Linux ODBC connectivity to Kerberos enabled hive - issues an

Posted by alain.charroux@sap.com on 08-Nov-2017 07:50

Hi,

I am not able to find details on ODBC.ini settings in Linux to connect to a Kerberos-enabled Hive cluster. I tried various things and have seen these pages:

knowledgebase.progress.com/.../Connection-fails-using-Kerberos-Authentication-with-ConnectXE-for-ODBC-Apache-Hive-driver
https://documentation.progress.com/output/DataDirect/odbchivehelp/index.html#page/odbchive/summary-of-security-related-options.html

But I am not sure where to store the GSS client library in the case of Linux and if anything else is needed. Currently I'm either getting the error:

Error Message from ODBC: Connection failed: [ODBC 20101 driver]170Unsupported mechanism type PLAIN

Or sometimes I'm getting invalid hiveserver host or port.

Any clues?

Thanks,

Priti

All Replies

Posted by csands on 08-Nov-2017 09:12

Example, replace values with your installation settings.

AuthenticationMethod=4

ServicePrincipalName=hive/fqhostname@REALM

GSSClient=/usr/lib/gss/libgssapi_krb5_64.so

HostName=hive_database_ipaddress/host

PortNumber=10000
Database=default

Posted by csands on 08-Nov-2017 09:21

From the ODBC User's Guide and Reference for Apache Hive

Service Principal Name

Attribute

ServicePrincipalName (SPN)

Purpose

The service principal name to be used by driver for Kerberos authentication.

Valid Values

ServicePrincipalName

where:

ServicePrincipalName

is the three-part service principal name registered with the key distribution center (KDC).

Note: Your service principal name is the value of the hive.server2.authentication.kerberos.principal property in the hive-site.xml file.

You must specify the service principal name using the following format:

Service_Name/Fully_Qualified_Domain_Name@REALM.COM

where:

Service_Name

is the name of the service hosting the instance. For example, yourservicename.

Depending on the Hive distribution you use, the name of the service is defined either automatically by the server or manually by the user who created the service. For instance, CDH distributions automatically generate a service name of hive, while Apache Hadoop distributions require that the service name be manually defined by the user. Refer to your distribution's documentation for additional information.

Fully_Qualified_Domain_Name

is the fully qualified domain name of the host machine. For example, yourserver.example.com.

REALM.COM

is the domain name of the host machine. This part of the value must be specified in upper-case characters. For example, EXAMPLE.COM.

Example

The following is an example of a valid service principal name:

yourservicename/yourserver.example.com@EXAMPLE.COM

Notes

* If unspecified, the value of the Network Address option is used as the service principal name.

* If Authentication Method is set to 0 or -1, the value of the Service Principal Name option is ignored.

Default

None

GUI Tab

-------------

Authentication Method

Attribute

AuthenticationMethod (AM)

Purpose

Specifies the method the driver uses to authenticate the user to the server when a connection is established. If the specified authentication method is not supported by the database server, the connection fails and the driver generates an error.

Valid Values

0 | 4 | -1

Behavior

If set to 0 (User ID/Password), the driver sends the user ID in clear text and an encrypted password to the server for authentication.

If set to 4 (Kerberos Authentication), the driver uses Kerberos authentication. This method supports both Windows Active Directory Kerberos and MIT Kerberos environments.

If set to -1 (No Authentication), the driver sends the user ID and password in clear text to the server for authentication.

Default

0 (User ID/Password)

GUI Tab

----------

GSS Client Library

Attribute

GSSClient (GSSC)

Purpose

The name of the GSS client library that the driver uses to communicate with the Key Distribution Center (KDC).

The driver uses the path defined by the PATH environment variable for loading the specified client library.

Valid Values

native | client_library

where:

client_library

is a GSS client library installed on the client.

Behavior

If set to client_library, the driver uses the specified GSS client library.

Note: For MIT Kerberos distributions, you must provide a full path to the MIT Library. For example, the 64-bit version for Windows would use the following value: C:\Program Files\MIT\Kerberos\bin\gssapi64.dll.

If set to native, the driver uses the GSS client for Windows Kerberos. All other users must provide the full path to the library name.

Default

native

GUI Tab

Security tab
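
The option rules quoted above can be checked against a DSN before attempting a connection. This is an added example, not code from the thread or from the driver documentation; the DSN names, host name and sample odbc.ini text are constructed, and `check_dsn` and `AM_NOTES` are hypothetical names.

```python
import configparser
import os
import re

# SPN shape from the quoted guide: Service_Name/Fully_Qualified_Domain_Name@REALM.COM
SPN_RE = re.compile(r"^[^/@\s]+/(?P<host>[^/@\s]+)@(?P<realm>[^/@\s]+)$")
AM_NOTES = {"-1": "user ID and password are sent in clear text",
            "0": "user ID/password authentication, Kerberos is not used"}

# Constructed sample odbc.ini; DSN names and host are placeholders.
SAMPLE = """\
[HiveKrb]
AuthenticationMethod=4
ServicePrincipalName=hive/hiveserver.example.com@example.com
GSSClient=libgssapi_krb5.so
[HivePlain]
AuthenticationMethod=-1
"""

def check_dsn(ini_text, dsn, exists=os.path.isfile):
    """Return findings for one DSN section, per the option descriptions quoted above."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)            # option names are lower-cased by configparser
    if not cp.has_section(dsn):
        return [f"DSN [{dsn}] not found"]
    opts, out = cp[dsn], []
    am = opts.get("authenticationmethod", "0").strip()   # documented default is 0
    if am != "4":                       # the SPN is ignored for 0 and -1
        return [f"AuthenticationMethod={am}: "
                + AM_NOTES.get(am, "not one of the valid values 0 | 4 | -1")]
    spn = opts.get("serviceprincipalname", "").strip()
    m = SPN_RE.match(spn)
    if not spn:
        out.append("ServicePrincipalName unset: the Network Address value is used instead")
    elif not m:
        out.append("ServicePrincipalName is not Service_Name/FQDN@REALM")
    elif m["realm"] != m["realm"].upper():
        out.append("ServicePrincipalName realm must be upper-case")
    gss = opts.get("gssclient", "native").strip()
    if gss.lower() == "native":
        out.append("GSSClient=native is the Windows Kerberos client; give a full path")
    elif not os.path.isabs(gss):
        out.append("GSSClient is not a full path to the GSS library")
    elif not exists(gss):
        out.append(f"GSSClient library not found: {gss}")
    return out

if __name__ == "__main__":
    for name in ("HiveKrb", "HivePlain"):
        print(name, check_dsn(SAMPLE, name))
```

An empty list means the section agrees with the quoted option descriptions; it does not prove that a ticket exists or that the KDC is reachable.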

Posted by alain.charroux@sap.com on 07-Mar-2018 09:06

Sorry for coming back after long time...

But followed all the steps as suggested including the GSS lib path.

JDBC to Hive via beeline works in the Hadoop cluster.

Whereas using DD odbc.ini with the suggested values the error comes as ‘170Unsupported mechanism type PLAIN’.

So I tried to change ‘AuthenticationMethod’ to ‘1’ as some Progress documentation suggests value 1 for Kerberos.

The error then is ‘Kerberos Protocol error’.

I wonder if anyone has tried this combination with DataDirect Connect ODBC drivers from Linux.

My KDC Type is MIT. And there is hardly any good documentation for this combination.

Kindly suggest what could be wrong now!

Thanks

Priti

Posted by csands on 07-Mar-2018 12:45

OK, with this error message, unsupported PLAIN, you are trying to connect without any kind of security.

So the good news is it looks like you are going to the right server and port.

I need the following and I can help you:

1) the ODBC.INI file from the client you are using when set up for Kerberos.

2) the connect string you are using in beeline.

3) the krb5.conf file from the client system.

4) the krb5.ini file from the hive system.

5) the Env from the client system, i.e. run setenv

6) klist -e from the client system where you have a valid Kerberos ticket.

7) klist -e from the hive system where you have a ticket and the beeline just worked.

Posted by csands on 08-Mar-2018 08:18

Sorry, typo (not krb5.ini): both client and server krb5.conf files

This thread is closed