Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here. Want to know more about what has changed? Check out the Community News blog.

Kerberos : connect to Hive Metastore server from a Java app

Kerberos : connect to Hive Metastore server from a Java app

Super Collaborator

Hi,

 

We have a java app designed to write data into our platform using the Java API HCatWriter.

This app need a connection to the hive mestatore server (I'm not talking about HiveServer2) and fair enough since Kerberos was actived on the platform this particular java app is not working anymore.

 

It cannot connect to the Hive Metastore Server (the service hosted on the port 9083).

 

For that particular service, I have a lot of trouble to get some documentation on how we can manage a secured connection with Kerberos.

First of all, I don't know if I should pass the kerberos ticket of the hive user or if I should pass the kerberos ticket of the user running the application.

 

Then, I don't know how to configure the code in order to pass that ticket.

 

Does someone has already manage this kind of connection on the Hive Metastore Server ?

 

regards,

Mathieu

2 REPLIES 2
Highlighted

Re: Kerberos : connect to Hive Metastore server from a Java app

Super Collaborator

Ok I managed to connect to the metastore server.

 

First of all, presenting the kerberos ticket of the "application user" did not work out.

So I tried to present the user "hive" ticket.

 

It worked.

 

Here is the configuration made :

conf = new Configuration();
hiveConf = HCatUtil.getHiveConf(conf);
hiveConf.setVar(HiveConf.ConfVars.METASTOREURIS, "<URL_TO_METASTORE>"));
hiveConf.setVar(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL, "hive/_HOST@<KERB_REALM>");
hiveConf.setVar(HiveConf.ConfVars.METASTORE_KERBEROS_KEYTAB_FILE, "<Path_To_Hive_Keytab>");
hiveConf.setVar(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL, "true");

hiveMetaStoreCli = HCatUtil.getHiveClient(hiveConf);

 

 

 

Re: Kerberos : connect to Hive Metastore server from a Java app

Super Collaborator

Hi,

 

Just found that the bellow line is an extra step not needed.

hiveConf.setVar(HiveConf.ConfVars.METASTORE_KERBEROS_KEYTAB_FILE, "<Path_To_Hive_Keytab>");

 

But also, for the connection to work properly, you need to have a kerberos cache with a proper ticket.

For this, you need to set the variable KRB5CCNAME to target a valid kerberos cache. If you don't, you will see an exception like this :

Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)