Kerberos Authentication


Important note: our Kerberos support uses a third-party library to provide cross-platform Kerberos authentication, using GSSAPI on Linux/Mac and SSPI on Windows. Linux and Mac each have prerequisites:

for Linux:

  • python v2.7
  • make
  • A proper C/C++ compiler toolchain, like GCC
  • Distribution-specific kerberos packages (e.g. krb5-dev on Ubuntu)

and for Mac:

  • Xcode Command Line Tools: Can be installed with xcode-select --install
  • Distribution-specific kerberos packages (e.g. krb5 on Homebrew)


If issues are encountered, it is generally a good idea to first validate that the whole environment has been set up correctly by connecting with Beeline.  You may need to obtain a valid Kerberos ticket before attempting a connection to HiveServer2; this is done by running kinit from a terminal (Linux/Mac) or a command line (Windows):

[example_user@host ~] $ $BIGINSIGHTS_HOME/jdk/jre/bin/kinit -k -t /home/example_user/example_user.keytab example_user@YOUR-REALM.COM


Hackolade can connect via Kerberos authentication only through "binary" transport mode and with Quality of Protection (QOP) values "auth", "auth-int", or "auth-conf", as per RFC 1964 section 4.2.


The Kerberos configuration in hive-site.xml must include these properties:

<property>
  <name>hive.metastore.sasl.enabled</name>
  <value>true</value>
  <description>If true, the metastore Thrift interface will be secured with SASL. Clients must authenticate with Kerberos.</description>
</property>

<property>
  <name>hive.server2.authentication</name>
  <value>KERBEROS</value>
</property>

<property>
  <name>hive.server2.thrift.sasl.qop</name>
  <value>auth</value>
  <description>value could also be auth-int or auth-conf</description>
</property>

<property>
  <name>hive.server2.authentication.kerberos.principal</name>
  <value>KERBEROS_SERVICE_PRINCIPAL</value>
  <description>the format of the service principal is service/&lt;fully qualified domain name of instance&gt;@&lt;REALM&gt;</description>
</property>

<property>
  <name>hive.server2.authentication.kerberos.keytab</name>
  <value>KERBEROS_KEYTAB</value>
  <description>keytab looks like /etc/hive/conf/hive.keytab</description>
</property>


Where:

- KERBEROS_SERVICE_PRINCIPAL is the Kerberos service principal of the Hive instance (format: <service>/<instance>@REALM)

- KERBEROS_KEYTAB is the keytab file for that Kerberos principal
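As an added sanity check (not Hackolade's or Hive's own code), the script below parses a hive-site.xml and verifies the five properties above against what this page requires: SASL enabled, KERBEROS authentication, a QOP of auth/auth-int/auth-conf, a principal of the form service/fqdn@REALM, and an absolute keytab path. The embedded sample document, its hostname and realm are constructed.

```python
import re
import xml.etree.ElementTree as ET

# QOP values the page says Hackolade accepts (RFC 1964 section 4.2 names)
ALLOWED_QOP = {"auth", "auth-int", "auth-conf"}
# service/<fully qualified domain name>@<REALM>, with the realm in uppercase
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+\.[^/@\s]+@[A-Z0-9.-]+$")

def parse_properties(xml_text):
    """Map <name> to <value> for every <property> in a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props

def check_hive_site(xml_text):
    """Return findings; an empty list means the Kerberos settings match the page."""
    p = parse_properties(xml_text)
    findings = []
    if p.get("hive.metastore.sasl.enabled", "").lower() != "true":
        findings.append("hive.metastore.sasl.enabled must be true")
    if p.get("hive.server2.authentication", "").upper() != "KERBEROS":
        findings.append("hive.server2.authentication must be KERBEROS")
    qop = p.get("hive.server2.thrift.sasl.qop")
    if qop not in ALLOWED_QOP:
        findings.append(f"hive.server2.thrift.sasl.qop {qop!r} not in {sorted(ALLOWED_QOP)}")
    principal = p.get("hive.server2.authentication.kerberos.principal", "")
    if not PRINCIPAL_RE.match(principal):
        findings.append(f"principal {principal!r} is not service/fqdn@REALM")
    if not p.get("hive.server2.authentication.kerberos.keytab", "").startswith("/"):
        findings.append("hive.server2.authentication.kerberos.keytab must be an absolute path")
    return findings

# Constructed sample hive-site.xml: everything right except a QOP Hackolade rejects
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.metastore.sasl.enabled</name><value>true</value></property>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.thrift.sasl.qop</name><value>none</value></property>
  <property><name>hive.server2.authentication.kerberos.principal</name>
    <value>hive/hs2.example.com@EXAMPLE.COM</value></property>
  <property><name>hive.server2.authentication.kerberos.keytab</name>
    <value>/etc/hive/conf/hive.keytab</value></property>
</configuration>"""

if __name__ == "__main__":
    for line in check_hive_site(SAMPLE_HIVE_SITE) or ["Kerberos configuration OK"]:
        print(line)
```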


The corresponding settings in Hackolade would be:



User name: don't forget to put the username in UPPERCASE and to reference the REALM.  In Windows, the username might be your Windows login.

Service name: enter the service name as provided by the administrator.

Kerberos host: enter the FQDN (fully qualified domain name)



The krb5 library uses MIT Kerberos software. To make it work, set up the Kerberos client: create a krb5.conf and create the environment variable KRB5_CONFIG pointing to the path of that krb5.conf, then restart the PC. If MIT Kerberos is able to retrieve a ticket, then Hackolade should as well.


Currently, the krb5 library with a keytab is used only in HTTP mode to retrieve a SPNEGO token.