Created on 05-23-2018 02:22 AM
Example topology for Kerberos auth and Hive:
[root@groot1 hive]# cat /etc/knox/2.6.0.3-8/0/topologies/kerberos.xml
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>HadoopAuth</name>
      <enabled>true</enabled>
      <param>
        <name>config.prefix</name>
        <value>hadoop.auth.config</value>
      </param>
      <param>
        <name>hadoop.auth.config.signature.secret</name>
        <value>hadoop12345!</value>
      </param>
      <param>
        <name>hadoop.auth.config.type</name>
        <value>kerberos</value>
      </param>
      <param>
        <name>hadoop.auth.config.simple.anonymous.allowed</name>
        <value>false</value>
      </param>
      <param>
        <name>hadoop.auth.config.token.validity</name>
        <value>1800</value>
      </param>
      <param>
        <name>hadoop.auth.config.cookie.domain</name>
        <value>openstacklocal</value>
      </param>
      <param>
        <name>hadoop.auth.config.cookie.path</name>
        <value>/gateway/kerberos/hive</value>
      </param>
      <param>
        <name>hadoop.auth.config.kerberos.principal</name>
        <value>HTTP/groot1.openstacklocal@SUPPORT.COM</value>
      </param>
      <param>
        <name>hadoop.auth.config.kerberos.keytab</name>
        <value>/etc/security/keytabs/spnego.service.keytab</value>
      </param>
      <param>
        <name>hadoop.auth.config.kerberos.name.rules</name>
        <value>DEFAULT</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>false</enabled>
    </provider>
  </gateway>
  <service>
    <role>NAMENODE</role>
    <url>hdfs://groot1.openstacklocal:8020</url>
  </service>
  <service>
    <role>JOBTRACKER</role>
    <url>rpc://master2.openstacklocal:8050</url>
  </service>
  <service>
    <role>WEBHDFS</role>
    <url>http://groot1.openstacklocal:50070/webhdfs</url>
  </service>
  <service>
    <role>WEBHCAT</role>
    <url>http://master2.openstacklocal:50111/templeton</url>
  </service>
  <service>
    <role>HIVE</role>
    <url>http://groot1.openstacklocal:10001/cliservice</url>
  </service>
  <service>
    <role>RESOURCEMANAGER</role>
    <url>http://master2.openstacklocal:8088/ws</url>
  </service>
</topology>
Example of how to use it (don't forget to have the Knox proxy settings in core-site.xml, and if you run into trouble, restart both Hive and Knox):
[root@groot1 hive]# kinit dvillarreal
Password for dvillarreal@SUPPORT.COM:
[root@groot1 hive]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: dvillarreal@SUPPORT.COM

Valid starting       Expires              Service principal
05/22/18 22:54:43    05/23/18 08:54:40    krbtgt/SUPPORT.COM@SUPPORT.COM
        renew until 05/29/18 22:54:43
[root@groot1 hive]# beeline
Beeline version 1.2.1000.2.6.0.3-8 by Apache Hive
beeline> !connect jdbc:hive2://groot1.openstacklocal:8443/;ssl=true;principal=HTTP/_HOST@SUPPORT.COM;transportMode=http;httpPath=gateway/kerberos/hive
Connecting to jdbc:hive2://groot1.openstacklocal:8443/;ssl=true;principal=HTTP/_HOST@SUPPORT.COM;transportMode=http;httpPath=gateway/kerberos/hive
Enter username for jdbc:hive2://groot1.openstacklocal:8443/;ssl=true;principal=HTTP/_HOST@SUPPORT.COM;transportMode=http;httpPath=gateway/kerberos/hive:
Enter password for jdbc:hive2://groot1.openstacklocal:8443/;ssl=true;principal=HTTP/_HOST@SUPPORT.COM;transportMode=http;httpPath=gateway/kerberos/hive:
Connected to: Apache Hive (version 1.2.1000.2.6.0.3-8)
Driver: Hive JDBC (version 1.2.1000.2.6.0.3-8)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://groot1.openstacklocal:8443/> show databases;
+----------------+--+
| database_name  |
+----------------+--+
| default        |
+----------------+--+
1 row selected (8.169 seconds)
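As an added example (not Knox's own tooling and not the original poster's code), a small Python audit that parses a topology in the format shown above and flags the HadoopAuth settings a reviewer would look at before deploying it: the literal signature secret, anonymous access, the auth type, and the disabled AclsAuthz provider. The embedded topology is a constructed, trimmed copy of the one above; the `${ALIAS=...}` check assumes Knox's credential-store alias syntax for topology params.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: a trimmed copy of the kerberos.xml topology shown above.
SAMPLE_TOPOLOGY = """<topology><gateway>
  <provider><role>authentication</role><name>HadoopAuth</name><enabled>true</enabled>
    <param><name>config.prefix</name><value>hadoop.auth.config</value></param>
    <param><name>hadoop.auth.config.signature.secret</name><value>hadoop12345!</value></param>
    <param><name>hadoop.auth.config.type</name><value>kerberos</value></param>
    <param><name>hadoop.auth.config.simple.anonymous.allowed</name><value>false</value></param>
    <param><name>hadoop.auth.config.token.validity</name><value>1800</value></param>
    <param><name>hadoop.auth.config.kerberos.keytab</name><value>/etc/security/keytabs/spnego.service.keytab</value></param>
  </provider>
  <provider><role>authorization</role><name>AclsAuthz</name><enabled>false</enabled></provider>
</gateway></topology>"""


def provider(topology_xml, role):
    """Return (name, enabled, {param: value}) for the provider with the given role."""
    for prov in ET.fromstring(topology_xml).iter("provider"):
        if prov.findtext("role") == role:
            params = {p.findtext("name"): p.findtext("value") for p in prov.findall("param")}
            return prov.findtext("name"), prov.findtext("enabled") == "true", params
    return None, False, {}


def audit_topology(topology_xml):
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    name, enabled, params = provider(topology_xml, "authentication")
    # HadoopAuth reads its settings under the prefix given by config.prefix.
    prefix = params.get("config.prefix", "hadoop.auth.config")
    if name != "HadoopAuth" or not enabled:
        findings.append("HadoopAuth authentication provider missing or disabled")
    if params.get(f"{prefix}.type") != "kerberos":
        findings.append("authentication type is not kerberos")
    if params.get(f"{prefix}.simple.anonymous.allowed", "true") != "false":
        findings.append("anonymous access is allowed")
    secret = params.get(f"{prefix}.signature.secret", "")
    # Assumption: Knox can reference a credential-store alias as ${ALIAS=name};
    # a literal secret here is readable by anyone who can read the topology file.
    if secret and not secret.startswith("${ALIAS="):
        findings.append("signature.secret is a literal value in the topology")
    authz_name, authz_enabled, _ = provider(topology_xml, "authorization")
    if not authz_enabled:
        findings.append(f"authorization provider {authz_name or '(none)'} is disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_topology(SAMPLE_TOPOLOGY) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the cleartext signature secret and the disabled AclsAuthz provider, which is exactly what the topology above contains.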
Created on 10-15-2018 12:06 PM
@dvillarreal Thanks for this, very useful!
Changing the principal on the beeline connect string to "principal=HTTP/_HOST@SUPPORT.COM" is something I forgot when implementing this HiveServer2 access pattern.
Created on 10-15-2018 03:23 PM
@Jasper My pleasure!