10-07-2016 07:41 AM
We have a java app designed to write data into our platform using the Java API HCatWriter.
This app needs a connection to the Hive metastore server (I'm not talking about HiveServer2) and, fair enough, since Kerberos was activated on the platform this particular java app is not working anymore.
It cannot connect to the Hive Metastore Server (the service hosted on the port 9083).
For that particular service, I am having a lot of trouble finding documentation on how we can manage a secured connection with Kerberos.
First of all, I don't know if I should pass the kerberos ticket of the hive user or if I should pass the kerberos ticket of the user running the application.
Then, I don't know how to configure the code in order to pass that ticket.
Has anyone already managed this kind of connection to the Hive Metastore Server?
10-10-2016 02:17 AM
Ok I managed to connect to the metastore server.
First of all, presenting the kerberos ticket of the "application user" did not work out.
So I tried to present the user "hive" ticket.
Here is the configuration made:
conf = new Configuration();
hiveConf = HCatUtil.getHiveConf(conf);
hiveConf.setVar(HiveConf.ConfVars.METASTOREURIS, "<URL_TO_METASTORE>");
hiveConf.setVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL, "hive/_HOST@<KERB_REALM>");
hiveConf.setVar(HiveConf.ConfVars.METASTORE_KERBEROS_KEYTAB_FILE, "<Path_To_Hive_Keytab>");
hiveConf.setVar(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL, "true");
hiveMetaStoreCli = HCatUtil.getHiveClient(hiveConf);
10-11-2016 01:49 AM
Just found that the below line is an extra step not needed.
But also, for the connection to work properly, you need to have a kerberos cache with a proper ticket.
For this, you need to set the variable KRB5CCNAME to target a valid kerberos cache. If you don't, you will see an exception like this:
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
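
An added example, not from the posts above: the same metastore connection where the JVM obtains its own TGT from a keytab through Hadoop's UserGroupInformation, so it does not depend on a ticket cache named by KRB5CCNAME. It assumes Hive 1.x/2.x class names; the class name, `<APP_PRINCIPAL>` and `<Path_To_App_Keytab>` are hypothetical placeholders, and the metastore must be willing to serve that principal.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
import org.apache.hadoop.security.UserGroupInformation;
import java.security.PrivilegedExceptionAction;

// Hypothetical class name; placeholders in <...> must be replaced.
public class MetastoreKerberosClient {
    public static void main(String[] args) throws Exception {
        // Tell the Hadoop security layer that this JVM authenticates with Kerberos.
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Log in from a keytab: the TGT lives in this process, so no
        // external ticket cache (KRB5CCNAME) is required.
        UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                "<APP_PRINCIPAL>@<KERB_REALM>", "<Path_To_App_Keytab>");

        HiveConf hiveConf = new HiveConf(conf, MetastoreKerberosClient.class);
        hiveConf.setVar(HiveConf.ConfVars.METASTOREURIS, "<URL_TO_METASTORE>");
        // On the client side this names the service principal the
        // metastore runs as; it is not the identity of the caller.
        hiveConf.setVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL,
                "hive/_HOST@<KERB_REALM>");
        hiveConf.setBoolVar(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL, true);

        // Open the Thrift/SASL connection as the logged-in user. Without a
        // TGT this is where "Failed to find any Kerberos tgt" is raised.
        ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
            HiveMetaStoreClient client = new HiveMetaStoreClient(hiveConf);
            try {
                System.out.println(client.getAllDatabases());
            } finally {
                client.close();
            }
            return null;
        });
    }
}
```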