Question

I am trying to connect to a hive metastore that has been configured to use Kerberos for authentication. This works for me when I am not trying to use a keytab file, i.e. when the program prompts me for my password during the authentication process. When I change the configuration to use a keytab I get a long stacktrace containing among other things this statement:

Additional pre-authentication required (25) - Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

Can anyone give any advice on what I am doing wrong?

The context of my problem, if that is relevant, is that I want to access the hive metastore from a mapreduce job, and of course, a mapreduce job cannot answer to prompts.

My program looks like this:

package com.test;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

public class HiveJDBC {

   public static void main(String[] args) throws Exception {

      Class.forName("org.apache.hive.jdbc.HiveDriver");
      System.setProperty("java.security.auth.login.config","gss-jaas.conf");
      System.setProperty("sun.security.jgss.debug","true");
      System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
      System.setProperty("java.security.krb5.conf","krb5.conf");

      Connection con = DriverManager.getConnection("jdbc:hive2://some.machine:10000/default;principal=hive/some.machine@MY_REALM");

      // Do stuff with the connection
   }
}

My gss-jaas.conf file looks like this:

com.sun.security.jgss.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   useTicketCache=false
   principal="my-account@MY_REALM"
   doNotPrompt=true
   keyTab="path-to-my-keytab-file"
   debug=true;
};

My krb5.conf file looks like this:

[libdefaults]
default_realm = MY_REALM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d

[realms]
MY_REALM = {
  kdc = some.host:88
  admin_server = another.host
}

I generated my keytab file with the ktutil program using the following command:

ktutil: addent -password -p username@MY_REALM -k 1 -e aes256-cts

Solution

Apparently, this error was caused by using the wrong encryption type when issuing the ktutil command. Switching to the correct encryption (I won't mention which we use) solved the problem.
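As an added example (not part of the question or the answer), a small POSIX shell helper for checking, before the JDBC client ever runs, whether the keytab actually holds a key of the enctype the KDC expects for the principal. It assumes MIT Kerberos tools (klist, kinit) and their `klist -kte` output format; the keytab path and principal are placeholders.

```shell
#!/bin/sh
# Added example: sanity-check a keytab before handing it to the Hive JDBC client.
# A keytab entry whose enctype (or kvno) does not match what the KDC holds for the
# principal cannot satisfy pre-authentication, which is what the question's
# "Additional pre-authentication required (25)" points at.
# KEYTAB and PRINCIPAL are placeholders (assumption, not values from the page).
KEYTAB="${KEYTAB:-/path/to/my.keytab}"
PRINCIPAL="${PRINCIPAL:-my-account@MY_REALM}"

# Parse `klist -kte` output (read from stdin) and print "kvno enctype" for every
# entry belonging to the given principal. Reading stdin lets the parser be
# exercised on a constructed listing without a real keytab.
keytab_entries() {
    principal="$1"
    # Entry lines look like:  KVNO Timestamp Principal (enctype)
    awk -v p="$principal" '
        index($0, p) && /\(.*\)$/ {
            kvno = $1
            enc = $NF
            gsub(/[()]/, "", enc)
            print kvno, enc
        }'
}

# Return 0 if the listing on stdin contains an entry for the principal with the
# wanted enctype (e.g. aes256-cts-hmac-sha1-96), 1 otherwise.
has_enctype() {
    principal="$1"; want="$2"
    keytab_entries "$principal" |
        awk -v w="$want" '$2 == w { found = 1 } END { exit found ? 0 : 1 }'
}

# Live check against the real KDC: list the keytab, then obtain a TGT with it
# non-interactively. If kinit fails with a pre-authentication error, the key in
# the keytab does not match the KDC's copy; regenerate the keytab with the
# enctype (and kvno) the KDC reports rather than guessing one in ktutil.
verify_keytab() {
    klist -kte "$KEYTAB" || return 1
    kinit -kt "$KEYTAB" "$PRINCIPAL" || return 1
    klist
}
```

Run `verify_keytab` on the client host; a clean TGT from `kinit -kt` means the JAAS login in the Java program will succeed for the same principal and keytab.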

Licensed under: CC-BY-SA with attribution