We needed to authenticate user requests against AD in a Kerberos-enabled cluster, and to allow “local” Hive sessions to use only a keytab. Below are examples of each.
First, we show how to connect over a binary TCP transport without Knox. Notice that the connection string carries no username or password; only the keytab is used…

    import java.sql.*;
    import org.apache.hadoop.security.UserGroupInformation;

    public class hive2 {
        public static void main (String args[]) {
            try {
                // Tell the Hadoop client libraries to use Kerberos, then log in from the keytab
                org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
                conf.set("hadoop.security.authentication", "Kerberos");
                UserGroupInformation.setConfiguration(conf);
                UserGroupInformation.loginUserFromKeytab("hive/[email protected]", "/etc/security/keytabs/hive.service.keytab");
                Class.forName("org.apache.hive.jdbc.HiveDriver");
                System.out.println("getting connection");
                // principal= names the HiveServer2 service principal; no username or password is sent
                Connection con = DriverManager.getConnection("jdbc:hive2://ambari2012:10000/;principal=hive/[email protected]");
                System.out.println("got connection");
                con.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

…and then over HTTP, again using only the keytab…

    import java.sql.*;
    import org.apache.hadoop.security.UserGroupInformation;

    public class hive2 {
        public static void main (String args[]) {
            try {
                // Same keytab login as the binary transport example
                org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
                conf.set("hadoop.security.authentication", "Kerberos");
                UserGroupInformation.setConfiguration(conf);
                UserGroupInformation.loginUserFromKeytab("hive/[email protected]", "/etc/security/keytabs/hive.service.keytab");
                Class.forName("org.apache.hive.jdbc.HiveDriver");
                System.out.println("getting connection");
                // transportMode=http and httpPath=cliservice select the HTTP endpoint on port 10001
                Connection con = DriverManager.getConnection("jdbc:hive2://ambari2012:10001/;principal=hive/[email protected];transportMode=http;httpPath=cliservice");
                System.out.println("got connection");
                con.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

…and with simple user authentication against Knox (notice the lack of a keytab and principal in the URL, and the addition of the username and password)…

    import java.sql.*;

    public class hive2 {
        public static void main (String args[]) {
            try {
                Class.forName("org.apache.hive.jdbc.HiveDriver");
                System.out.println("getting connection");
                // Knox gateway over SSL: the username and password are passed to getConnection, no keytab or principal
                Connection con = DriverManager.getConnection("jdbc:hive2://ambari2012:8443/;ssl=true;transportMode=http;httpPath=gateway/default/hive","showard","********");
                System.out.println("got connection");
                con.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

To connect with beeline, you must first kinit with the Hive service keytab (located under /etc/security/keytabs); then you can connect.

    [root@ambari2012 ~]# kinit -kt /etc/security/keytabs/hive.service.keytab hive/[email protected]
    [root@cmhlpdlkedat01 ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: hive/[email protected]

    Valid starting     Expires            Service principal
    06/25/15 23:21:13  06/26/15 09:21:13  krbtgt/[email protected]
            renew until 07/02/15 23:21:13
    [root@ambari2012 ~]# beeline -u "jdbc:hive2://ambari2012:10001/;principal=hive/[email protected];transportMode=http;httpPath=cliservice"

It was surprisingly difficult to get simple examples of each, so hopefully this helps someone.
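
The keytab examples above log the whole JVM in as the service principal. The following is an added example, not code from the original post: it refuses a keytab that anyone other than its owner can access, logs in to a separate UGI with `loginUserFromKeytabAndReturnUGI`, and opens the connection inside `doAs`. The class name `KeytabHiveCheck` and the helper `requireOwnerOnly` are hypothetical; the principal, keytab path and JDBC URL are passed as arguments; Java 8 or later, a POSIX file system and Hive 1.2 or later (for `current_user()`) are assumed.

```java
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.PrivilegedExceptionAction;
import java.sql.*;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

// Added example (hypothetical class). Usage: java KeytabHiveCheck <principal> <keytab> <jdbc-url>
public class KeytabHiveCheck {

    // A keytab is a long-lived credential: refuse one that group or others can access.
    static void requireOwnerOnly(Path keytab) throws Exception {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keytab);
        for (PosixFilePermission p : perms) {
            if (p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_")) {
                throw new SecurityException(keytab + " is accessible beyond its owner: " + perms);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeytabHiveCheck <principal> <keytab> <jdbc-url>");
            System.exit(2);
        }
        final String principal = args[0], keytab = args[1], url = args[2];
        requireOwnerOnly(Paths.get(keytab));

        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // Returns a separate UGI instead of replacing the JVM-wide login user.
        UserGroupInformation ugi =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
        Class.forName("org.apache.hive.jdbc.HiveDriver");

        String who = ugi.doAs((PrivilegedExceptionAction<String>) () -> {
            // try-with-resources closes the session even if the query fails.
            try (Connection con = DriverManager.getConnection(url);
                 Statement st = con.createStatement();
                 ResultSet rs = st.executeQuery("SELECT current_user()")) {
                return rs.next() ? rs.getString(1) : null;
            }
        });
        System.out.println("keytab principal: " + ugi.getUserName());
        System.out.println("HiveServer2 session user: " + who);
    }
}
```

The two printed lines show which Kerberos identity was taken from the keytab and which user HiveServer2 assigned to the session.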