
hive principal required in hive jdbc url


In a secure cluster, we need to pass the hive principal name (hive/_HOST@EXAMPLE.COM) in the jdbc url. Why is the hive principal name required? Can someone please help me by explaining it?

jdbc:hive2://zkhost:2181/db;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_HOST@EXAMPLE.COM;

documentation

https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSe...

Please note, while this may not be needed for zookeeper discovery mode, if the provided jdbc is HS2 based, then hive principal is a must.

6 REPLIES


To configure JDBC Clients for Kerberos Authentication with HiveServer2, they must include the principal of HiveServer2. Please see:

https://www.ibm.com/support/knowledgecenter/en/SSPT3X_3.0.0/com.ibm.swg.im.infosphere.biginsights.ad...

Yes, it is a must for Kerberos authentication, but why the HiveServer2 principal, and why not some other flag like authType=kerberos? The reason I ask this question: why are we expecting the "client" making the JDBC connection to know the HS2 principal name (which HS2 is already aware of, since it also resides in the secure cluster and would connect to the KDC to log in with the same principal)?

The presence of the hive principal in the URL basically tells the JDBC driver that the connection is made to a secure Kerberos cluster. Internally, it then consumes this and other connection params to create/establish a transport. In the case of dynamic discovery mode, some params, including this one, are stored in ZooKeeper and fetched, so it doesn't need to be mentioned in the client connection URL.

@Santhosh B Gowda

Here you go :), this should work.

beeline -u "jdbc:hive2://zk1:2181,zk2:2181,zk3:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_HOST@REALM"

@Santhosh B Gowda

This is more of a design on how the JDBC client needs to be configured with the principal name of HiveServer2 to make sure the auth type is Kerberos. Also, the authentication token would be for the user who has a valid Kerberos ticket while connecting from Beeline. For example,

kinit example_user@EXAMPLE.COM

jdbc:hive2://zkhost:2181/db;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_HOST@EXAMPLE.COM;

In this case, the authentication against the KDC would be for the user example_user, and the auth header would have KERBEROS by specifying the principal of HiveServer2.
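
Added example, not part of the thread and not the Hive driver's code: a simplified Python model of what the replies describe, where the `principal` session variable selects Kerberos and `_HOST` is expanded to the HiveServer2 host actually contacted, giving the service principal the client requests a ticket for. The function names and the `hs2.example.com`-style host names are assumptions made for illustration.

```python
# Added example: simplified model of how a client could interpret a HiveServer2
# JDBC URL. Not the Hive driver's code; function names are hypothetical.
import re

URL_RE = re.compile(r"^jdbc:hive2://(?P<hosts>[^/]*)/(?P<rest>.*)$")

def parse_hive_url(url):
    """Split a jdbc:hive2 URL into authority hosts, database and session vars."""
    m = URL_RE.match(url.strip())
    if not m:
        raise ValueError("not a jdbc:hive2 URL")
    # Drop the ?hive_conf and #hive_var tails; only session vars matter here.
    body = re.split(r"[?#]", m.group("rest"), maxsplit=1)[0]
    db, *pairs = body.split(";")
    session = {}
    for pair in pairs:
        if "=" in pair:
            key, value = pair.split("=", 1)
            session[key.strip()] = value.strip()
    hosts = [h for h in m.group("hosts").split(",") if h]
    return {"hosts": hosts, "db": db or "default", "session": session}

def describe_auth(url, hs2_fqdn):
    """Report the transport implied by the URL and the service principal the
    client would request a ticket for when connecting to hs2_fqdn."""
    session = parse_hive_url(url)["session"]
    principal = session.get("principal")
    discovery = session.get("serviceDiscoveryMode", "").lower() == "zookeeper"
    if principal is None:
        # No principal in the URL: in discovery mode it may still be fetched
        # from ZooKeeper; for a direct URL nothing signals Kerberos.
        mode = "deferred-to-zookeeper" if discovery else "non-kerberos"
        return {"mode": mode, "service_principal": None, "discovery": discovery}
    name, _, realm = principal.partition("@")
    service, _, instance = name.partition("/")
    if instance == "_HOST":
        # _HOST stands for the host actually contacted, in lower case.
        instance = hs2_fqdn.lower()
    spn = f"{service}/{instance}@{realm}"
    return {"mode": "kerberos", "service_principal": spn, "discovery": discovery}

# Constructed sample inputs (host names are placeholders).
ZK_URL = ("jdbc:hive2://zkhost:2181/db;serviceDiscoveryMode=zooKeeper;"
          "zooKeeperNamespace=hiveserver2;principal=hive/_HOST@EXAMPLE.COM;")
DIRECT_URL = "jdbc:hive2://hs2.example.com:10000/db"
```

Calling `describe_auth(DIRECT_URL, "hs2.example.com")` reports a non-Kerberos transport, which is the direct-URL case where the question says the principal is a must.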