connexion to hive with hortonworks odbc

v_yernaux · ‎09-06-2018

Hello,

I tried to connect hive from a windows server via odbc but without success.

My cluster hadoop is kerberized, hive port is 10000 and is open between windows and all the cluster (I did a telnet serverhive2 10000 and it works)

I download HortonworksHiveODBC64.msi and install it.

I tried a lot of combination of parameters on "hortons Hive ODBC Driver DSN setup", none of them works, for sample this setting:

give me this error:

[Hortonworks][Hardy] (34) Error from server: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied).

[Hortonworks][Hardy] (34) Error from server: SASL(0): successful result: .

what have I to do to set correctly my odbc driver

vmurakami · ‎09-06-2018

Hello @vincent yernaux!
Guess you've something wrong with your Kerberos credentials/configuration.
Are you able to do a kinit on windows? If so, did you check the krb5.conf, credentials?
For further details check the Appendix A of the documentation below:

https://hortonworks.com/wp-content/uploads/2013/04/Hortonworks-Hive-ODBC-Driver-User-Guide.pdf

Hope this helps!

v_yernaux · ‎09-07-2018

Hello,

that's possible, there is may be something wrong with my kerberos setting on the windows server. when I try kinit, I got this:

c:\Program Files\MIT\Kerberos\bin>set KRB5_CONFIG="C:\Program Files\MIT\Kerberos\"
c:\Program Files\MIT\Kerberos\bin>set KRB5CCNAME=%USERPROFILE%\krb5cache
c:\Program Files\MIT\Kerberos\bin>"c:\Program Files\MIT\Kerberos\bin\kinit.exe"
kinit.exe: Configuration file does not specify default realm when parsing name vyea

however, in c:\Program Files\MIT\kerberos\krb5.conf, I have this:

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = toto.org
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = c:\temp\krb5cache\krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
  interpol.int = TOTO.ORG
  .interpol.int = TOTO.ORG
[logging]
  default = FILE:c:\temp\krb5\krb5kdc.log
  admin_server = FILE:c:\temp\krb5\kadmind.log
  kdc = FILE:c:\temp\krb5\krb5kdc.log
[realms]
  TOTO.ORG = {
    admin_server = dcibs11
    kdc = TOTO.ORG
  }

(I changed my company name of course)

vmurakami · ‎09-07-2018

Hello @vincent yernaux.

Right, perhaps you need to add some parameters to your kinit command, e.g.:

kinit -kt /etc/security/keytabs/nifi.service.keytab nifi/vmurakami-1@EXAMPLE.COM

So in this case, I'm getting a session with a principal called nifi/vmurakami-1 which has a keytab in the /etc/security/keytabs/

And I'd try to check the Delegation UID field from the ODBC window.

Hope this helps

v_yernaux · ‎09-20-2018

Hello,
finally, I found a way to make it work.
jdbc/hive or odbchive had the same problem: no ticket kerberos.
I tried to connect hive from windows environment (AD) and I get the message: GSS initiate failed

The solution was to execute the kinit.exe from java binary (not the one from windows nor MIT).

connexion to hive with hortonworks odbc

connexion to hive with hortonworks odbc

Re: connexion to hive with hortonworks odbc

Re: connexion to hive with hortonworks odbc

Re: connexion to hive with hortonworks odbc

Re: connexion to hive with hortonworks odbc