Configuring Hive Cloudera to use Kerberos authentication includes the following two steps:

  1. Configuring the Hive connection on the server machine
  2. Adding the connection in the ETL Validator client

 

Configuring Hive Cloudera Connection in ETL Validator Server


Generate Kerberos ticket (not needed for option KrbAuthType=1)


Generate the Kerberos ticket on the machine where ETL Validator Server is installed.

To do so, run the following command:

env KRB5_CONFIG=<KRB5 config File including path> kinit -kt <Keytab File including path> <Kerberos Principal>

In the command above,

  • KRB5 config File is the complete path to the krb5 config file.
  • Keytab File is the path to the keytab file that will be used for authentication.
  • Principal is a string value used for authentication.
  • kinit is the command provided by the Kerberos client on your machine. If you have the Java JDK installed on your machine, kinit can also be found in its \bin directory. First try running the command directly. If it is not found, give the complete path to kinit in the Java or Kerberos client installation.

If you are not sure of any of the details mentioned above, please contact your Hadoop administrator.


Configuring krb5 in Java

To configure krb5 in Java, perform the following steps:


  1. Download the unlimited strength cryptography package from the following website: https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
  2. Copy the package to the <JRE_HOME>/lib/security folder or the <JDK_HOME>/jre/lib/security folder that is being used by ETL Validator Server (Tomcat).
  3. Place your krb5.conf file in the path <App Server Context Directory>/<Parent Directory>/conf. The typical path for Tomcat 8.5 on Windows is <C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf>


Configuring jaas (to generate the ticket automatically)

To configure jaas, perform the following steps:

  1. Download the attached jaas.conf.
  2. Change the keytab file location and principal in jaas.conf according to your environment. These values are specific to your Cloudera installation.
  3. Place the jaas.conf file in the following directory: <App Server Context Directory>/<Parent Directory>/conf. The typical path for Tomcat 8.5 on Windows is <C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf>


Adding a Hive Cloudera Connection

To add a Hive Cloudera connection, perform the following steps:


  1. Start ETL Validator Client.
  2. Hover the mouse over the Database icon and select Hive Cloudera.
  3. In the New Data Source screen that appears, complete the following details:
    • Name. Enter the connection name for the Hive Cloudera database.
    • Connection URL. Enter the URL used to connect to Cloudera with Kerberos authentication. An example URL is given below:

jdbc:hive2://quickstart.cloudera:10000/default;AuthMech=1;principal=hive/quickstart.cloudera@CLOUDERA;ssl=1;KrbServiceName=hive;KrbHostFQDN=quickstart.cloudera;KrbRealm=CLOUDERA;sslTrustStore=D:/TrustStore/jssecacerts;trustStorePassword=changeit;proxyUser=username;KrbAuthType=1

In this example, the principal hive/quickstart.cloudera@CLOUDERA is divided into 3 parts.

a) hive, b) quickstart.cloudera and c) CLOUDERA

 

jdbc:hive2://<Host>:10000/default;AuthMech=1;principal=<Principal>;ssl=1;KrbServiceName=hive;KrbHostFQDN=<Host or Part 2 of principal>;KrbRealm=<Part3 of principal>;sslTrustStore=<SSL Trust store Location>;trustStorePassword=<trust Store Password>;proxyUser=<Impersonate user>;KrbAuthType=1

 

In the above URL:

ssl=1 is used when the machine is configured for SSL. If your environment is not configured for SSL, you can remove this property.

AuthMech=1 selects Kerberos authentication.

proxyUser is used to impersonate the user.

KrbAuthType=1 means the ticket is generated automatically using the given jaas.conf file. If you don't want the ticket to be generated automatically, there is no need to configure jaas.conf; keep KrbAuthType=0 in that case. You can find more information in the Cloudera JDBC driver documentation at the following link:


https://docs.cloudera.com/documentation/other/connectors/hive-jdbc/latest/Cloudera-JDBC-Driver-for-Apache-Hive-Install-Guide.pdf 

 

Note: There is no need to provide username and password for Kerberos authentication.
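
The mapping from the three parts of the principal to KrbServiceName, KrbHostFQDN and KrbRealm can be checked before a connection URL is saved. The following Python check is an added example, not code from ETL Validator or Cloudera; the sample URLs, host and realm are constructed, and matching property names case-insensitively is an assumption of the example.

```python
# Added example, not ETL Validator or Cloudera code: checks a Kerberos Hive JDBC URL.
PREFIX = "jdbc:hive2://"

def parse_props(url):
    """Return the ;key=value properties of the URL with lower-cased names."""
    if not url.startswith(PREFIX):
        raise ValueError("not a jdbc:hive2 URL")
    _head, *pairs = url[len(PREFIX):].split(";")
    props = {}
    for pair in filter(None, pairs):
        key, _sep, value = pair.partition("=")
        # Assumption of this example: property names match case-insensitively.
        props[key.strip().lower()] = value.strip()
    return props

def split_principal(principal):
    """Split service/host@REALM into (service, host, realm)."""
    name, at, realm = principal.rpartition("@")
    service, slash, fqdn = name.partition("/")
    if not (at and slash and service and fqdn and realm):
        raise ValueError(f"principal is not service/host@REALM: {principal!r}")
    return service, fqdn, realm

def check_url(url):
    """Return a list of findings; an empty list means the URL is consistent."""
    props = parse_props(url)
    findings = []
    if props.get("authmech") != "1":
        findings.append("AuthMech is not 1 (Kerberos)")
    service, fqdn, realm = split_principal(props.get("principal", ""))
    if props.get("krbservicename") != service:
        findings.append(f"KrbServiceName should be {service}")
    # Host names compare case-insensitively; Kerberos realm names do not.
    if props.get("krbhostfqdn", "").lower() != fqdn.lower():
        findings.append(f"KrbHostFQDN should be {fqdn}")
    if props.get("krbrealm") != realm:
        findings.append(f"KrbRealm should be {realm}")
    if props.get("ssl") != "1":
        findings.append("ssl=1 is not set")
    return findings

# Constructed sample URLs; host and realm are placeholders.
GOOD = (PREFIX + "hive01.example.com:10000/default;AuthMech=1;"
        "principal=hive/hive01.example.com@EXAMPLE.COM;ssl=1;KrbServiceName=hive;"
        "KrbHostFQDN=hive01.example.com;KrbRealm=EXAMPLE.COM;KrbAuthType=1")
BAD = GOOD.replace("KrbRealm=EXAMPLE.COM", "KrbRealm=example.com").replace(";ssl=1", "")

if __name__ == "__main__":
    for label, url in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_url(url) or "consistent")
```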


For more information, refer to pages 10 through 15 in the following document:

 

https://www.cloudera.com/documentation/other/connectors/hive-jdbc/latest/Cloudera-JDBC-Driver-for-Apache-Hive-Install-Guide.pdf