We had a need to authenticate user requests against AD in a Kerberos-enabled cluster, and to allow “local” Hive sessions to use only a keytab. Below are examples of each.
First, we show how to connect over a binary TCP transport without Knox. Notice the lack of a username and password in the connection string; only the keytab is used…

    import java.sql.*;
    import org.apache.hadoop.security.UserGroupInformation;

    public class hive2 {
        public static void main (String args[]) {
            try {
                // Tell the Hadoop security layer to use Kerberos
                org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
                conf.set("hadoop.security.authentication", "Kerberos");
                UserGroupInformation.setConfiguration(conf);
                // Log in from the service keytab; no password is supplied anywhere
                UserGroupInformation.loginUserFromKeytab("hive/[email protected]", "/etc/security/keytabs/hive.service.keytab");
                Class.forName("org.apache.hive.jdbc.HiveDriver");
                System.out.println("getting connection");
                // Binary transport on port 10000; principal= is the HiveServer2 service principal
                Connection con = DriverManager.getConnection("jdbc:hive2://ambari2012:10000/;principal=hive/[email protected]");
                System.out.println("got connection");
                con.close();
            }
            catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

…and then with HTTP, again using only the keytab…

    import java.sql.*;
    import org.apache.hadoop.security.UserGroupInformation;

    public class hive2 {
        public static void main (String args[]) {
            try {
                // Tell the Hadoop security layer to use Kerberos
                org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
                conf.set("hadoop.security.authentication", "Kerberos");
                UserGroupInformation.setConfiguration(conf);
                // Log in from the service keytab; no password is supplied anywhere
                UserGroupInformation.loginUserFromKeytab("hive/[email protected]", "/etc/security/keytabs/hive.service.keytab");
                Class.forName("org.apache.hive.jdbc.HiveDriver");
                System.out.println("getting connection");
                // HTTP transport on port 10001; httpPath must match the HiveServer2 HTTP endpoint
                Connection con = DriverManager.getConnection("jdbc:hive2://ambari2012:10001/;principal=hive/[email protected];transportMode=http;httpPath=cliservice");
                System.out.println("got connection");
                con.close();
            }
            catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

…and with a simple user authentication against Knox (notice the lack of a keytab and principal in the URL, but the addition of the username and password)…

    import java.sql.*;

    public class hive2 {
        public static void main (String args[]) {
            try {
                Class.forName("org.apache.hive.jdbc.HiveDriver");
                System.out.println("getting connection");
                // ssl=true: the JVM truststore must trust the Knox gateway certificate.
                // No Kerberos login here; the username and password (masked) are passed instead.
                Connection con = DriverManager.getConnection("jdbc:hive2://ambari2012:8443/;ssl=true;transportMode=http;httpPath=gateway/default/hive","showard","********");
                System.out.println("got connection");
                con.close();
            }
            catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

To connect with beeline, you must first kinit the hive service keytab (located under /etc/security/keytabs), then you can connect.

    [root@ambari2012 ~]# kinit -kt /etc/security/keytabs/hive.service.keytab hive/[email protected]
    [root@cmhlpdlkedat01 ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: hive/[email protected]

    Valid starting     Expires            Service principal
    06/25/15 23:21:13  06/26/15 09:21:13  krbtgt/[email protected]
            renew until 07/02/15 23:21:13
    [root@ambari2012 ~]# beeline -u "jdbc:hive2://ambari2012:10001/;principal=hive/[email protected];transportMode=http;httpPath=cliservice"

It was surprisingly difficult to get simple examples of each, so hopefully this helps someone.