Impala - kerberos authentication jdbc

New Contributor

Hi all,

I am trying to connect to Impala (v2.6.0-cdh5.8.3) by JDBC with Kerberos authentication.

This is my code:

 

public class ImpalaUtil {

    private static String jdbcDriver = "com.cloudera.impala.jdbc4.Driver";

    // AuthMech=1 selects Kerberos authentication in the Impala JDBC driver
    private static String URL = "jdbc:impala://<host_imapal_deamon>:21050;AuthMech=1;KrbRealm=REALM.COM;KrbHostFQDN=<host_impala_deamon>;KrbServiceName=impala";

    private ImpalaUtil() {
        // Enable JDK Kerberos debug output and point the JVM at the krb5 and JAAS configuration files
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("java.security.auth.login.config", "<paht>/key/jaas.conf");
    }

}

This is jaas.conf:

 

Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      doNotPrompt=true
      useTicketCache=true
      principal="myuser@REALM.COM"
      keyTab="/home/tmp/myown.keytab";
   };

I get the following error:

 

 

>>>KinitOptions cache name is /tmp/krb5cc_1000
java.sql.SQLException: [Simba][ImpalaJDBCDriver](500310) Invalid operation: Unable to obtain Principal Name for authentication ;
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createTransport(HiveServer2ClientFactory.java:224)
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createClient(HiveServer2ClientFactory.java:52)
at com.cloudera.impala.hivecommon.core.HiveJDBCConnection.connect(HiveJDBCConnection.java:597)
at com.cloudera.impala.jdbc.common.BaseConnectionFactory.doConnect(BaseConnectionFactory.java:219)
at com.cloudera.impala.jdbc.common.AbstractDriver.connect(AbstractDriver.java:216)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at eu.factory.connection.hive.ImpalaUtil.connect(ImpalaUtil.java:48)
at eu.factory.connection.hive.ImpalaUtil.connection(ImpalaUtil.java:73)
at eu.factory.statement.ExecuteImpalaQuery.q1(ExecuteImpalaQuery.java:15)
Caused by: com.cloudera.impala.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500310) Invalid operation: Unable to obtain Principal Name for authentication ;
... 10 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication 
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createTransport(HiveServer2ClientFactory.java:113)
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createClient(HiveServer2ClientFactory.java:52)
at com.cloudera.impala.hivecommon.core.HiveJDBCConnection.connect(HiveJDBCConnection.java:597)
at com.cloudera.impala.jdbc.common.BaseConnectionFactory.doConnect(BaseConnectionFactory.java:219)
at com.cloudera.impala.jdbc.common.AbstractDriver.connect(AbstractDriver.java:216)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)

 

 

If I start a ticket in the shell:

> kinit myuser

it works properly.

Any idea?

Thanks

 

 

Rising Star

Hi fcausa,

 

I assume that <paht> is just a placeholder and not the literal text in the line setting java.security.auth.login.config. The credential cache will be checked first (jaas.conf has useTicketCache=true) so we'll need to make sure a valid ticket is available first. That is probably why running kinit first works. Also, is the REALM specified for the principal in jaas.conf the same as the default realm specified in krb5.conf (assuming your example of kinit working was with just the base username)?

 

However, for more details on the error, you can also enable debugging messages by adding LogLevel=3;LogPath=<file_path> to the connection string.

New Contributor

Cause:
This issue occurs when the JCE jars are not up to date on the client machine and are not able to use the encryption key provided by the Kerberos KDC.

Solution:
Download the latest/appropriate JCE jars and place them in JAVA_HOME/jre/lib/security. The files are:

US_export_policy.jar
local_policy.jar

These files are dependent on the Java version.
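
A stand-alone check for the two causes suggested in the replies above, as an added example that is not code from the thread or from Cloudera: it performs the JAAS login with the ticket cache disabled, so only the keytab can authenticate, and prints the JVM's maximum AES key length, which is below 256 when the limited JCE policy files are in place. The class name `KeytabLoginCheck` and its two command-line arguments are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

// Hypothetical diagnostic class; run as: java KeytabLoginCheck <principal> <keytab>
public class KeytabLoginCheck {

    // Same Krb5LoginModule options as the thread's jaas.conf, except that the
    // ticket cache is disabled so only the keytab can satisfy the login.
    static Configuration keytabOnly(String principal, String keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("doNotPrompt", "true");
        opts.put("useTicketCache", "false");
        opts.put("debug", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        String principal = args[0];   // e.g. myuser@REALM.COM
        String keytab = args[1];      // e.g. /home/tmp/myown.keytab

        // Below 256 means the limited JCE policy is active, so AES-256 keys are unusable.
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("Keytab readable:    " + Files.isReadable(Paths.get(keytab)));

        // Throws LoginException if the keytab cannot authenticate the principal.
        LoginContext lc = new LoginContext("Client", null, null, keytabOnly(principal, keytab));
        lc.login();
        System.out.println("Authenticated as:   " + lc.getSubject().getPrincipals());
        lc.logout();
    }
}
```

If this login succeeds while the JDBC connection still fails, the keytab and principal are usable and the remaining difference is in how the driver's JVM loads its JAAS configuration.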

New Contributor

Hi! 
I am facing the same problem. 
Did you get any resolution for the issue you are facing?

Community Manager

@itsme as this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post.



Regards,

Vidya Sargur,
Community Manager

