Accessing hive metastore using jdbc with kerberos keytab


Problem description


I am trying to connect to a hive metastore that has been configured to use Kerberos for authentication. This works for me when I am not trying to use a keytab file, i.e. when the program prompts me for my password during the authentication process. When I change the configuration to use a keytab I get a long stacktrace containing among other things this statement:

Additional pre-authentication required (25) - Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

Can anyone give any advice on what I am doing wrong?

The context of my problem, if that is relevant, is that I want to access the hive metastore from a mapreduce job, and of course, a mapreduce job cannot answer to prompts.

My program looks like this:

package com.test;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

public class HiveJDBC {

   public static void main(String[] args) throws Exception {

      Class.forName("org.apache.hive.jdbc.HiveDriver");
      System.setProperty("java.security.auth.login.config","gss-jaas.conf");
      System.setProperty("sun.security.jgss.debug","true");
      System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
      System.setProperty("java.security.krb5.conf","krb5.conf");

      Connection con = DriverManager.getConnection("jdbc:hive2://some.machine:10000/default;principal=hive/some.machine@MY_REALM");

      // Do stuff with the connection
   }
}

My gss-jaas.conf file looks like this:

com.sun.security.jgss.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   useTicketCache=false
   principal="my-account@MY_REALM"
   doNotPrompt=true
   keyTab="path-to-my-keytab-file"
   debug=true;
};

My krb5.conf file looks like this

[libdefaults]
default_realm = MY_REALM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d

[realms]     
 MY_REALM = {
  kdc = some.host:88
  admin_server = another.host
 }

My keytab file I have generated with the ktutil program using the following command

ktutil: addent -password -p username@MY_REALM -k 1 -e aes256-cts

Solution

Apparently, this error was caused by using the wrong encryption type when issuing the ktutil command. Switching to the correct encryption (I won't mention which we use) solved the problem.
