Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Connecting to HiveServer2 Interactive / LLAP using DBeaver application via kerberos?

Connecting to HiveServer2 Interactive / LLAP using DBeaver application via kerberos?

New Contributor

I've seen Cloudera documentation point out that the URL template should be:

URL template: jdbc:hive2://{host}:{port}/{database};AuthMech=1;KrbRealm=FOO.BAR;KrbHostFQDN={server};

But that does not seem to be working. What jars are required? Has anyone gotten this working?

Links:

http://justnumbersandthings.com/2017-05-06-Dbeaver-Hive-Kerberos.html

6 REPLIES 6

Re: Connecting to HiveServer2 Interactive / LLAP using DBeaver application via kerberos?

New Contributor

We got this working. For those using Hortonworks HiveServer2 with Kerberos, this is what you need to do (providing your kerberos / kr5.conf is valid on your target host):

Plus signs are for diff representation only.

dbeaver.ini:

-startup
plugins/org.eclipse.equinox.launcher_1.3.201.v20161025-1711.jar
--launcher.library
plugins/org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.401.v20161122-1740
-showsplash
-vmargs
-Xms128m
-Xmx2048m
+ -Djavax.security.auth.useSubjectCredsOnly=false
+ -Djava.security.krb5.conf="krb5.conf"

Place the krb5.conf in the main installation path, or provide a path to it. After debugging for hours, and checking traces and more, this is wall it took.

class name:

org.apache.hive.jdbc.HiveDriver
Dbeaver URL template:
jdbc:hive2://{host}:{port}/{database};principal=hive/{host}.host.com@HOST.COM
Highlighted

Re: Connecting to HiveServer2 Interactive / LLAP using DBeaver application via kerberos?

Contributor
Unexpected driver error occurred while connecting to database
  Can't get Kerberos realm
    
      Cannot locate default realm
      Cannot locate default realm

This is the error I got, and I added only hive jdbc standalone jar.

Re: Connecting to HiveServer2 Interactive / LLAP using DBeaver application via kerberos?

New Contributor

Were you able to resolve this?

Re: Connecting to HiveServer2 Interactive / LLAP using DBeaver application via kerberos?

New Contributor

@Michael DeGuzisGetting error post this configuration:

Unexpected driver error occurred while connecting to database Can't get Kerberos realm Can't get Kerberos realm java.lang.reflect.InvocationTargetException KrbException: Cannot locate default realm Cannot locate default realm

Re: Connecting to HiveServer2 Interactive / LLAP using DBeaver application via kerberos?

New Contributor

We do not yet use this in production due to other items, but I'd suspect your krb.conf should be validated before going further. That is a pretty simple kerberos message.

Re: Connecting to HiveServer2 Interactive / LLAP using DBeaver application via kerberos?

New Contributor

I also met theses errors:

  Can't get Kerberos realm
    
      Cannot locate default realm

 

It was due to the quotes on parameter -Djava.security.krb5.conf.

 

I finally manage to connect my DBeaver to Hive with Kerberos SSL. 

My final dbeaver.ini config was:

--startup
plugins/org.eclipse.equinox.launcher_1.5.400.v20190515-0925.jar
--launcher.library
plugins/org.eclipse.equinox.launcher.gtk.linux.x86_64_1.1.1000.v20190125-2016
-vmargs
-XX:+IgnoreUnrecognizedVMOptions
--add-modules=ALL-SYSTEM
-Xms64m
-Xmx1024m
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=true
-Djava.security.krb5.conf=/etc/krb5.conf
-Djava.security.auth.login.config=/home/matthieu/jaas.conf

 

With jaas.conf like that:

Client {
   com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        doNotPrompt=true
        useKeyTab=true
        keyTab="/path/to/user.REALM.keytab"
        useTicketCache=true
        renewTGT=true
        principal="user@REALM"
    ;
};

and JDBC url:

 

jdbc:hive2://{host}:{port}/{database};KrbRealm=MY_REALM;principal=hive/{host}@MY_REALM;ssl=true;sslTrustStore=/path/to/trustore;transportMode=http;httpPath=cliservice;trustStorePassword=changeit