Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Accessing HIVE in Kerberized cluster through Beeline

Labels:
avatar
author-rank kums
Expert Contributor

Created ‎08-15-2018 07:55 PM

My cluster is kerberized and I am able to access HIVE through beeline from any of the node inside the cluster. I use the following command to connect :

beeline -u 'jdbc:hive2://<Node Name>:10000/default;principal=hive/<Node Name>@MYCOMPANY.CORP'

What I am trying to do is to connect to HIVE from my laptop(Mac OS).

In my MAC, I did "kinit <myuser name>" and it generated a ticket for me, but I do not know where it is stored or where the cache is present. I have beeline client in my laptop and I tried the same command:

beeline -u 'jdbc:hive2://<Node Name>:10000/default;principal=hive/<Node Name>@MYCOMPANY.CORP'

It kicks me out saying "Can't get Kerberos realm (state=08S01,code=0)"

Has anyone connected to HIVE using beeline using kerberos authentication ?

Thanks

Kumar

3,791 Views
0 Kudos
2 REPLIES 2

avatar
author-rank Shelton
Master Mentor

Created ‎08-15-2018 11:02 PM

@Kumar Veerappan

"Can't get Kerberos realm (state=08S01,code=0)" is the expected errors stack, because your Mac OS doesn't know of the REALM.

You will need to copy the file /etc/krb5.conf from your cluster, this file contains the connection information to your REALM. Please have a look at this Mac OS link it should be of help, unfortunately, I am on Windows.

HTH

3,236 Views
0 Kudos

avatar
author-rank vmurakami
Guru

Created ‎08-15-2018 11:29 PM

Hello @Kumar Veerappan!
Looks like you can't reach the REALM.

Check your /etc/krb5.conf, here's my example:

MYMAC:etc vmurakami$ cat /etc/krb5.conf 
[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = EXAMPLE.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  EXAMPLE.COM = {
    admin_server = vmurakami-1
    kdc = vmurakami-1
  }

And also, after you got the keytab (if you don't have it, then if it's possible, copy the same keytab valid and used in the HS2 hosts to your mac), check if it's valid with the following command:

[root@vmurakami-1 ~]# klist -ef 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: zookeeper/vmurakami-1@EXAMPLE.COM

Valid starting       Expires              Service principal
08/15/2018 23:23:31  08/16/2018 23:23:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
  Flags: FI, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

If you're still having issues, please share with us the whole error.

Hope this helps!

3,236 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements