Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Kerberos authentication with hive JDBC driver

Labels:
avatar
author-rank majeedk
New Contributor

Created on ‎01-20-2017 04:17 AM - edited ‎09-16-2022 03:55 AM

I am trying to connect to Hive database with Oracle SQL developer using Cloudera Hive JDBC drivers.

I keep getting following error message

 

Status : Failure -Test failed: [Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.

 

My Hadoop environment has

  • Hive version 1.2.1.2.3
  • Kerberos version 1.10.3-10

I am trying to connect to this Hive database from Windows 7 64-bit machine which has

  • Sqldeveloper version 4.2.0.16.356.1154
  • Cloudera_Hive JDBC4 driver 2.5.18.1050
  • MIT Kerberos app version 4.1

 

Important: Windows machine I am connecting from is on a different domain as that of Hadoop cluster.

 

I have followed instructions from Using SQL Developer to access Apache Hive with kerberos authentication and steps I have performed are.

  1. Imported all the jar files to SQL Developer from the JDBC driver .
  2. Updated Java Crypto jars (local_policy.jar and US_export_policy.jap in sqldeveloper\jdk\jre\lib\security folder) with ones provided in UnlimitedJCEPolicy.zip.
  3. Created an environment variable  KRB5CCNAME whose value is set to C:\sqldeveloper\ktfile.keytab
  4. Installed MIT kerberos 4.1 64-bit app
  5. Acquired valid ticked (via kinit/hrough the app)
  6. Picture below shows the connection details

Hive connection details were:

 

 

Host name: machine.test.group
port: 10010
database: default

Krbservicename: hive
AuthMech: 1
KrbFQDN: machine.test.group
KrbRealm:  dev.mycompany.com

 

Can someone please advise me what I can do to fix the issue and connect to Hive using JDBC drivers.

35,014 Views
0 Kudos
2
8 REPLIES 8

avatar
saranvisa author-rank
Champion

Created ‎01-20-2017 09:22 AM

@majeedk

 

I am using Linux but never tried from windows. Still hope it may give some insights

 

1. Create a keytab (for the source login) in the environment where you have kerberos installed. And keep the keytab file somewhere like /home/user/.auth/example.keytab (Change the path to windows equalent)


2. Create a shell to call the kinit (change the shell, kinit command to windows equalent)
kinit user@REALM -k -t /home/user/.auth/example.keytab


3. Create a cron job (or anyother job which suits for windows) to call the above shell in a frequent interval. Becuase by default, Kerberos ticket will expire in a week, so you need to run a job to kinit the process in a frequent interval

 

Thanks

Kumar

34,703 Views
0 Kudos

avatar
author-rank majeedk
New Contributor

Created on ‎01-26-2017 04:28 AM - edited ‎01-26-2017 04:33 AM

Hi @saranvisa

I have tried your suggestion but I am still getting error while trying to connect to Hive.

 

  • I copied the keytab file from hadoop cluster to my windows machine  (ktfile.keytab)
  • I ran the following command from dir where I copied the keytab file 

 

kinit -k -t ktfile.keytab USER@dev.mycompany.com

 

  • The above commands get a valid ticket and I can view thsi using MIT Kerberos app.
  • After this If I try to connect to Hive database from SQL Developer I get following error. 
Status : Failure -Test failed: [Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.

I have noticed that the above kinit command appends data to my original keytab file and any subsequent attempts to run the kinit command to get a tickect results in following error.

 

kinit: Unsupported key table format version number while getting initial credentials

 

 

 

34,658 Views
0 Kudos

avatar
saranvisa author-rank
Champion

Created ‎01-26-2017 06:51 AM

@majeedk

 

 

Status : Failure -Test failed: [Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.

 

The error message that you showed above is the partial (or) full error? If it is partial, then pls check your error message has any keyword like 'krb'... 

 

Ex:
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)

 

If you don't find any krb related error then pls do not focus on kerberos... instead you can focus on other points like the port has been opened between the environment, etc like that

 

 

34,648 Views
0 Kudos

avatar
author-rank majeedk
New Contributor

Created on ‎01-26-2017 07:44 AM - edited ‎01-26-2017 07:45 AM

 @saranvisa

 

The entire error message I see in Oracle SQL Developer is

 

An error was encountered performing the requested operation:

[Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.

Vendor code 500164

 

Does it mean it is not kerberos error message?

 

PS: Does having Hadoop cluster (Linux) on different domain than my client machine (Windows) have any bearing on connection?

34,641 Views
0 Kudos

avatar
saranvisa author-rank
Champion

Created ‎01-26-2017 07:56 AM

@majeedk

 

let me put in this way...

1. do you have access to your linux box by any chance. if so pls login and authenticate with your keytab to make sure everything is ok in your keytab.

2. if you don't have access, ask your admin (those who has access) to use your keytab to authenticate and confirm there is no issue with keytab.

3. In the mean time, the error doesn't show anything about kerberos [usually it will show krb issue if you access from the linux box, but i never tried from windows machine, so not sure]. So you need to make sure the Port is open, Firewall related check, etc... to make sure everything is ok other than kerberos issue

34,637 Views
0 Kudos

avatar
author-rank mathieu.d
Super Collaborator

Created on ‎01-27-2017 01:37 AM - edited ‎01-27-2017 06:01 AM

Hi,

 

If you are using the KRB5CCNAME variable it should not target the keytab file. That is the reason you cannot kinit twice with the same keytab.

 

That variable should target the Kerberos ticket cache generated using the keytab or login/password.

 

Also, you need to get a valid Kerberos ticket using the same Kerberos REALM as your Hadoop cluster is using.

 

34,619 Views
0 Kudos

avatar
author-rank ebeb
Expert Contributor

Created ‎08-08-2018 01:41 PM

Hello,
Did you resolve this SQL Developer connection error? If so what was the solution as I have the same issue. Thanks!
27,726 Views
0 Kudos

avatar
author-rank ebeb
Expert Contributor

Created ‎08-13-2018 02:19 PM

This issue was resolved by following the instructions in this site: http://vijayjt.blogspot.com/2016/02/how-to-connect-to-kerberised-chd-hadoop.html

 

We need to copy the Java JCE unlimited strength policy files and the krb5.conf file under jdk/jre/lib/security folder where SQL Developer is installed. After this the Hive connection via Kerberos was successful.

27,579 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements