Support Questions

Find answers, ask questions, and share your expertise

Connecting to HiveServer2 Interactive / LLAP using DBeaver application via kerberos?

avatar
Contributor

I've seen Cloudera documentation point out that the URL template should be:

URL template: jdbc:hive2://{host}:{port}/{database};AuthMech=1;KrbRealm=FOO.BAR;KrbHostFQDN={server};

But that does not seem to be working. What jars are required? Has anyone gotten this working?

Links:

http://justnumbersandthings.com/2017-05-06-Dbeaver-Hive-Kerberos.html

6 REPLIES 6

avatar
Contributor

We got this working. For those using Hortonworks HiveServer2 with Kerberos, this is what you need to do (providing your kerberos / kr5.conf is valid on your target host):

Plus signs are for diff representation only.

dbeaver.ini:

-startup
plugins/org.eclipse.equinox.launcher_1.3.201.v20161025-1711.jar
--launcher.library
plugins/org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.401.v20161122-1740
-showsplash
-vmargs
-Xms128m
-Xmx2048m
+ -Djavax.security.auth.useSubjectCredsOnly=false
+ -Djava.security.krb5.conf="krb5.conf"

Place the krb5.conf in the main installation path, or provide a path to it. After debugging for hours, and checking traces and more, this is wall it took.

class name:

org.apache.hive.jdbc.HiveDriver
Dbeaver URL template:
jdbc:hive2://{host}:{port}/{database};principal=hive/{host}.host.com@HOST.COM

avatar
Contributor
Unexpected driver error occurred while connecting to database
  Can't get Kerberos realm
    
      Cannot locate default realm
      Cannot locate default realm

This is the error I got, and I added only hive jdbc standalone jar.

avatar
New Contributor

Were you able to resolve this?

avatar
New Contributor

@Michael DeGuzisGetting error post this configuration:

Unexpected driver error occurred while connecting to database Can't get Kerberos realm Can't get Kerberos realm java.lang.reflect.InvocationTargetException KrbException: Cannot locate default realm Cannot locate default realm

avatar
Contributor

We do not yet use this in production due to other items, but I'd suspect your krb.conf should be validated before going further. That is a pretty simple kerberos message.

avatar
New Contributor

I also met theses errors:

  Can't get Kerberos realm
    
      Cannot locate default realm

 

It was due to the quotes on parameter -Djava.security.krb5.conf.

 

I finally manage to connect my DBeaver to Hive with Kerberos SSL. 

My final dbeaver.ini config was:

--startup
plugins/org.eclipse.equinox.launcher_1.5.400.v20190515-0925.jar
--launcher.library
plugins/org.eclipse.equinox.launcher.gtk.linux.x86_64_1.1.1000.v20190125-2016
-vmargs
-XX:+IgnoreUnrecognizedVMOptions
--add-modules=ALL-SYSTEM
-Xms64m
-Xmx1024m
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=true
-Djava.security.krb5.conf=/etc/krb5.conf
-Djava.security.auth.login.config=/home/matthieu/jaas.conf

 

With jaas.conf like that:

Client {
   com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        doNotPrompt=true
        useKeyTab=true
        keyTab="/path/to/user.REALM.keytab"
        useTicketCache=true
        renewTGT=true
        principal="user@REALM"
    ;
};

and JDBC url:

 

jdbc:hive2://{host}:{port}/{database};KrbRealm=MY_REALM;principal=hive/{host}@MY_REALM;ssl=true;sslTrustStore=/path/to/trustore;transportMode=http;httpPath=cliservice;trustStorePassword=changeit