Kerberos hive authentication question

Master Collaborator

I have created a principal for myself called sami, just like the hive principal created by Ambari (see below). I also get a ticket, and I have added my username 'sami' to the Ranger HIVE policy in Ambari.

What I am not understanding are two things:

a) I can log in to Hive using the hive principal? I should not be allowed to use other principals.

!connect jdbc:hive2://hadoop2:10000/default;principal=hive/hadoop2@MY.COM
Driver: Hive JDBC (version 1.2.1000.2.5.0.0-1245)
Transaction isolation: TRANSACTION_REPEATABLE_READ

b) If I try to use my principal, i.e. sami, I don't get a connection. What am I missing?

!connect jdbc:hive2://hadoop2:10000/default;principal=hive/hadoop2@MY.COM
Error: Could not open client transport with JDBC Uri: jdbc:hive2://hadoop2:10000/default;principal=sami/hadoop2@MY.COM: Peer indicated failure: GSS initiate failed (state=08S01,code=0)


sami/hadoop2.my.com@MY.COM
sami/hadoop2@MY.COM
sami@MY.COM
kadmin.local:
kadmin.local:  listprincs hive*
hive/admin@MY.COM
hive/hadoop1.my.com@MY.COM
hive/hadoop2.my.com@MY.COM
hive/hadoop3.my.com@MY.COM
hive/hadoop4.my.com@MY.COM
hive/hadoop5.my.com@MY.COM
hive@MY.COM
Re: Kerberos hive authentication question

Super Collaborator

@Sami Ahmad

First kinit with your user principal

#kinit sami@MY.COM

And try connecting

!connect jdbc:hive2://hadoop2.my.com:10000/default;principal=hive/hadoop2.my.com@MY.COM

Re: Kerberos hive authentication question

Master Collaborator

I did kinit as I mentioned earlier, and I can see the ticket with klist also.

But why use principal "hive" and not "sami"?

Re: Kerberos hive authentication question

New Contributor

@Sami Ahmad

First you have to do kinit with a principal (user) having credentials, and when you try to connect to the Hive server, it will ask for a user and password. At that time you have to enter the credentials of a user that is present on ranger-service (Ranger database). For the same, please find the screenshot.

9982-hive-connection.png

Re: Kerberos hive authentication question

Master Collaborator

Once I do the kinit, I can connect to the Hive server without even entering the password; as username I enter hive.

From the web I understand that this username that beeline asks for is not needed? Why does it let me connect otherwise, even when I enter a bogus password?

Re: Kerberos hive authentication question

Master Collaborator

As you see, I can connect to HiveServer2 even by giving a wrong username and password, so what's the use of this username?

-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_600
Default principal: sami@MY.COM
Valid starting     Expires            Service principal
11/30/16 23:22:44  12/01/16 23:22:44  krbtgt/MY.COM@MY.COM
        renew until 11/30/16 23:22:44
-bash-4.1$
-bash-4.1$ beeline
Beeline version 1.2.1000.2.5.0.0-1245 by Apache Hive
beeline> !connect jdbc:hive2://hadoop2:10000/default;principal=hive/hadoop2@MY.COM
Connecting to jdbc:hive2://hadoop2:10000/default;principal=hive/hadoop2@MY.COM
Enter username for jdbc:hive2://hadoop2:10000/default;principal=hive/hadoop2@MY.COM: abcd
Enter password for jdbc:hive2://hadoop2:10000/default;principal=hive/hadoop2@MY.COM: *****
Connected to: Apache Hive (version 1.2.1000.2.5.0.0-1245)
Driver: Hive JDBC (version 1.2.1000.2.5.0.0-1245)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://hadoop2:10000/default> show  tables;
+---------------+--+
|   tab_name    |
+---------------+--+
| customers     |
| employee      |
| load_tweets   |
| tab1          |
| tweets        |
| twitterdata2  |
+---------------+--+
6 rows selected (0.109 seconds)
0: jdbc:hive2://hadoop2:10000/default>
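
The session above, as an added example that is not part of the original thread: on a Kerberos connection the client identity is the ticket cache's default principal (here sami@MY.COM), while `principal=` in the JDBC URL names the HiveServer2 service, and the username and password typed at the Beeline prompt are not what authenticates the session. The function names and the default expected primary `hive` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): tell apart the two Kerberos identities
# in a HiveServer2 connection before trying to connect.

# Client identity = "Default principal" of the ticket cache (klist output on stdin).
client_principal() {
  sed -n 's/^Default principal:[[:space:]]*//p' | head -n 1
}

# Service identity = value of the principal= session variable in the JDBC URL.
service_principal() {
  printf '%s\n' "$1" | tr ';?#' '\n\n\n' | sed -n 's/^principal=//p' | head -n 1
}

# preflight KLIST_OUTPUT JDBC_URL [EXPECTED_SERVICE_PRIMARY]
# The default "hive" is an assumption based on the hive/<host>@MY.COM
# principals shown in the listprincs output.
preflight() (
  client=$(printf '%s\n' "$1" | client_principal)
  service=$(service_principal "$2")
  expected=${3:-hive}
  [ -n "$client" ] || { echo "NO_TICKET: run kinit first"; exit 1; }
  [ -n "$service" ] || { echo "NO_SERVICE_PRINCIPAL: URL lacks principal="; exit 1; }
  case $service in
    "$expected"/*@*)
      echo "OK: authenticating as $client to service $service" ;;
    *)
      echo "WRONG_SERVICE_PRINCIPAL: $service is not $expected/<host>@REALM"
      exit 1 ;;
  esac
)

# Constructed inputs, copied from the klist session and the URLs in the thread.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_600
Default principal: sami@MY.COM'
GOOD_URL='jdbc:hive2://hadoop2:10000/default;principal=hive/hadoop2@MY.COM'
BAD_URL='jdbc:hive2://hadoop2:10000/default;principal=sami/hadoop2@MY.COM'

preflight "$KLIST_SAMPLE" "$GOOD_URL" || true   # ticket for sami, service hive/...
preflight "$KLIST_SAMPLE" "$BAD_URL" || true    # URL names the user, not the service
preflight "" "$GOOD_URL" || true                # no ticket cache contents
```

On a live host, pass the real cache contents with `preflight "$(klist)" "$URL"`.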