Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Kerberos authentication issue with hive JDBC driver

avatar
author-rank VeeBabu
New Contributor

Created on ‎01-06-2016 01:56 PM - edited ‎09-16-2022 02:56 AM

Hi

 

I get error when connecting to hiveserver2 with kerberos authentication from windows machine, my settings are as follows

 

Hadoop Cluster - CDH 5.4

Hive JDBC driver - 2.5.15

HostName - hiveserver2

port - 10000 (default)

AuthMech - 1

KrbServiceName - hive

KrbHostFQDN - hiveserver.example.com

KrbRealm - example.com

 

Client environment - windows machine (kerberos in active directory implementation)

 

Error Message - Cloudera HiveJDBCDriver 500164 Error Initialized or created transport for authentication: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE

 

Struggling with this for few days, let me know what is missing?

 

regards,VeeBabu

16,280 Views
0 Kudos
4 REPLIES 4

avatar
briantwalter author-rank
Cloudera Employee

Created ‎01-14-2016 12:41 PM

Hi VeeBau,

 

I've seen this issue too on Mac machines and with the Impala JDBC driver.  The answer lies in an environment variable that needs to be set for the Kerberos cache.  This *is* documented for Windows but not for the Mac.  Basically you need to have KRB5CCNAME set to a file path.

 

For Windows this is documented on page 76 of this document: http://www.cloudera.com/content/www/en-us/documentation/other/connectors/hive-jdbc/latest/Cloudera-J...

 

The same is true for the Impala driver on page 13 here: http://www.cloudera.com/content/www/en-us/documentation/other/connectors/impala-jdbc/latest/Cloudera...

 

If you come across this error on a Mac (or Linux - probably, I have not tested) your enviornment needs to be set up prior to the application launch and prior to running kinit in a .profile or similar like so:

 

export KRB5CCNAME=/path/to/some/file

Hope this helps,

Brian

16,245 Views
0 Kudos

avatar
author-rank VeeBabu
New Contributor

Created ‎01-19-2016 08:09 AM

Dear Brian

 

Thank you for your reply. On the windows machine is it possible to point KRB5CCNAME  environment variable to MS Windows LSA cache as I should already have the ticket in LSA as part of the windows active directory authentication. Please let me know if this should work

 

regards,

VeeBabu

16,220 Views
0 Kudos

avatar
briantwalter author-rank
Cloudera Employee

Created ‎01-19-2016 01:18 PM

It looks like the LSA cache usage *is* possible, I personally don't have a Windows machine to test it with however.  From the MIT Kerbeors docs it looks like there are a few other steps to use this cache on Windows and some tools required.  

 

Have a look on this page https://github.com/krb5/krb5/tree/master/src/windows and look for the section titled 'Credentials Cache' for the steps to try it out.

 

Hope this helps.

16,210 Views
0 Kudos

avatar
author-rank evinhas
Explorer

Created ‎10-24-2016 08:52 AM

In linux, according to this

 

http://web.mit.edu/kerberos/www/krb5-1.9/krb5-1.9.4/doc/krb5-admin.html

 

The default kerberos cache files are stored in /tmp folder, they match with this pattern:

 

/tmp/krb5cc_<uid>, where <uid> is your UNIX user-id, represented in decimal format.

 

Hope it helps.

14,921 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements