About Steve206

Steve206 · ‎10-23-2019

Hi all, Figured it out and got it working. In addition to needing the /etc/krb5.conf I also needed the hive-site.xml and core-site.xml from the secure CDH cluster. Copied both hive-site.xml and core-site.xml to my local apache-hive-X-bin/conf/ directory. Thanks,

Steve206 · ‎10-18-2019

Hi Ganesh, I forgot to mention that my mac does have an active Kerberos ticket for my user account. Here is the output of the test. mac_laptop:opt user_name$ export KRB5_CONFIG=/etc/krb5.conf mac_laptop:opt user_name$ kdestroy mac_laptop:opt user_name$ kinit user1@CORP_DOMAIN password: mac_laptop:opt user_name$ klist Credentials cache: API:5CA7B7AE-1F94-4275-96A7-33EA33E17D38 Principal: uuser_name@CORP_DOMAIN Issued Expires Principal Oct 18 07:42:49 2019 Oct 18 17:42:43 2019 krbtgt/CORP_DOMAIN@CORP_DOMAIN mac_laptop:opt user_name$ beeline -u "jdbc:hive2://FQDN_HOSTNAME:10000/default;principal=hive/FQDN_HOSTNAME@REALM" readlink: illegal option -- f usage: readlink [-n] [file ...] scan complete in 3ms Connecting to jdbc:hive2://FQDN_HOSTNAME:10000/default;principal=hive/FQDN_HOSTNAME@REALM SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [jar:file:/Users/user_name/opt/apache-hive-1.1.0-bin/lib/hive-jdbc-1.1.0-standalone.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: Found binding in [jar:file:/Users/user_name/opt/hadoop-2.6.0/share/hadoop/common/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: See <a href="http://www.slf4j.org/codes.html#multiple_bindings" target="_blank">http://www.slf4j.org/codes.html#multiple_bindings</a> for an explanation. SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] 19/10/18 07:43:05 [main]: WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable Error: Could not open client transport with JDBC Uri: jdbc:hive2://FQDN_HOSTNAME:10000/default;principal=hive/FQDN_HOSTNAME@REALM: java.net.ConnectException: Connection refused (Connection refused) (state=08S01,code=0) Beeline version 1.1.0 by Apache Hive 0: jdbc:hive2://FQDN_HOSTNAME:10000 (closed)> Don't Know if this is important, but the CDH cluster is using a MIT KDC and our user accounts are in the corporate domain using Active Directory. We have a one-way trust established. I'm able to connect with Beeline from a CDH cluster node. When connecting with Beeline I can connect with a Kerberos ticket from the MIT KDC and from the corporate Active Directory. I'm using the same Active Directory user account to test connecting from my mac that I've successfully connected through beeline on a CDH cluster node. Thank you for the help!

