Python3 connection to Kerberos Hbase thrift HTTPS


Hi Community member,

We have a Python3 application that connects to HBase and fetches data.

The connectivity was working fine with the Kerberos HBase Thrift binary protocol (in TSocket) until the Hadoop team moved the Hadoop system to Cloudera and Cloudera Manager, which starts Kerberos HBase Thrift in HTTPS mode.

Now the protocol has changed from TSocket to HTTP/HTTPS, and the Python code cannot authenticate using the HTTP client with SASL Kerberos.

The current Python version used is Python 3.6.8

and package versions are 





Working code in TSocket mode:


from thrift.transport import TSocket, TTransport
from thrift.protocol import TBinaryProtocol
from hbase import Hbase
from hbase.ttypes import *
import jprops
from subprocess import call, check_output

with open('/data/properties/') as fp:
    properties = jprops.load_properties(fp)

# kerberos ticket
principal = properties["principal"]
# assumption: the post never defines keyTab; the "keyTab" property name is hypothetical
keyTab = properties["keyTab"]
# pass kinit its arguments as a list so that no shell parses the property values
call(["kinit", "-kt", keyTab, principal])

# Hbase connection
def hbase_connection():
    # get hbase data
    thriftHost = properties["thriftHost"]
    hbaseService = properties["hbaseService"]
    Tsock = TSocket.TSocket(thriftHost, 9090)
    Tsock.setTimeout(2000000)  # Milliseconds timeout
    # the arguments were cut off in the post; these are reconstructed from the
    # variables defined above and the TSaslClientTransport signature
    transport = TTransport.TSaslClientTransport(Tsock, thriftHost, hbaseService, mechanism="GSSAPI")
    protocol = TBinaryProtocol.TBinaryProtocol(transport)
    client = Hbase.Client(protocol)
    return client, transport

# get kerberized ticket

client, transport = hbase_connection()




I found that in the code there was a comment saying it just supports TSocket:


"transport: an underlying transport to use, typically just a TSocket"


We tried to use

but it cannot be used in TTransport.TSaslClientTransport for SASL kerberos.


Please help to suggest whether Python cannot be used with Cloudera-managed Kerberos HBase Thrift over HTTPS, and any alternative method to connect to HBase (Kerberos) using Python.






I wanted to update the solution; it may be helpful if anyone wants to use it.

### Client side python packages

  • six 1.15.0
  • thrift 0.13.0
  • hbase-thrift 0.20.4
  • pykerberos 1.2.1


### Python code
# Prerequisite: kinit has been run and a Kerberos ticket is available for the user
# HBase Thrift is running in HTTP protocol, secure mode
# The Python code uses the Kerberos ticket from the local ticket cache,
# adds the Kerberos context to the HTTP header,
# and performs HBase client operations like get table, table scan etc.
# Important: the httpClient transport's opened session is available for one call only;
#            for the next HBase operation, get a new Kerberos context (krb_context) by adding the header and opening the session again

import kerberos
from thrift import Thrift
from thrift.transport import THttpClient
from thrift.protocol import TBinaryProtocol
from hbase.Hbase import Client
import ssl

# hbaseService and clientPrincipal are not defined in the post; set them for your cluster

def kerberos_auth():
    # service can be hbase or HTTP, based on the HBase Thrift configuration
    __, krb_context = kerberos.authGSSClientInit(hbaseService, principal=clientPrincipal)
    kerberos.authGSSClientStep(krb_context, "")
    negotiate_details = kerberos.authGSSClientResponse(krb_context)
    headers = {'Authorization': 'Negotiate ' + negotiate_details, 'Content-Type': 'application/binary'}
    return headers

httpClient = THttpClient.THttpClient('https://<THRIFT_HOST>:9090/', cert_file='<client cert file path>.crt', key_file='<client cert key file path>.key', ssl_context=ssl._create_unverified_context())
# ssl._create_unverified_context() skips certificate and host name checks;
# use it only if no SSL verification is required
# for new session start
# not shown in the post: attach the Negotiate header built by kerberos_auth()
httpClient.setCustomHeaders(headers=kerberos_auth())
protocol = TBinaryProtocol.TBinaryProtocol(httpClient)
client = Client(protocol)
# for new session end


Thank you,
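
A variant of the connection code in the post above that verifies the Thrift server's TLS certificate instead of using `ssl._create_unverified_context()`, builds a new Negotiate header for every call, and releases the GSS context afterwards. This is an added example, not part of the original post or Cloudera's code; the function names, the injectable `gss` parameter and the placeholder service name are assumptions.

```python
import ssl


def verified_tls_context(ca_file=None):
    """TLS context that checks the server certificate chain and host name.

    ca_file: PEM bundle of the CA that signed the Thrift server certificate
    (assumed path supplied by the caller); None uses the system trust store.
    """
    # create_default_context() sets CERT_REQUIRED and check_hostname=True
    return ssl.create_default_context(cafile=ca_file)


def negotiate_headers(service, gss=None):
    """Return a one-shot SPNEGO header built from the local ticket cache.

    service: GSS service name such as "HTTP@thrift-host.example.com"
    (constructed placeholder). gss: module offering the pykerberos API,
    injectable so the logic can be exercised without a KDC.
    """
    if gss is None:
        import kerberos as gss  # pykerberos, imported only when needed
    _, ctx = gss.authGSSClientInit(service)
    try:
        gss.authGSSClientStep(ctx, "")
        token = gss.authGSSClientResponse(ctx)
        if not token:
            raise RuntimeError("no Kerberos token; is there a valid ticket?")
        return {"Authorization": "Negotiate " + token}
    finally:
        gss.authGSSClientClean(ctx)  # always release the GSS context


def hbase_call(url, service, method, *args, ca_file=None, gss=None):
    """Run one HBase Thrift call over verified HTTPS with a fresh token."""
    from thrift.transport import THttpClient
    from thrift.protocol import TBinaryProtocol
    from hbase.Hbase import Client

    http = THttpClient.THttpClient(url, ssl_context=verified_tls_context(ca_file))
    # the post notes a header is good for one call only, so rebuild it each time
    http.setCustomHeaders(negotiate_headers(service, gss))
    client = Client(TBinaryProtocol.TBinaryProtocol(http))
    try:
        return getattr(client, method)(*args)  # e.g. method="getTableNames"
    finally:
        http.close()
```

With a self-signed or internal CA, pass its PEM bundle as `ca_file` rather than turning verification off.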



@manjilhk Thanks for sharing this awesome solution using the THttpClient transport. Can you let us know which CDH version you are on?

In CDH6.x the TSaslClientTransport is working, but in the CDP starter version some code changed, causing this transport to fail to communicate with a secured cluster.

We have released a hotfix for this issue. If the KB below matches your issue, please raise a Cloudera case to apply for this hotfix, or you will need to wait for the future release 7.2.11, which will include this fix.

Please see this KB that I posted:


- Will Xiao, Support Engineer