Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Java Hive client Kerberos connection issue

Highlighted

Java Hive client Kerberos connection issue

Expert Contributor

HDP-2.5.0.0 using Ambari 2.4.0.1 and having 1.8.0_111 on my desktop.

Using the MIT Ticket Kerberos Mgr., I generated a keytab file on my Windows viz. E:\\ojoqcu.keytab. I am able to connect and query the Hive databases from SQL Developer, also, I can log-in to any of nodes and connect to beeline using the jdbc string used in the code.

I read some good existing threads like this and proceeded with the Java client(executed via Eclipse) to connect to the Hive db, following is the code :

private Connection getHiveConnection() {
org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
conf.set("hadoop.security.authentication", "Kerberos");
UserGroupInformation.setConfiguration(conf);
Connection con = null;
try {
UserGroupInformation.loginUserFromKeytab(
"ojoqcu@GLOBAL.SCD.COM", "E:\\ojoqcu.keytab");
Class.forName("org.apache.hive.jdbc.HiveDriver");
//System.setProperty("javax.security.auth.useSubjectCredsOnly",
//"false");
//System.setProperty("java.security.krb5.conf", "krb5.conf");
logger.info("getting connection");
con = DriverManager.getConnection("jdbc:hive2://l4373t.sss.com:2181,l4283t.sss.com:2181,l4284t.sss.com:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2");

} catch (IOException e) {
logger.error("IOException in getHiveConnection()", e);
} catch (SQLException e) {
logger.error("SQLException in getHiveConnection()", e);
} catch (ClassNotFoundException e) {
logger.error("ClassNotFoundException in getHiveConnection()", e);
}
return con;
}

I get the following Exception :

log4j:WARN No appenders could be found for logger (org.apache.hadoop.metrics2.lib.MutableMetricsFactory).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
[ERROR] 2016-10-21 09:21:27.003 [main] HiveClient - IOException in getHiveConnection()
java.io.IOException: Login failure for ojoqcu@GLOBAL.SCD.COM from keytab E:\ojoqcu.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:987) ~[hadoop-common-2.7.3.2.5.0.0-1245.jar:?]
at com.hadoop.client.hive.HiveClient.getHiveConnection(HiveClient.java:29) [bin/:?]
at com.hadoop.client.hive.HiveClient.main(HiveClient.java:19) [bin/:?]
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897) ~[?:1.8.0_71]
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760) ~[?:1.8.0_71]
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) ~[?:1.8.0_71]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_71]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_71]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_71]
at java.lang.reflect.Method.invoke(Method.java:497) ~[?:1.8.0_71]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_71]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_71]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_71]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_71]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_71]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_71]
at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_71]
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:978) ~[hadoop-common-2.7.3.2.5.0.0-1245.jar:?]
... 2 more

What am I missing :

  1. If Zookeeper service discovery is used, is it essential to use a 'principal' in the JDBC string ?
  2. Do I have to set any more system properties to ensure that the java security module works properly ?
1 REPLY 1
Highlighted

Re: Java Hive client Kerberos connection issue

Cloudera Employee

Use this link to connect kerberos hive in JDBC.

Don't have an account?
Coming from Hortonworks? Activate your account here