Steve206 · ‎10-17-2019

Hello, My goal is provide documentation on remote access to Hive and we primarily use Mac in our department. I was able to install beeline based on the following blog, link I know beeline is working correctly as I’m able to connect to small CDH 5.14.2 cluster that does not have Kerberos or TLS enabled. When connecting to our Kerberos and TLS enable cluster, I get the following error message: readlink: illegal option -- f usage: readlink [-n] [file ...] scan complete in 2ms Connecting to jdbc:hive2://FQDN.HOST:10000/default;principal=hive/FQDN_HOSTNAME@REALM SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [jar:file:/Users/user_name/opt/apache-hive-1.1.0-bin/lib/hive-jdbc-1.1.0-standalone.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: Found binding in [jar:file:/Users/user_name/opt/hadoop-2.6.0/share/hadoop/common/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: See <a href="<a href="http://www.slf4j.org/codes.html#multiple_bindings" target="_blank">http://www.slf4j.org/codes.html#multiple_bindings</a>" target="_blank"><a href="http://www.slf4j.org/codes.html#multiple_bindings</a" target="_blank">http://www.slf4j.org/codes.html#multiple_bindings</a</a>> for an explanation. SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] 19/10/17 17:06:47 [main]: WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable Can't get Kerberos realm Beeline version 1.1.0 by Apache Hive 0: jdbc:hive2://FQDN.HOST:10000 (closed)> I copied over the /etc/krb5.conf from a data node to my mac and got a different error message: Connecting to jdbc:hive2://FQDN_HOSTNAME:10000/default;principal=hive/ FQDN_HOSTNAME@REALM SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [jar:file:/Users/user_name/opt/apache-hive-1.1.0-bin/lib/hive-jdbc-1.1.0-standalone.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: Found binding in [jar:file:/Users/user_name/opt/hadoop-2.6.0/share/hadoop/common/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: See <a href="<a href="http://www.slf4j.org/codes.html#multiple_bindings" target="_blank">http://www.slf4j.org/codes.html#multiple_bindings</a>" target="_blank"><a href="http://www.slf4j.org/codes.html#multiple_bindings</a" target="_blank">http://www.slf4j.org/codes.html#multiple_bindings</a</a>> for an explanation. SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] 19/10/17 20:47:59 [main]: WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable Error: Could not open client transport with JDBC Uri: jdbc:hive2://FQDN_HOSTNAME:10000/default;principal=hive/FQDN_HOSTNAME@REALM: java.net.ConnectException: Connection refused (Connection refused) (state=08S01,code=0) Beeline version 1.1.0 by Apache Hive 0: jdbc:hive2://FQDN_HOSTNAME:10000 (closed)> 0: jdbc:hive2://FQDN_HOSTNAME:10000 (closed)> show databases; 19/10/17 20:48:31 [main]: ERROR transport.TSaslTransport: SASL negotiation failure javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] Thank you for your time,

Steve206 · ‎06-13-2019

Hi Eric, The user= and password= parameters worked once I put the connection string in single quotes ' '. This is an example of what worked. [user@serverHostName ~]$ beeline -u 'jdbc:hive2://serverFQDN:10000/demo;ssl=true;sslTrustStore=/opt/jdk/hive.truststore.jks;trustStorePassword=trustPassword;user=testUser;password=testUserPassword' Double qoutes should work too. Thanks for the help!

Steve206 · ‎06-13-2019

Hi Eric, Thanks for the suggestion, but it didn't work. Below is output from trying and it shows that I'm able to login when prompted. [user@serverHostName ~]$ beeline -u jdbc:hive2://serverFQDN:10000/demo;ssl=true;sslTrustStore=/opt/jdk/hive.truststore.jks;trustStorePassword=trustPassword;user=testUser;password=testUserPassword scan complete in 2ms Connecting to jdbc:hive2://serverFQDN:10000/demo Unknown HS2 problem when communicating with Thrift server. Error: Could not open client transport with JDBC Uri: jdbc:hive2://serverFQDN:10000/demo: Invalid status 21 (state=08S01,code=0) Beeline version 1.1.0-cdh5.14.4 by Apache Hive beeline> !connect jdbc:hive2://serverFQDN:10000/demo;ssl=true;sslTrustStore=/opt/jdk/hive.truststore.jks;trustStorePassword=trustPassword Connecting to jdbc:hive2://serverFQDN:10000/demo;ssl=true;sslTrustStore=/opt/jdk/hive.truststore.jks;trustStorePassword=trustPassword Enter username for jdbc:hive2://serverFQDN:10000/demo;ssl=true;sslTrustStore=/opt/jdk/hive.truststore.jks;trustStorePassword=trustPassword: test_user Enter password for jdbc:hive2://serverFQDN:10000/demo;ssl=true;sslTrustStore=/opt/jdk/hive.truststore.jks;trustStorePassword=trustPassword: **************** Connected to: Apache Hive (version 1.1.0-cdh5.14.4) Driver: Hive JDBC (version 1.1.0-cdh5.14.4) Transaction isolation: TRANSACTION_REPEATABLE_READ 0: jdbc:hive2://serverFQDN:10000/demo> show databases; INFO : Compiling command(queryId=hive_20190613081212_d18016a9-24a0-48b4-9023-783382566773): show databases INFO : Semantic Analysis Completed INFO : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null) INFO : Completed compiling command(queryId=hive_20190613081212_d18016a9-24a0-48b4-9023-783382566773); Time taken: 0.669 seconds INFO : Concurrency mode is disabled, not creating a lock manager INFO : Executing command(queryId=hive_20190613081212_d18016a9-24a0-48b4-9023-783382566773): show databases INFO : Starting task [Stage-0:DDL] in serial mode INFO : Completed executing command(queryId=hive_20190613081212_d18016a9-24a0-48b4-9023-783382566773); Time taken: 0.299 seconds INFO : OK +----------------+--+ | database_name | +----------------+--+ | default | | demo | +----------------+--+ 2 rows selected (1.419 seconds) 0: jdbc:hive2://serverFQDN:10000/demo>

