
We have an HDP (3.1.0) cluster with Hive (3.0.0.3.1). The cluster is Kerberised.

I am trying to connect to Hive with DbVisualizer, without success. The client (where I am using DbVisualizer from) is a CentOS 7 machine.


Kerberos related

On the client, here is the /etc/krb5.conf (copy/paste from one of the cluster's machines):

cat krb5.conf

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = COMPANY.LOC
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]
  COMPANY.LOC = COMPANY.LOC

[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  COMPANY.LOC = {
    admin_server = server.company.loc
    kdc = server.company.loc
  }

I used kinit and here is the result of klist:

[florianc@localhost etc]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: castelainf@COMPANY.LOC

Valid starting       Expires              Service principal
07/24/2020 09:12:03  07/24/2020 19:12:03  krbtgt/COMPANY.LOC@COMPANY.LOC
    renew until 07/31/2020 09:11:59

DbVisualizer

Version: 11.0.4 (free)

Tools>Tool Properties>Specify overridden Java VM Properties here:

-Dsun.security.krb5.debug=true
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.krb5.conf="/etc/krb5.conf"

The JAR used for the driver is the one provided by the cluster in Ambari>Hive>JDBC Standalone jar

The database URL of the connection is:

jdbc:hive2://server1.company.loc:2181,server2.company.loc:2181,server3.company.loc:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_HOST@COMPANY.LOC

The error returned when trying to connect is the following:

Could not open client transport for any of the Server URI's in ZooKeeper: Can't get Kerberos realm

Edit 1

Using these URIs:

jdbc:hive2://server1.company.loc:2181/;principal=hive/_HOST@COMPANY.LO
jdbc:hive2://server1.company.loc:2181/;principal=hive/server1@COMPANY.LOC
jdbc:hive2://server1.company.loc:2181/;principal=hive/server1.company.loc@COMPANY.LOC

Always returns:

Could not open client transport with JDBC Uri <URI>: Can't get Kerberos realm
Itération 122442
  • On the client, change to *dns_lookup_realm = true* and *dns_lookup_kdc = true* inside /etc/krb5.conf, and restart DbVisualizer. – T-Heron Jul 24 '20 at 11:58
  • @T-Heron Unfortunately, the result is the very same with your recommendations. – Itération 122442 Jul 24 '20 at 12:09
  • Can you connect directly to one of the HS2 instances, without going through ZooKeeper (which is a nightmare to troubleshoot)? At least you would get error messages a little bit more significant. – Samson Scharfrichter Jul 24 '20 at 12:27
  • Under `[domain_realm]` it is common to see `company.loc = COMPANY.LOC` with the network domain in **lowercase** -- plus an entry with `.company.loc = COMPANY.LOC` (I guess there is a reason for that) – Samson Scharfrichter Jul 24 '20 at 12:29
  • @SamsonScharfrichter Hi. I have edited the question to answer your recommendation about not using zookeeper. Concerning the krb5.conf, the file I have is the one located on one of the machines of the cluster. I'm not very familiar with Kerberos, but am I not supposed to leave it as is? – Itération 122442 Jul 24 '20 at 14:40
  • Since you already have `java.security.krb5.conf` property that makes it possible for you to **test changes in a custom copy of `krb5.conf`**, why don't you just make some tests? Do you need authorization from your management?!? :-0 – Samson Scharfrichter Jul 26 '20 at 21:35
  • @SamsonScharfrichter I can change the file on client side, but I have no right on server sides. Also, why would it work with the other machines and not on this one? – Itération 122442 Jul 27 '20 at 06:14
  • _" why would it work with the other machines and not on this one"_ > does DBVis work on other machines? or is it rather "why does it work with the **C implementation** of Kerberos (e.g. `kinit`) and not with the **Java implementation** that your SysAdmins probably never tested on any server outside of Hadoop nodes?" – Samson Scharfrichter Jul 27 '20 at 16:55
  • _"I have no right on server sides"_ > that's the point of `java.security.krb5.conf` -- being able to point to a custom file. Using it to point to the hard-coded Linux default, like you do, is useless. – Samson Scharfrichter Jul 27 '20 at 16:58
  • @SamsonScharfrichter The other machines are GUI-less. So no DbVis there. Moreover, the krb5.conf I use is not the default one, it is the one I copy pasted from the cluster nodes. – Itération 122442 Jul 28 '20 at 06:05
  • Whoops: to be more specific: The machines of the cluster are GUI-less. Concerning DbVis, I tested on other machines with colleagues, same problem. – Itération 122442 Jul 28 '20 at 06:07
  • And you refuse to make tests on `[domain_realm]` settings because...? – Samson Scharfrichter Jul 28 '20 at 16:30
  • @SamsonScharfrichter Never refused (unless we have a different dictionary...). Only asking questions... – Itération 122442 Jul 29 '20 at 06:07
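
The `[domain_realm]` convention raised in the comments above, as an added example (not code from the thread): a Python model of a host-to-realm lookup, run on a constructed, trimmed copy of the question's krb5.conf with and without the suggested lowercase entries. The lookup order (exact host, then each parent domain with and without a leading dot) and the case-sensitive key comparison are assumptions of this sketch; the thread does not establish whether this is the cause of the error.

```python
import re

# Constructed, trimmed copy of the question's krb5.conf
QUESTION_CONF = """\
[libdefaults]
  default_realm = COMPANY.LOC
[domain_realm]
  COMPANY.LOC = COMPANY.LOC
"""
# The same file plus the two lowercase entries suggested in the comments
SUGGESTED_CONF = QUESTION_CONF + "  company.loc = COMPANY.LOC\n  .company.loc = COMPANY.LOC\n"

def domain_realm(text):
    """Return the entries of the [domain_realm] section as a dict."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            entries[key] = value
    return entries

def candidates(host):
    """Exact host first, then each parent domain with and without the leading dot."""
    host = host.lower()
    keys = [host]
    for i, ch in enumerate(host):
        if ch == "." and 0 < i < len(host) - 1:
            keys += [host[i:], host[i + 1:]]
    return keys

def host_to_realm(text, host):
    """Return (matched key, realm), or None when no [domain_realm] entry matches."""
    entries = domain_realm(text)
    for key in candidates(host):
        if key in entries:  # case-sensitive comparison (assumption of this sketch)
            return key, entries[key]
    return None

def uppercase_keys(text):
    """Flag [domain_realm] names that are not written in lowercase."""
    return [key for key in domain_realm(text) if key != key.lower()]
```

Pointing `-Djava.security.krb5.conf` at a private copy of the file, as the comments propose, lets either variant be tried without touching the cluster nodes.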
