Hi All,
I am having a kerberized HDP 2.5.
I am doing Kerberos SPNEGO authentication from browser(on a client machine
where I did the kinit and have a valid Kerberos ticket in the ticket cache) and
able to get the org.ietf.jgss.GSSCredential in my web application (hosted on a
different node).
FLOW:
---
Hitting the web app URL I get the challenge response header WWW-Authenticate:
Negotiate and then the browser uses GSS-API to load the user's Kerberos ticket
from ticket cache of the form Authorization: Negotiate YII. This works
perfectly fine and I am authenticated via Kerberos and landed up in my web app.
On the web app I get this *org.ietf.jgss.GSSCredential* and now want to figure
out how this org.ietf.jgss.GSSCredential can be used to access Hive Server2 via
JDBC (without doing a kinit).
I see code like from Cloudera JDBC Driver for Impala :
jdbc:impala://node1.example.com:21050;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=node1.example.com;KrbServiceName=impala
https://www.cloudera.com/documentation/other/connectors/impala-jdbc/latest/Cloudera-JDBC-Driver-for-Impala-Install-Guide.pdf
And Simba driver for Impala
--
GSSCredential userCredential = [GSSCredential]
Driver driver = (Driver)
Class.forName("com.simba.impala.jdbc41.Driver").newInstance();
Properties properties = new Properties();
properties.put("userGSSCredential", userCredential);
Connection conn =
driver.connect("jdbc:impala://node1.example.com:21050;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=node1.example.com;KrbServiceName=impala"
,properties);
http://www.simba.com/products/Impala/doc/JDBC_InstallGuide/content/jdbc/im/authenticating/delegatedkerberos.htm
Simba driver for Hive
-
jdbc:hive2://node1.example.com:1;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2node1.example.com;KrbServiceName=hive;KrbAuthType=2
http://www.simba.com/products/Hive/doc/JDBC_InstallGuide/content/jdbc/hi/authenticating/kerberos.htm
I am using HDP 2.5 and hence using the "org.apache.hive.jdbc.HiveDriver".
Not sure if the "org.apache.hive.jdbc.HiveDriver" supports the JDBC Urls that
somehow allow me to use org.ietf.jgss.GSSCredential.
I did not find any mentions on the Apache Hive docs.
Correct me if I am wrong I am thinking of ways to pass
*org.ietf.jgss.GSSCredential* via GSS API calls to access Hive Server 2 jdbc?
I am not sure about this too.
Any pointers or examples would be of great help here.
Thanks,
-Nirmal
NOTE: This message may contain information that is confidential, proprietary,
privileged or otherwise protected by law. The message is intended solely for
the named addressee. If received in error, please destroy and notify the
sender. Any use of this email is prohibited when received in error. Impetus
does not represent, warrant and/or guarantee, that the integrity of this
communication has been maintained nor that the communication is free of errors,
virus, interception or interference.