotiation and also for interacting with HDFS. Which one of these is true?

Thanks

Upvotes: 0

Views: 8238

Answers (1)

Arunakiran Nulu

Reputation: 2099

If you configure HiveServer2 to use Kerberos authentication, HiveServer2 acquires a Kerberos ticket during start-up. HiveServer2 requires a principal and keytab file specified in the configuration. The client applications (for example JDBC or beeline) must get a valid Kerberos ticket before initiating a connection to HiveServer2.

Enabling Kerberos Authentication for HiveServer2

To enable Kerberos Authentication for HiveServer2, add the following properties in the /etc/hive/conf/hive-site.xml file:

<property>
  <name>hive.server2.authentication</name>
  <value>KERBEROS</value>
</property>
<property>
  <name>hive.server2.authentication.kerberos.principal</name>
  <value>hive/[email protected]</value>
</property>
<property>
  <name>hive.server2.authentication.kerberos.keytab</name>
  <value>/etc/hive/conf/hive.keytab</value>
</property>

The [email protected] value in the example above is the Kerberos principal for the host where HiveServer2 is running. The special string _HOST in the properties is replaced at run-time by the fully-qualified domain name of the host machine where the daemon is running. This requires that reverse DNS is properly working on all the hosts configured this way. Replace YOUR-REALM.COM with the name of the Kerberos realm your Hadoop cluster is in.
The /etc/hive/conf/hive.keytab value in the example above is a keytab file for that principal.
Note that HiveServer2 accesses the Hadoop cluster using the identity for this Kerberos user and does not impersonate the client user connecting to it (assuming impersonation has not been enabled).

Configuring JDBC Clients for Kerberos Authentication with HiveServer2

JDBC-based clients must include principal= in the JDBC connection string. For example:

String url = "jdbc:hive2://node1:10000/default;principal=hive/[email protected]";
Connection con = DriverManager.getConnection(url);

where HiveServer2Host is the host where HiveServer2 is running.

Upvotes: 1
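
Added example, not part of the answer above and not Hive's own code: a pre-connection check in Java that treats `principal=` in the JDBC URL as the HiveServer2 service principal the answer describes (the `hive.server2.authentication.kerberos.principal` value with `_HOST` resolved), so a URL carrying a user principal, or none at all, is flagged before any connection is attempted. The host name, realm, class name and method names are constructed placeholders, and records require Java 16 or later.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class Hs2PrincipalCheck {
    /** The service/host@REALM parts of a Kerberos service principal. */
    record Spn(String service, String host, String realm) {}

    /** Splits the host and the ;key=value session parameters out of a jdbc:hive2:// URL. */
    static Map<String, String> parseUrl(String url) {
        String prefix = "jdbc:hive2://";
        if (!url.startsWith(prefix)) throw new IllegalArgumentException("not a hive2 URL");
        String[] parts = url.substring(prefix.length()).split(";");
        Map<String, String> out = new LinkedHashMap<>();
        out.put("host", parts[0].split("[:/]")[0]);
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].split("=", 2);
            if (kv.length == 2) out.put(kv[0].trim(), kv[1].trim());
        }
        return out;
    }

    /** Parses service/host@REALM and replaces _HOST with the given server host. */
    static Spn resolve(String principal, String serverHost) {
        String[] p = principal == null ? new String[0] : principal.split("[/@]");
        if (p.length != 3) throw new IllegalArgumentException(
            "expected service/host@REALM, got: " + principal);
        return new Spn(p[0], p[1].equals("_HOST") ? serverHost : p[1], p[2]);
    }

    public static void main(String[] args) {
        // Constructed sample values; host and realm are placeholders.
        String configured = "hive/_HOST@EXAMPLE.COM"; // value as written in hive-site.xml
        String serverFqdn = "hs2.example.com";        // FQDN of the HiveServer2 host
        String[] urls = {
            "jdbc:hive2://hs2.example.com:10000/default;principal=hive/hs2.example.com@EXAMPLE.COM",
            "jdbc:hive2://hs2.example.com:10000/default;principal=alice@EXAMPLE.COM",
            "jdbc:hive2://hs2.example.com:10000/default"
        };
        Spn expected = resolve(configured, serverFqdn);
        for (String url : urls) {
            Map<String, String> u = parseUrl(url);
            try {
                Spn got = resolve(u.get("principal"), u.get("host"));
                System.out.println((got.equals(expected) ? "OK       " : "MISMATCH ") + got);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + e.getMessage());
            }
        }
    }
}
```

Only the first URL passes; the second carries a user principal with no host part and the third has no `principal=` parameter, so both are rejected.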
