1

I wrote a Java application to connect with hive-metastore. It works fine, but when I run the jar file on Linux it asks for a Kerberos username and password. I already specified the Kerberos principal and keytab file in my code, and I don't want to use an additional jaas.config file. Is there any way to resolve that problem?

Here is my source code

    HiveConf conf = new HiveConf();
    MetastoreConf.setVar(conf, ConfVars.THRIFT_URIS, "thrift://HOSTNAME:9083");
    MetastoreConf.setBoolVar(conf, ConfVars.USE_THRIFT_SASL, true);
    MetastoreConf.setVar(conf, ConfVars.KERBEROS_PRINCIPAL, "hive/HOSTNAME@example.com");
    MetastoreConf.setVar(conf, ConfVars.KERBEROS_KEYTAB_FILE, "hive.keytab");
    System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
    System.setProperty("java.security.krb5.kdc", "HOSTNAME");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    HiveMetaStoreClient client = new HiveMetaStoreClient(conf);
    client.close();     

Expected Result- It should verify the connection successfully

Actual result:

    java -jar Application
    Kerberos username [root]: Kerberos password [root]:

I want to bypass this Kerberos terminal prompt authentication. Is there any way to do that?

UDIT JOSHI
  • The "principal/keytab" properties you are passing are used by the **service** to authenticate itself. The client app must have its own Kerberos ticket, with its own user -- here the client lib picks up the Linux account by default. – Samson Scharfrichter Apr 24 '19 at 05:44
  • Google for a tutorial about Metastore connections with Kerberos, and/or about the `UserGroupInformation` static object (UGI) that Hadoop uses as a wrapper for Kerberos authentication. – Samson Scharfrichter Apr 24 '19 at 05:45
  • Can't we do the service and client authentication both in the same programme? – UDIT JOSHI Apr 25 '19 at 04:27
  • I also tried this for client authentication: `UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab("principal", "keytab");` but it doesn't work – UDIT JOSHI Apr 25 '19 at 04:27
  • _"it doesn't work"_ gives very little information... – Samson Scharfrichter Apr 25 '19 at 07:14
  • Caused by: javax.security.auth.login.LoginException: Cannot locate KDC at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at – UDIT JOSHI Apr 25 '19 at 10:40
  • _"Cannot locate KDC"_ means your `/etc/krb5.conf` Kerberos config is missing, or does not cover the realm where your Principal is defined. – Samson Scharfrichter Apr 25 '19 at 12:11
  • Ah, you use that shitty property `java.security.krb5.kdc` instead of a regular Kerberos config >> good luck with that. – Samson Scharfrichter Apr 25 '19 at 12:13
  • `configuration.set("java.security.krb5.conf", "/etc/krb5.conf");` still gives the same error – UDIT JOSHI Apr 26 '19 at 02:48

1 Answer

2
    final String user = "hive/HOSTNAME@EXAMPLE.COM";
    final String keyPath = "hive.keytab";

    // Tell Hadoop's security layer to use Kerberos.
    Configuration conf = new Configuration();
    System.out.println("In case of kerberos authentication");
    conf.set("hadoop.security.authentication", "kerberos");
    System.setProperty("java.security.krb5.kdc", "HOSTNAME");
    System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");

    // Log the client in from the keytab, so no terminal prompt is needed.
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromKeytab(user, keyPath);

    // Connect to the metastore as the logged-in user.
    HiveConf conf1 = new HiveConf();
    MetastoreConf.setVar(conf1, ConfVars.THRIFT_URIS, "thrift://HOSTNAME:9083");
    HiveMetaStoreClient client = new HiveMetaStoreClient(conf1);
    client.close();

It works fine now.

UDIT JOSHI
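
Added example (not code from the question or the answer, and not Hadoop's own code): a pure-JDK keytab login that builds its JAAS entry in memory, so no jaas.conf file is needed, and sets `doNotPrompt` so a failed login raises an exception instead of asking for a username and password on the terminal. The principal `client@EXAMPLE.COM` and keytab `client.keytab` are placeholders, and `/etc/krb5.conf` is assumed to define the realm and its KDC.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class KeytabLogin {
    // Build the JAAS entry in memory instead of reading a jaas.conf file.
    static Configuration keytabConfig(String principal, String keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true"); // fail fast, never ask on the terminal
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values (assumptions): pass the real principal and keytab as arguments.
        String principal = args.length > 0 ? args[0] : "client@EXAMPLE.COM";
        String keytab = args.length > 1 ? args[1] : "client.keytab";
        // Assumes a regular Kerberos config that covers the principal's realm.
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");

        LoginContext lc = new LoginContext("keytab-login", null, null,
                keytabConfig(principal, keytab));
        lc.login(); // throws LoginException if the keytab or KDC cannot be used
        Subject subject = lc.getSubject();
        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            // JGSS/SASL code run here can use the Subject's Kerberos credentials.
            System.out.println("Authenticated as " + subject.getPrincipals());
            return null;
        });
        lc.logout();
    }
}
```

For Hadoop and Hive clients, `UserGroupInformation.loginUserFromKeytab` as used in the answer remains the call to make, because those libraries read their credentials from UGI.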