New Contributor
Posts: 3
Registered: ‎04-26-2017

Impala - kerberos authentication jdbc

Hi all,

I am trying to connect to Impala (v2.6.0-cdh5.8.3) via JDBC with Kerberos authentication.

This is my code:

    public class ImpalaUtil {

        private static String jdbcDriver="com.cloudera.impala.jdbc4.Driver";

        private static String URL="jdbc:impala://<host_imapal_deamon>:21050;AuthMech=1;KrbRealm=REALM.COM;KrbHostFQDN=<host_impala_deamon>;KrbServiceName=impala";

        private ImpalaUtil() {
            System.setProperty("sun.security.krb5.debug", "true");
            System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
            System.setProperty("java.security.auth.login.config","<paht>/key/jaas.conf");
        }

    }

This is jaas.conf:

    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        doNotPrompt=true
        useTicketCache=true
        principal="myuser@REALM.COM"
        keyTab="/home/tmp/myown.keytab";
    };

I get the following error:

 

 

>>>KinitOptions cache name is /tmp/krb5cc_1000
java.sql.SQLException: [Simba][ImpalaJDBCDriver](500310) Invalid operation: Unable to obtain Principal Name for authentication ;
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createTransport(HiveServer2ClientFactory.java:224)
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createClient(HiveServer2ClientFactory.java:52)
at com.cloudera.impala.hivecommon.core.HiveJDBCConnection.connect(HiveJDBCConnection.java:597)
at com.cloudera.impala.jdbc.common.BaseConnectionFactory.doConnect(BaseConnectionFactory.java:219)
at com.cloudera.impala.jdbc.common.AbstractDriver.connect(AbstractDriver.java:216)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at eu.factory.connection.hive.ImpalaUtil.connect(ImpalaUtil.java:48)
at eu.factory.connection.hive.ImpalaUtil.connection(ImpalaUtil.java:73)
at eu.factory.statement.ExecuteImpalaQuery.q1(ExecuteImpalaQuery.java:15)
Caused by: com.cloudera.impala.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500310) Invalid operation: Unable to obtain Principal Name for authentication ;
... 10 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication 
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createTransport(HiveServer2ClientFactory.java:113)
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createClient(HiveServer2ClientFactory.java:52)
at com.cloudera.impala.hivecommon.core.HiveJDBCConnection.connect(HiveJDBCConnection.java:597)
at com.cloudera.impala.jdbc.common.BaseConnectionFactory.doConnect(BaseConnectionFactory.java:219)
at com.cloudera.impala.jdbc.common.AbstractDriver.connect(AbstractDriver.java:216)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)

 

 

If I start a ticket in the shell:

> kinit myuser

it works properly.

Any idea?

Thanks


Cloudera Employee
Posts: 26
Registered: ‎12-14-2016

Re: Impala - kerberos authentication jdbc


Hi fcausa,

 

I assume that <paht> is just a placeholder and not the literal text in the line setting java.security.auth.login.config. The credential cache will be checked first (jaas.conf has useTicketCache=true) so we'll need to make sure a valid ticket is available first. That is probably why running kinit first works. Also, is the REALM specified for the principal in jaas.conf the same as the default realm specified in krb5.conf (assuming your example of kinit working was with just the base username)?

 

However, for more details on the error, you can also enable debugging messages by adding LogLevel=3;LogPath=<file_path> to the connection string.
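
The checks raised in the reply above (login config path, keytab, principal realm versus the krb5.conf default realm) can be run on their own, followed by a JAAS login against the same "Client" entry, so Kerberos is tested without the JDBC driver. This is an added example, not code from the thread or from Cloudera; the class name KrbPreflight and its command-line arguments are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.login.LoginContext;

// Added diagnostic (not from the thread). Usage: java KrbPreflight <jaas.conf> [krb5.conf]
public class KrbPreflight {
    // Returns the first capture group of regex in text, or null when absent.
    static String find(String regex, String text) {
        Matcher m = Pattern.compile(regex).matcher(text);
        return m.find() ? m.group(1) : null;
    }

    static String read(Path p) throws Exception {
        if (!Files.isReadable(p)) throw new IllegalStateException("not readable: " + p);
        return new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) throw new IllegalArgumentException("usage: KrbPreflight <jaas.conf> [krb5.conf]");
        Path jaas = Paths.get(args[0]);
        Path krb5 = Paths.get(args.length > 1 ? args[1] : "/etc/krb5.conf");
        String jaasText = read(jaas);   // fails fast on a wrong login.config path
        String principal = find("principal\\s*=\\s*\"([^\"]+)\"", jaasText);
        String keyTab = find("keyTab\\s*=\\s*\"([^\"]+)\"", jaasText);
        String defaultRealm = find("(?m)^\\s*default_realm\\s*=\\s*(\\S+)", read(krb5));
        System.out.println("principal=" + principal + " keyTab=" + keyTab
                + " default_realm=" + defaultRealm);

        if (keyTab != null && !Files.isReadable(Paths.get(keyTab)))
            System.out.println("WARN: keytab not readable: " + keyTab);
        if (principal != null && principal.contains("@") && defaultRealm != null
                && !principal.endsWith("@" + defaultRealm))
            System.out.println("WARN: principal realm differs from default_realm " + defaultRealm);

        // Must be set before the first JAAS/Kerberos class reads its configuration.
        System.setProperty("java.security.krb5.conf", krb5.toString());
        System.setProperty("java.security.auth.login.config", jaas.toString());

        // Same entry name as in the posted jaas.conf; throws LoginException on failure.
        LoginContext lc = new LoginContext("Client");
        lc.login();
        System.out.println("JAAS login OK: " + lc.getSubject().getPrincipals());
        lc.logout();
    }
}
```

Running it once with a ticket in the cache and once after `kdestroy` shows whether the keytab path alone is enough to log in.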
