String driverName = "com.cloudera.hive.jdbc4.HS2Driver";
// Hadoop client configuration (org.apache.hadoop.conf.Configuration)
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab("****@***.***.COM","etc/****.keytab");
Class.forName(driverName);
info("Getting Connection");
Connection con = DriverManager.getConnection("jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive");
info("Got Connection");
18:47:51,894 ERROR [1] Error in section Run at line unknown. An unexpected exception occurred in the script. Script section: Run. Caused by: LoginException occured. Unable to obtain Princpal Name for authentication
java.sql.SQLException: [Simba][HiveJDBCDriver](500164) Error initialized or created transport for authentication: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE.
at com.cloudera.hive.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hive.hive.api.ExtendedHS2Factory.createClient(Unknown Source)
at com.cloudera.hive.hivecommon.core.HiveJDBCConnection.connect(Unknown Source)
at com.cloudera.hive.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.hive.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:582)
at java.sql.DriverManager.getConnection(DriverManager.java:207)
at script.run(script.java:85)
at oracle.oats.scripting.modules.basic.api.IteratingVUser.run(IteratingVUser.java:351)
at oracle.oats.scripting.modules.basic.api.internal.IteratingAgent.run(IteratingAgent.java:801)
Caused by: com.cloudera.hive.support.exceptions.GeneralException: [Simba][HiveJDBCDriver](500164) Error initialized or created transport for authentication: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE.
... 10 more
Caused by: com.cloudera.hive.support.exceptions.GeneralException: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE
... 10 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:733)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
at com.cloudera.hive.jdbc.kerberos.Kerberos.getSubjectViaTicketCache(Unknown Source)
at com.cloudera.hive.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hive.hive.api.ExtendedHS2Factory.createClient(Unknown Source)
at com.cloudera.hive.hivecommon.core.HiveJDBCConnection.connect(Unknown Source)
at com.cloudera.hive.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.hive.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:582)
at java.sql.DriverManager.getConnection(DriverManager.java:207)
at script.run(script.java:85)
at oracle.oats.scripting.modules.basic.api.IteratingVUser.run(IteratingVUser.java:351)
at oracle.oats.scripting.modules.basic.api.internal.IteratingAgent.run(IteratingAgent.java:801)
at java.lang.Thread.run(Thread.java:619)
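Best answer
The Hive JDBC drivers do not use the Hadoop Auth library, because they are supposed to be able to connect from outside the cluster, with minimal dependencies on Hadoop libraries.
So, in practice, your UGI setup is ignored.
But the Hive JDBC drivers use the Thrift client library, which supports raw JAAS configuration for Kerberos authentication.
Example using system properties on the command line: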
java -Djava.security.krb5.conf=/etc/krb5.conf \
-Djava.security.auth.login.config=./my_jaas.conf \
*****
Example "my_jaas.conf" for getting a private Kerberos ticket (not reading from the cache, not writing to the cache) with the password supplied in a keytab file:
com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule
  required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:/some/path/to/my_login.keytab"
  principal="my_login@MY.REALM"
  debug=true;
};
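Note that the syntax above is valid for Sun/Oracle JDK and OpenJDK, but not for IBM JDK, which uses a different syntax...
It does not work either with the DataDirect connectors (shipped with Oracle, IBM, Microstrategy, etc.), which require a specific "Subject" in the session.
And that's it. When the JDBC driver detects that the URL requests a Kerberos connection, it automatically invokes JAAS, which handles the dirty work.
PS: debugging security configuration issues is a pain, but you have a couple of properties to enable debug traces: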
-Dsun.security.krb5.debug=true
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
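An added example, not part of the original answer: a pre-flight check that parses a JAAS file of the kind shown above with the JDK's own parser and reports settings that would prevent a non-interactive keytab login. The class name JaasLint, the issue messages and the sample file (principal omitted, keytab path nonexistent) are constructed for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.URIParameter;
import java.util.*;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class JaasLint {
    // Entry name used by the my_jaas.conf in the answer.
    static final String ENTRY = "com.sun.security.jgss.krb5.initiate";

    static List<String> lint(Path jaasFile) throws Exception {
        List<String> issues = new ArrayList<>();
        // Parse with the JDK's own JAAS file parser (Sun/Oracle JDK and OpenJDK syntax).
        Configuration cfg = Configuration.getInstance(
                "JavaLoginConfig", new URIParameter(jaasFile.toUri()));
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(ENTRY);
        if (entries == null) {
            issues.add("no entry named " + ENTRY);
            return issues;
        }
        for (AppConfigurationEntry e : entries) {
            Map<String, ?> o = e.getOptions();
            if (!"true".equals(o.get("useKeyTab"))) issues.add("useKeyTab is not true");
            if (!"true".equals(o.get("doNotPrompt"))) issues.add("doNotPrompt is not true");
            if (o.get("principal") == null) issues.add("principal is missing");
            String kt = (String) o.get("keyTab");
            if (kt == null) { issues.add("keyTab is missing"); continue; }
            // The answer's file uses a file: URL; a plain path is accepted too.
            Path p = kt.startsWith("file:") ? Paths.get(URI.create(kt)) : Paths.get(kt);
            if (!Files.isReadable(p)) issues.add("keytab not readable: " + p);
        }
        return issues;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: principal omitted and keytab path nonexistent on purpose.
        String conf = String.join("\n",
            ENTRY + " {",
            "  com.sun.security.auth.module.Krb5LoginModule required",
            "  useTicketCache=false doNotPrompt=true useKeyTab=true",
            "  keyTab=\"file:/nonexistent/my_login.keytab\"",
            "  debug=true;",
            "};");
        Path f = Files.createTempFile("my_jaas", ".conf");
        Files.write(f, conf.getBytes(StandardCharsets.UTF_8));
        lint(f).forEach(System.out::println);
        Files.delete(f);
    }
}
```

The check only reads the configuration and the filesystem; it does not contact a KDC, so a clean result still needs to be confirmed with a real login and the debug properties listed above.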
About jdbc - Not able to connect to HIVE with protected kerberos. I am using UserGroupInformation.loginUserFromKeytab(): we found a similar question on Stack Overflow: https://stackoverflow.com/questions/38768664/