{"id":4938,"date":"2015-06-18T13:38:41","date_gmt":"2015-06-18T18:38:41","guid":{"rendered":"http:\/\/appcrawler.com\/wordpress\/?p=4938"},"modified":"2015-06-25T22:30:04","modified_gmt":"2015-06-26T03:30:04","slug":"examples-of-connecting-to-kerberos-hive-in-jdbc","status":"publish","type":"post","link":"http:\/\/appcrawler.com\/wordpress\/2015\/06\/18\/examples-of-connecting-to-kerberos-hive-in-jdbc\/","title":{"rendered":"Examples of connecting to kerberos hive in JDBC"},"content":{"rendered":"<p>We had a need to authenticate user requests against AD in a Kerberos-enabled cluster, and allow &#8220;local&#8221; Hive sessions to use only a keytab. Below are the examples of each.<\/p>\n<p>First, we show how to connect over a binary TCP transport without Knox. Notice the lack of a username and password in the connection string, using only the keytab&#8230;<\/p>\n<pre>\r\nimport java.sql.*;\r\nimport org.apache.hadoop.security.UserGroupInformation;\r\n\r\npublic class hive2 {\r\n  public static void main (String args[]) {\r\n    try {\r\n      org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();\r\n      conf.set(\"hadoop.security.authentication\", \"Kerberos\");\r\n      UserGroupInformation.setConfiguration(conf);\r\n      UserGroupInformation.loginUserFromKeytab(\"hive\/ambari2012.howard2012.local@HOWARD2012.LOCAL\", \"\/etc\/security\/keytabs\/hive.service.keytab\");\r\n      Class.forName(\"org.apache.hive.jdbc.HiveDriver\");\r\n      System.out.println(\"getting connection\");\r\n      Connection con = DriverManager.getConnection(\"jdbc:hive2:\/\/ambari2012:10000\/;principal=hive\/ambari2012.howard2012.local@HOWARD2012.LOCAL\");\r\n      System.out.println(\"got connection\");\r\n      con.close();\r\n    }\r\n    catch (Exception e) {\r\n      e.printStackTrace();\r\n    }\r\n  }\r\n}\r\n<\/pre>\n<p>&#8230;and then over HTTP, again using only the keytab&#8230;<\/p>\n<pre>\r\nimport java.sql.*;\r\nimport 
org.apache.hadoop.security.UserGroupInformation;\r\n\r\npublic class hive2 {\r\n  public static void main (String args[]) {\r\n    try {\r\n      org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();\r\n      conf.set(\"hadoop.security.authentication\", \"Kerberos\");\r\n      UserGroupInformation.setConfiguration(conf);\r\n      UserGroupInformation.loginUserFromKeytab(\"hive\/ambari2012.howard2012.local@HOWARD2012.LOCAL\", \"\/etc\/security\/keytabs\/hive.service.keytab\");\r\n      Class.forName(\"org.apache.hive.jdbc.HiveDriver\");\r\n      System.out.println(\"getting connection\");\r\n      Connection con = DriverManager.getConnection(\"jdbc:hive2:\/\/ambari2012:10001\/;principal=hive\/ambari2012.howard2012.local@HOWARD2012.LOCAL;transportMode=http;httpPath=cliservice\");\r\n      System.out.println(\"got connection\");\r\n      con.close();\r\n    }\r\n    catch (Exception e) {\r\n      e.printStackTrace();\r\n    }\r\n  }\r\n}\r\n<\/pre>\n<p>&#8230;and with a simple user authentication against Knox (notice the lack of a keytab and principal in the URL, but the addition of the username and password)&#8230;<\/p>\n<pre>\r\nimport java.sql.*;\r\n\r\npublic class hive2 {\r\n  public static void main (String args[]) {\r\n    try {\r\n      Class.forName(\"org.apache.hive.jdbc.HiveDriver\");\r\n      System.out.println(\"getting connection\");\r\n      Connection con = 
DriverManager.getConnection(\"jdbc:hive2:\/\/ambari2012:8443\/;ssl=true;transportMode=http;httpPath=gateway\/default\/hive\",\"showard\",\"********\");\r\n      System.out.println(\"got connection\");\r\n      con.close();\r\n    }\r\n    catch (Exception e) {\r\n      e.printStackTrace();\r\n    }\r\n  }\r\n}\r\n<\/pre>\n<p>To connect with beeline, you must first kinit the Hive service keytab (located under \/etc\/security\/keytabs); then you can connect.<\/p>\n<pre>\r\n[root@ambari2012 ~]# kinit -kt \/etc\/security\/keytabs\/hive.service.keytab hive\/ambari2012.howard2012.local@HOWARD2012.LOCAL\r\n[root@cmhlpdlkedat01 ~]# klist\r\nTicket cache: FILE:\/tmp\/krb5cc_0\r\nDefault principal: hive\/ambari2012.howard2012.local@HOWARD2012.LOCAL\r\n\r\nValid starting     Expires            Service principal\r\n06\/25\/15 23:21:13  06\/26\/15 09:21:13  krbtgt\/HOWARD2012.LOCAL@HOWARD2012.LOCAL\r\n        renew until 07\/02\/15 23:21:13\r\n[root@ambari2012 ~]# beeline -u \"jdbc:hive2:\/\/ambari2012:10001\/;principal=hive\/ambari2012.howard2012.local@HOWARD2012.LOCAL;transportMode=http;httpPath=cliservice\"\r\n<\/pre>\n<p>It was surprisingly difficult to get simple examples of each, so hopefully this helps someone.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We had a need to authenticate user requests against AD in a Kerberos-enabled cluster, and allow &#8220;local&#8221; Hive sessions to use only a keytab. Below are the examples of each. 
First, we show how to connect over a binary&hellip;<\/p>\n<p class=\"more-link-p\"><a class=\"more-link\" href=\"http:\/\/appcrawler.com\/wordpress\/2015\/06\/18\/examples-of-connecting-to-kerberos-hive-in-jdbc\/\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[21,43,25],"tags":[],"_links":{"self":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/4938"}],"collection":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/comments?post=4938"}],"version-history":[{"count":10,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/4938\/revisions"}],"predecessor-version":[{"id":4957,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/4938\/revisions\/4957"}],"wp:attachment":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/media?parent=4938"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/categories?post=4938"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/tags?post=4938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}