IBM InfoSphere BigInsights Version 3.0

Accessing Hive with Kerberos authentication

Depending on your Hive JDBC server configuration, you can access Hive with a user ID and password, or Kerberos authentication.

About this task

The Hive JDBC server is configured with user ID and password authentication if the hive.server2.authentication property is set to CUSTOM and hive.server2.custom.authentication.class is set to org.apache.hive.service.auth.WebConsoleAuthenticationProviderImpl in the hive-site.xml file. For more information, see Configuring Hive authorization and authentication.

The Hive JDBC server is configured with Kerberos authentication if the hive.server2.authentication property is set to KERBEROS in the hive-site.xml file.

Procedure

  1. To configure JDBC Clients for Kerberos Authentication with HiveServer2, they must include the principal of HiveServer2 (principal=<HiveServer2-Kerberos-Principal>) in the JDBC connection string. For example:
    String url = "jdbc:hive2://hive2_host:10000/default;principal=hive/hive2_host@YOUR-REALM.COM"
    Connection con = DriverManager.getConnection(url);
  2. The client applications (Hive beeline and JDBC Java™ client) must have a valid Kerberos ticket before you initiate a connection to HiveServer2.
    1. Access Hive from beeline.
      [example_user@host ~] $ $BIGINSIGHTS_HOME/jdk/jre/bin/kinit example_user@IBM.COM
      [example_user@host ~] $ $BIGINSIGHTS_HOME/hive/bin/beeline
      beeline> !connect jdbc:hive2://hive2_host:10000/default;principal=hive/hive2_host@YOUR-    
      REALM.COM org.apache.hive.jdbc.HiveDriver
    2. To access Hive in a Java program, a Kerberos login is needed. For a keytab login, call the Hadoop UserGroupInformation API in your Java program. For kinit login, run kinit with the client principal before you run the Java program.
      1. Set the Hadoop UserGroupInfomatino API with Kerberos authentication:
        import org.apache.hadoop.security.UserGroupInformation;
        org.apache.hadoop.conf.Configuration conf = new     
        org.apache.hadoop.conf.Configuration();
        conf.set("hadoop.security.authentication", "Kerberos");
        UserGroupInformation.setConfiguration(conf);
      2. Call the Hadoop UserGroupInfomatino API:
        Important: This step is required when you use a keytab login.
        UserGroupInformation.loginUserFromKeytab("example_user@IBM.COM", "/path/to/example_user.keytab");
      3. Access the Hive service:
        String url =  
        "jdbc:hive2://hive2_host:10000/default;principal=hive/hive2_host@YOUR-REALM.COM"
        Connection con = DriverManager.getConnection(url);
  3. For an InfoSphere® BigInsights® Eclipse tools client application:
    1. Obtain a valid Kerberos ticket before you attempt to make a connection to HiveServer2. This step can be done by running kinit from a terminal (Linux) or a command line (Windows).
      [example_user@host ~] $ $BIGINSIGHTS_HOME/jdk/jre/bin/kinit -k -t
                    /home/example_user/example_user.keytab example_user@YOUR-REALM.COM
    2. Specify the JDBC connection properties.
      1. Open the Database Development perspective, and go to the Data Source Explorer view.
      2. Right-click the Hive connection profile that you want to make a connection, and select Properties.
      3. In the Properties dialog, go to the Hive JDBC Connection Properties tab.
      4. Compress the core-site.xml file (for example, save as core-site.zip), and add the compressed file to the driver class path. For a server connection, you can find the core-site.xml file in the <workspace>/.metadata/.plugins/com.ibm.biginsights.project/locations/<hostname>/hadoop-conf/ directory.
      5. Click the plus sign next to the Drivers field near the top of dialog page to open the New Driver Definition dialog. Do not add the core-site.zip file to the default driver definition, which can also be used by other connections, because the core-site.zip file is specific to this connection.
      6. Select the driver template Hive JDBC Driver 0.12.0. Add the server name to the driver name to indicate that this driver is specific to this connection only.
      7. Click the JAR List tab and add the core-site.zip file to the list. Click OK to close the dialog.
    3. Add information about the principal to the end of the Database field.
      default;principal=hive/HiveServer2Host@YOUR-REALM.COM


Feedback