Accessing HIVE in Kerberized cluster through Beeline

Expert Contributor

My cluster is kerberized and I am able to access HIVE through beeline from any of the nodes inside the cluster. I use the following command to connect:

beeline -u 'jdbc:hive2://<Node Name>:10000/default;principal=hive/<Node Name>@MYCOMPANY.CORP'

What I am trying to do is to connect to HIVE from my laptop (Mac OS).

On my Mac, I did "kinit <myuser name>" and it generated a ticket for me, but I do not know where it is stored or where the cache is. I have the beeline client on my laptop and I tried the same command:

beeline -u 'jdbc:hive2://<Node Name>:10000/default;principal=hive/<Node Name>@MYCOMPANY.CORP'

It kicks me out saying "Can't get Kerberos realm (state=08S01,code=0)"

Has anyone connected to HIVE using beeline with Kerberos authentication?

Thanks

Kumar

2 REPLIES

Mentor

@Kumar Veerappan

"Can't get Kerberos realm (state=08S01,code=0)" is the expected error stack, because your Mac OS doesn't know of the REALM.

You will need to copy the file /etc/krb5.conf from your cluster; this file contains the connection information to your REALM. Please have a look at this Mac OS link; it should be of help. Unfortunately, I am on Windows.

HTH

Hello @Kumar Veerappan!
Looks like you can't reach the REALM.

Check your /etc/krb5.conf, here's my example:

MYMAC:etc vmurakami$ cat /etc/krb5.conf 
[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = EXAMPLE.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  EXAMPLE.COM = {
    admin_server = vmurakami-1
    kdc = vmurakami-1
  }

And also, after you get the keytab (if you don't have it, then, if possible, copy the same valid keytab used on the HS2 hosts to your Mac), check if it's valid with the following command:

[root@vmurakami-1 ~]# klist -ef 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: zookeeper/vmurakami-1@EXAMPLE.COM

Valid starting       Expires              Service principal
08/15/2018 23:23:31  08/16/2018 23:23:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
  Flags: FI, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 

If you're still having issues, please share with us the whole error.

Hope this helps!
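
A quick way to test the point both replies make, as an added example that is not part of the original thread: this script checks a krb5.conf for a default_realm and for a [realms] entry with a kdc for the realm named in the beeline JDBC URL. The function names, the sample config and its hostnames are constructed placeholders, and it assumes KDC discovery via DNS is not in use (dns_lookup_kdc = false, as in the config posted above).

```python
import re
def parse_krb5(text):
    """Parse the krb5.conf subset shown above: [section], key = value, REALM = { ... }."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            realm = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                realm = section.setdefault(key, {})   # start of a realm block
            elif realm is not None:
                realm.setdefault(key, []).append(value)  # kdc may repeat
            else:
                section[key] = value
    return conf

def check_realm(conf_text, jdbc_url):
    """Return a list of problems that stop a client resolving the realm in jdbc_url."""
    m = re.search(r";principal=[^;@]+@([^;?#]+)", jdbc_url)
    if not m:
        return ["JDBC URL has no principal=service/host@REALM parameter"]
    realm, conf = m.group(1), parse_krb5(conf_text)
    lib, problems = conf.get("libdefaults", {}), []
    if "default_realm" not in lib:
        problems.append("no default_realm in [libdefaults]")
    entry = conf.get("realms", {}).get(realm)
    kdcs = entry.get("kdc", []) if isinstance(entry, dict) else []
    if not kdcs:  # assumes DNS-based KDC discovery is not relied on
        problems.append(f"no kdc listed for realm {realm} in [realms]")
    return problems

# Constructed sample: hostnames are placeholders, not taken from a real cluster.
SAMPLE_CONF = """[libdefaults]
  default_realm = MYCOMPANY.CORP
[realms]
  MYCOMPANY.CORP = {
    kdc = kdc1.mycompany.corp
  }
"""
SAMPLE_URL = "jdbc:hive2://hs2.mycompany.corp:10000/default;principal=hive/hs2.mycompany.corp@MYCOMPANY.CORP"
if __name__ == "__main__":
    print(check_realm(SAMPLE_CONF, SAMPLE_URL) or "realm resolvable from krb5.conf")
```

Pass it the contents of the laptop's /etc/krb5.conf and the URL given to beeline; an empty list means the realm in the principal is defined locally.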