https://community.cloudera.com/t5/Support-Questions/beeline-in-kerberized-cluster/m-p/159518#M121907 <P>thanks <A rel="user" href="https://community.cloudera.com/users/1198/koenigbodensee.html" nodeid="1198">@Gerd Koenig</A></P> Wed, 21 Sep 2016 16:13:22 GMT avijeetd 2016-09-21T16:13:22Z https://community.cloudera.com/t5/Support-Questions/beeline-in-kerberized-cluster/m-p/159514#M121903 <P>Hi All,</P><P>to connect beeline, the following steps work</P><P>1. kinit as user hr1</P><P>2. beeline connect URL </P><P>!connect jdbc:hive2://localhost:10000/default;principal=hive/securityLab02@XXX.local;auth=kerberos</P><P>Then it asks for user name, password - for which just press enter </P><P>Once we are in, which user is it</P><P>1) is it hr1</P><P>2) is it hive user on behalf of hr1</P><P>3) it is hive user</P><P>whose permissions will work?</P><P>can someone please explain the token delegation that happens here. Also is it the right way to connect using beeline.</P><P>thanks,</P><P>Avijeet</P> Mon, 19 Sep 2016 21:56:35 GMT https://community.cloudera.com/t5/Support-Questions/beeline-in-kerberized-cluster/m-p/159514#M121903 avijeetd 2016-09-19T21:56:35Z https://community.cloudera.com/t5/Support-Questions/beeline-in-kerberized-cluster/m-p/159515#M121904 <P>The user that has the kerberos ticket will be the authenticated user </P><P>you can confirm </P><P>kdestroy</P><P>kinit as hr1 </P><P>then klist to check </P><P>then beeline </P><P>beeline -u ' jdbc:hive2://localhost:10000/default;<A href="mailto:principal=hive/securityLab02@XXX.local">principal=hive/securityLab02@XXX.local</A>'</P><P>all actions will be of the authenticated user via kerberos </P><P>please see this article </P><P><A href="https://community.hortonworks.com/questions/22897/kerberos-principal-should-have-3-parts.html" target="_blank">https://community.hortonworks.com/questions/22897/kerberos-principal-should-have-3-parts.html</A></P> Mon, 19 Sep 2016 22:25:11 GMT https://community.cloudera.com/t5/Support-Questions/beeline-in-kerberized-cluster/m-p/159515#M121904 mthiele1 2016-09-19T22:25:11Z https://community.cloudera.com/t5/Support-Questions/beeline-in-kerberized-cluster/m-p/159516#M121905 <P>thanks @mthiele</P><P>However I noticed while doing a HIVE command - the permissions of hive service principal is taking precedence over the authenticated user </P><P>load data inpath '/tmp/sample_07.csv' into table sample_07;</P> Tue, 20 Sep 2016 11:47:51 GMT https://community.cloudera.com/t5/Support-Questions/beeline-in-kerberized-cluster/m-p/159516#M121905 avijeetd 2016-09-20T11:47:51Z https://community.cloudera.com/t5/Support-Questions/beeline-in-kerberized-cluster/m-p/159517#M121906 <P>Hi <A rel="user" href="https://community.cloudera.com/users/11016/avijeetd.html" nodeid="11016">@Avijeet Dash</A>, </P><P>do you have impersonation enabled ('doAs') ?</P><P>check <A target="_blank" href="http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/">this</A> out, hth....</P> Tue, 20 Sep 2016 17:28:08 GMT https://community.cloudera.com/t5/Support-Questions/beeline-in-kerberized-cluster/m-p/159517#M121906 geko 2016-09-20T17:28:08Z https://community.cloudera.com/t5/Support-Questions/beeline-in-kerberized-cluster/m-p/159518#M121907 <P>thanks <A rel="user" href="https://community.cloudera.com/users/1198/koenigbodensee.html" nodeid="1198">@Gerd Koenig</A></P> Wed, 21 Sep 2016 16:13:22 GMT https://community.cloudera.com/t5/Support-Questions/beeline-in-kerberized-cluster/m-p/159518#M121907 avijeetd 2016-09-21T16:13:22Z