If the Hive wikidocs need improvement, please let me know what to change (or do it yourself if you have edit access). Thanks.
-- Lefty

On Thu, Feb 13, 2014 at 9:52 AM, Prasad Mujumdar <pras...@cloudera.com> wrote:

> On the client side, you need to run kinit manually. Beeline doesn't
> support getting TGT programmatically. You should ideally have a different
> userid for the client side. Also the hive command line tool (invoked
> directly as 'hive') is an embedded client that doesn't communicate with
> HiveServer2. You should always use beeline shell as client for HiveServer2.
> For example, the steps could be -
> 1) Add service principal and keytab in hive-site.xml, set authentication
>    to KERBEROS.
> 2) Start HiveServer2
> 3) On client side, kinit user1
> 4) run beeline
> 5) !connect jdbc:hive2://pg-server.foobar.com:10000/default;principal=hive/pg-server.foobar....@foobar.com
>
> thanks
> Prasad
>
> On Wed, Feb 12, 2014 at 8:18 AM, Anilkumar Kalshetti <anilkalshe...@gmail.com> wrote:
>
>> Hello Sir,
>>
>> Thanks for the reply,
>>
>> I want to configure Hive using kerberos authentication, and connect hive
>> with third party db tool, using hive service principal name.
>>
>> I am getting problem, while starting Hiveserver2, [Principal name and
>> Keytab file path is properly set in hive-default.xml file]
>> It shows message as
>>
>> ERROR transport.TSaslTransport: SASL negotiation failure
>>
>> javax.security.sasl.SaslException: GSS initiate failed [Caused by
>> GSSException: No valid credentials provided (Mechanism level: Failed to
>> find any Kerberos tgt)]
>>
>>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>>
>>     at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
>>
>> I guess, first I need to generate the TGT ticket, then I should start the
>> hiveserver2
>>
>> As TGT ticket is not generated, this error message is shown.
>>
>> before starting the server, TGT tickets should be generated.
>>
>> a]
>>
>> In PostgreSQL database
>>
>> >./psql -h pg-server.foobar.com template1 frank
>>
>> running above command, generates TGT ticket for postgres service
>> principal.
>>
>> b]
>>
>> In Hive, after executing the command
>>
>> >./hive -h pg-server.foobar.com default frank
>>
>> this command starts hiveserver in No Authentication mode, but doesn't
>> generate any TGT ticket
>>
>> Finding the proper command that generates the TGT ticket for Hive service
>> principal will be the solution.
>>
>> This type of command is not mentioned anywhere in cloudera documents.
>>
>> Hive service principal : hive/pg-server.foobar....@foobar.com
>>
>> *As per your suggestion*, I run the below kinit command, but it doesn't
>> generate any TGT Ticket
>>
>> [postgres@pg-server bin]$ *kinit -kt '/home/postgres/keytabs/hive.keytab' hive/pg-server.foobar....@foobar.com <pg-server.foobar....@foobar.com>*
>>
>> [postgres@pg-server bin]$ *klist*
>> Ticket cache: FILE:/tmp/krb5cc_501
>> Default principal: hive/pg-server.foobar....@foobar.com
>>
>> Valid starting     Expires            Service principal
>> 02/12/14 21:29:51  02/13/14 21:29:51  krbtgt/foobar....@foobar.com
>>         renew until 02/12/14 21:29:51
>>
>> *I am expecting, hive service principal will be listed running klist, but
>> it's not there.*
>>
>> Hive service principal : hive/pg-server.foobar....@foobar.com
>>
>> PFA for the hive-default.xml file and TerminalExceptionLog details.
>>
>> *If anything is wrong in above steps followed by me, will you please
>> share the detailed steps document [containing all small steps from start to
>> end] for configuring hive server using kerberos authentication.*
>>
>> *That will be really very helpful.*
>>
>> Thanks & Regards,
>>
>> Anil
>>
>> On 11 February 2014 23:27, Prasad Mujumdar <pras...@cloudera.com> wrote:
>>
>>> If you are talking about embedded Hive client (CLI), then all you
>>> need is to have a TGT in the ticket cache (ie run kinit before invoking
>>> Hive). The underlying hadoop client handles communication with secure
>>> Hadoop services. As long as the Hadoop related security configuration is
>>> in place, there's no other Hive specific setup required.
>>>
>>> If you are setting up secure HiveServer2, please refer to server
>>> <https://cwiki.apache.org/confluence/display/Hive/Setting+up+HiveServer2> and
>>> client
>>> <https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-JDBCClientSetupforaSecureCluster>
>>> configuration details are on Hive wiki.
>>>
>>> thanks
>>> Prasad
>>>
>>> On Tue, Feb 11, 2014 at 2:31 AM, Anilkumar Kalshetti <anilkalshe...@gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> Has anyone implemented Kerberos authentication for Apache Hive?
>>>>
>>>> Kerberos authentication for Hadoop is documented very well, and I am
>>>> able to do it.
>>>> Connecting databases like MongoDb, PostgreSQL using kerberos auth. is
>>>> quite straight-forward,
>>>> But there are missing links in documentation, which makes things
>>>> difficult for configuring apache hive using Kerberos authentication.
>>>>
>>>> Please reply, If someone has done this.
>>>>
>>>> Thanks
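
A preflight check for the five steps quoted above, as an added example that is not part of the original thread or of Hive: it verifies the HiveServer2 Kerberos properties in hive-site.xml, looks for a krbtgt entry in klist output, and builds the beeline `!connect` URL. The host `hs2.example.com`, realm `EXAMPLE.COM`, keytab path and both sample inputs are constructed placeholders, and the klist date format is assumed to match the output shown in the thread.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample inputs; host, realm and keytab path are placeholders.
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.authentication.kerberos.principal</name>
    <value>hive/hs2.example.com@EXAMPLE.COM</value></property>
  <property><name>hive.server2.authentication.kerberos.keytab</name>
    <value>/etc/hive/hive.keytab</value></property>
</configuration>"""

SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_501
Default principal: user1@EXAMPLE.COM

Valid starting     Expires            Service principal
02/12/14 21:29:51  02/13/14 21:29:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

PRINCIPAL_KEY = "hive.server2.authentication.kerberos.principal"
KEYTAB_KEY = "hive.server2.authentication.kerberos.keytab"

def load_props(hive_site_xml):
    """Parse hive-site.xml text into a {name: value} dict."""
    return {p.findtext("name"): (p.findtext("value") or "").strip()
            for p in ET.fromstring(hive_site_xml).iter("property")}

def server_config_problems(props):
    """Step 1: list what is missing from the HiveServer2 Kerberos settings."""
    problems = []
    if props.get("hive.server2.authentication", "").upper() != "KERBEROS":
        problems.append("hive.server2.authentication is not KERBEROS")
    for key in (PRINCIPAL_KEY, KEYTAB_KEY):
        if not props.get(key):
            problems.append(key + " is not set")
    return problems

def tgt_expiry(klist_output):
    """Step 3: expiry of the krbtgt entry in klist output, or None if no TGT."""
    m = re.search(r"^\S+ \S+\s+(\S+ \S+)\s+krbtgt/\S+$", klist_output, re.M)
    return datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S") if m else None

def beeline_url(props, port=10000, db="default"):
    """Step 5: build the !connect URL from the server principal hive/<host>@<REALM>."""
    principal = props[PRINCIPAL_KEY]
    host = principal.split("/", 1)[1].split("@", 1)[0]
    return "jdbc:hive2://%s:%d/%s;principal=%s" % (host, port, db, principal)
```

The `principal=` part of the URL is the server's service principal read from hive-site.xml, while the ticket cache holds the client user's TGT, so the two names differ.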