Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Impala - kerberos authentication jdbc

Impala - kerberos authentication jdbc

New Contributor

Hi all,

i am trying connect to impala ( v2.6.0-cdh5.8.3) by jdbc with kerberos authentication.

This is my code:

 

public class ImpalaUtil {

private static String jdbcDriver="com.cloudera.impala.jdbc4.Driver";

private static String URL="jdbc:impala://<host_imapal_deamon>:21050;AuthMech=1;KrbRealm=REALM.COM;KrbHostFQDN=<host_impala_deamon>;KrbServiceName=impala";

private ImpalaUtil() {
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
System.setProperty("java.security.auth.login.config","<paht>/key/jaas.conf");
}

}

This is jaas.conf:

 

Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      doNotPrompt=true
      useTicketCache=true
      principal="myuser@REALM.COM"
      keyTab="/home/tmp/myown.keytab";
   };

I get the following error:

 

 

>>>KinitOptions cache name is /tmp/krb5cc_1000
java.sql.SQLException: [Simba][ImpalaJDBCDriver](500310) Invalid operation: Unable to obtain Principal Name for authentication ;
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createTransport(HiveServer2ClientFactory.java:224)
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createClient(HiveServer2ClientFactory.java:52)
at com.cloudera.impala.hivecommon.core.HiveJDBCConnection.connect(HiveJDBCConnection.java:597)
at com.cloudera.impala.jdbc.common.BaseConnectionFactory.doConnect(BaseConnectionFactory.java:219)
at com.cloudera.impala.jdbc.common.AbstractDriver.connect(AbstractDriver.java:216)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at eu.factory.connection.hive.ImpalaUtil.connect(ImpalaUtil.java:48)
at eu.factory.connection.hive.ImpalaUtil.connection(ImpalaUtil.java:73)
at eu.factory.statement.ExecuteImpalaQuery.q1(ExecuteImpalaQuery.java:15)
Caused by: com.cloudera.impala.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500310) Invalid operation: Unable to obtain Principal Name for authentication ;
... 10 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication 
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createTransport(HiveServer2ClientFactory.java:113)
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createClient(HiveServer2ClientFactory.java:52)
at com.cloudera.impala.hivecommon.core.HiveJDBCConnection.connect(HiveJDBCConnection.java:597)
at com.cloudera.impala.jdbc.common.BaseConnectionFactory.doConnect(BaseConnectionFactory.java:219)
at com.cloudera.impala.jdbc.common.AbstractDriver.connect(AbstractDriver.java:216)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)

 

 

If i start ticket in shell: 

 

> kinit myuser

 

it works properly.

 

 

Any idea?

 

Thanks

 

 

2 REPLIES 2

Re: Impala - kerberos authentication jdbc

Contributor

Hi fcausa,

 

I assume that <paht> is just a placeholder and not the literal text in the line setting java.security.auth.login.config. The credential cache will be checked first (jaas.conf has useTicketCache=true) so we'll need to make sure a valid ticket is available first. That is probably why running kinit first works. Also, is the REALM specified for the principal in jaas.conf the same as the default realm specified in krb5.conf (assuming your example of kinit working was with just the base username)?

 

However, for more details on the error, you can also enable debugging messages by adding LogLevel=3;LogPath=<file_path> to the connection string.

Re: Impala - kerberos authentication jdbc

New Contributor

Cause:
​This issue occurs when the jce jars are not up to date on the client machine and not able to use the encryption key provided by Kerberos kdc.
Solution:
​Download the latest/appropriate jce jars and place them in JAVA_HOME/jre/lib//security. The files are:

US_export_policy.jar
local_policy.jar
These files are dependent on the Java version.