Accessing hive metastore using jdbc with kerberos keytab


Problem description

I am trying to connect to a hive metastore that has been configured to use Kerberos for authentication. This works for me when I am not trying to use a keytab file, i.e. when the program prompts me for my password during the authentication process. When I change the configuration to use a keytab I get a long stacktrace containing among other things this statement:

Additional pre-authentication required (25) - Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

Can anyone give any advice on what I am doing wrong?

The context of my problem, if that is relevant, is that I want to access the hive metastore from a mapreduce job, and of course, a mapreduce job cannot answer to prompts.

My program looks like this:

package com.test;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

public class HiveJDBC {

   public static void main(String[] args) throws Exception {

      Class.forName("org.apache.hive.jdbc.HiveDriver");
      System.setProperty("java.security.auth.login.config","gss-jaas.conf");
      System.setProperty("sun.security.jgss.debug","true");
      System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
      System.setProperty("java.security.krb5.conf","krb5.conf");

      Connection con = DriverManager.getConnection("jdbc:hive2://some.machine:10000/default;principal=hive/some.machine@MY_REALM");

      // Do stuff with the connection
   }
}

My gss-jaas.conf file looks like this:

com.sun.security.jgss.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   useTicketCache=false
   principal="my-account@MY_REALM"
   doNotPrompt=true
   keyTab="path-to-my-keytab-file"
   debug=true;
};

My krb5.conf file looks like this

[libdefaults]
default_realm = MY_REALM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d

[realms]     
 MY_REALM = {
  kdc = some.host:88
  admin_server = another.host
 }

My keytab file I have generated with the ktutil program using the following command

ktutil: addent -password -p username@MY_REALM -k 1 -e aes256-cts

Recommended answer

Apparently, this error was caused by using the wrong encryption type when issuing the ktutil command. Switching to the correct encryption (I won't mention which we use) solved the problem.
