    Kerberos Authentication

     

    Important note: our Kerberos support uses a third-party library to provide cross-platform Kerberos authentication, using GSSAPI on Linux/Mac and SSPI on Windows. Each platform has its own prerequisites, listed below for Linux, Mac, and Windows.

    for Linux:

    • python v2.7
    • make
    • A proper C/C++ compiler toolchain, like GCC
    • Distribution-specific kerberos packages (e.g. krb5-dev on Ubuntu)

    for Mac:

    • Xcode Command Line Tools: Can be installed with xcode-select --install
    • Distribution-specific kerberos packages (e.g. krb5 on Homebrew)

     

    If issues are encountered, it is generally a good idea to first validate that the whole environment has been set up correctly by connecting with Beeline.  You may also need to obtain a valid Kerberos ticket before you attempt a connection to HiveServer2.  This can be done by running kinit from a terminal (Linux/Mac) or a command prompt (Windows):

    [example_user@host ~] $ $BIGINSIGHTS_HOME/jdk/jre/bin/kinit -k -t /home/example_user/example_user.keytab example_user@YOUR-REALM.COM

     

    For Windows:

    * Download MIT Kerberos for Windows 4.1 from this page.

    * Launch the installation wizard

    * Accept the License agreement

    * Choose Setup Type '''Custom''', as by default the installer does not install the components we need.

    * In the Custom Setup customization screen, expand the tree by clicking on Kerberos for Windows.  You should see a red cross in front of the SDK line.  Click on the red cross box icon and select the option '''Will be installed on local hard drive'''.

    * Proceed with the installation

     

    Alternatively you can also install this third party library using the [Chocolatey package manager](https://chocolatey.org) and the following command line in a PowerShell window:

    choco install mitkerberos --install-arguments="ADDLOCAL=all"

     

     

    Hackolade can connect via Kerberos authentication only through "binary" transport mode and with one of the Quality of Protection (QOP) values "auth", "auth-int", or "auth-conf", as per RFC 1964 section 4.2.

     

    The Kerberos configuration in hive-site.xml must include these properties:

    <property>
      <name>hive.metastore.sasl.enabled</name>
      <value>true</value>
      <description>If true, the metastore Thrift interface will be secured with SASL. Clients must authenticate with Kerberos.</description>
    </property>

    <property>
      <name>hive.server2.authentication</name>
      <value>KERBEROS</value>
    </property>

    <property>
      <name>hive.server2.thrift.sasl.qop</name>
      <value>auth</value>
      <description>value could also be auth-int or auth-conf</description>
    </property>

    <property>
      <name>hive.server2.authentication.kerberos.principal</name>
      <value>KERBEROS_SERVICE_PRINCIPAL</value>
      <description>the format of the service principal is service/&lt;fully qualified domain name of instance&gt;@&lt;REALM&gt;</description>
    </property>

    <property>
      <name>hive.server2.authentication.kerberos.keytab</name>
      <value>KERBEROS_KEYTAB</value>
      <description>keytab looks like /etc/hive/conf/hive.keytab</description>
    </property>

     

    Where:

    - KERBEROS_SERVICE_PRINCIPAL is the Kerberos service principal of the Hive instance (format: <service>/<instance>@REALM)

    - KERBEROS_KEYTAB is the keytab file for that Kerberos principal
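    A small pre-flight check, added here as an example (it is not part of Hackolade or Hive), that parses a hive-site.xml and verifies the properties listed above: SASL is enabled, authentication is KERBEROS, the QOP is one of auth, auth-int or auth-conf, the service principal has the service/FQDN@REALM shape, and a keytab is set. The sample XML, its hostname, realm and keytab path are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
# QOP values Hackolade accepts (RFC 1964 section 4.2), and the fixed-value properties
VALID_QOP = {"auth", "auth-int", "auth-conf"}
REQUIRED = {"hive.metastore.sasl.enabled": "true", "hive.server2.authentication": "KERBEROS"}
# service/<fully qualified domain name>@<REALM>: host must contain a dot, realm is upper case
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+\.[^/@\s]+@[A-Z0-9.-]+$")

def parse_hive_site(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def check_kerberos_config(props):
    """Return a list of problems; an empty list means the documented requirements are met."""
    problems = []
    for name, expected in REQUIRED.items():
        actual = props.get(name)
        if actual is None:
            problems.append("missing %s" % name)
        elif actual.lower() != expected.lower():
            problems.append("%s is %r, expected %r" % (name, actual, expected))
    qop = props.get("hive.server2.thrift.sasl.qop")
    if qop not in VALID_QOP:
        problems.append("hive.server2.thrift.sasl.qop %r must be auth, auth-int or auth-conf" % qop)
    principal = props.get("hive.server2.authentication.kerberos.principal", "")
    if not PRINCIPAL_RE.match(principal):
        problems.append("principal %r is not of the form service/fqdn@REALM" % principal)
    if not props.get("hive.server2.authentication.kerberos.keytab"):
        problems.append("missing hive.server2.authentication.kerberos.keytab")
    return problems

# Constructed sample hive-site.xml (hostname, realm and keytab path are placeholders)
SAMPLE_OK = """<configuration>
  <property><name>hive.metastore.sasl.enabled</name><value>true</value></property>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.thrift.sasl.qop</name><value>auth-conf</value></property>
  <property><name>hive.server2.authentication.kerberos.principal</name>
    <value>hive/hs2.example.internal@EXAMPLE.COM</value></property>
  <property><name>hive.server2.authentication.kerberos.keytab</name>
    <value>/etc/hive/conf/hive.keytab</value></property>
</configuration>"""
# Same file with two common mistakes: a misspelt QOP and a principal without the host part
SAMPLE_BAD = (SAMPLE_OK.replace("auth-conf", "auth-config")
              .replace("hive/hs2.example.internal@EXAMPLE.COM", "hive@EXAMPLE.COM"))
```

    Run check_kerberos_config(parse_hive_site(open("hive-site.xml").read())) against the real file; the two constructed samples show a passing config and the two error messages a typo produces.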

     

    The corresponding settings in Hackolade would be:

     

    (Screenshot: Hive - Kerberos Authentication settings)

     

    User name: don't forget to put the username in UPPERCASE and to reference the REALM.  On Windows, the username might be your Windows login.

    Service name: enter the service name as provided by the administrator.

    Kerberos host: enter the FQDN, or "fully qualified domain name", of the Kerberos host.

     

     

    The krb5 library uses MIT Kerberos software. To make it work, you must set up the Kerberos client: create a krb5.conf and set the environment variable KRB5_CONFIG to the path of that krb5.conf, then restart the PC. If MIT Kerberos is able to retrieve a ticket, Hackolade should be able to as well.

     

    Currently, the krb5 library with a keytab is used only in HTTP mode, to retrieve the SPNEGO token.