Steve206 · ‎06-11-2019

Hello everyone, I’m newer to Hive so I’m assuming that I’m doing something wrong. I’ve configured Hive to require LDAP BasedDN authentication (not AD) and configured TLS for HiveServer2. With beeline I’m able to authenticate with an interactive user prompt. For example: beeline> !connect jdbc:hive2://<serverName>:10000/default;ssl=true;sslTrustStore=<trustStorePath>.jks;trustStorePassword=<trustStorePassword> Login with username and password: Enter username for jdbc:hive2://… Enter password for jdbc:hive2://… What I would like to do is connect with username/password in the connection string. I see example to configure the connection string with TLS or username/password, but haven’t been able find an example of both. I’ve attempted combining settings and I’m doing something wrong. This is an example of what I've attempted: beeline -u jdbc:hive2://<serverName>:10000/default;ssl=true;sslTrustStore=<truststorePath>.jks;trustStorePassword=<trustStorePassword> -n User -w /home/User/passwordFile.txt or beeline -u jdbc:hive2://<serverName>:10000/default;ssl=true;sslTrustStore=<truststorePath>.jks;trustStorePassword=<trustStorePassword> -n User -p userPassword Thanks for the help,

Steve206 · ‎03-07-2019

Thank you for the confirmation. Yes, I'll make a feature request.

Steve206 · ‎03-07-2019

Thanks for the quick response. I'll look at enabling LDAPS before writing anything custom. I was being optimistic with only wanting to support StartTLS on OpenLDAP but we'll most likely come across another application at some point that only works with LDAPS.

Steve206 · ‎03-04-2019

Hi all, Currently using CDH 5.14.4 and looking to enable user authention on HiveServer2 using OpenLDAP. The two connection options I'm seeing are LDAP and LDAPS, but we currently don't have LDAPS configured with our OpenLDAP server. Hue supports LDAP with StartTLS so I figured Hive would too. I'm wondering if StartTLS is an option that I'm not finding documentation for or if its not supported. Thanks for your help!

Online	Offline
Last Visited	‎05-17-2023 02:14 PM

Member Since	‎04-18-2016 09:51 AM
Last Visited	‎05-17-2023 02:14 PM
Posts	11
Kudos received	1

Cloudera Community

Re: Remote beeline client from Mac to a secure CDH...

Re: Remote beeline client from Mac to a secure CDH...

Re: Remote beeline client from Mac to a secure CDH...

Remote beeline client from Mac to a secure CDH 5.1...

Re: Beeline TLS connection string with username an...

Re: Beeline TLS connection string with username an...

Beeline TLS connection string with username and pa...

Re: HiveServer2, is StartTLS an option for user au...

Re: HiveServer2, is StartTLS an option for user au...

HiveServer2, is StartTLS an option for user authen...