I am trying to connect to a hive metastore that has been configured to use Kerberos for authentication. This works for me when I am not trying to use a keytab file, i.e. when the program prompts me for my password during the authentication process. When I change the configuration to use a keytab I get a long stacktrace containing among other things this statement:
Additional pre-authentication required (25) - Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Can anyone give any advice on what I am doing wrong?
The context of my problem, if that is relevant, is that I want to access the hive metastore from a mapreduce job, and of course, a mapreduce job cannot answer prompts.
My program looks like this:

    package com.test;

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.Statement;

    public class HiveJDBC {
        public static void main(String[] args) throws Exception {
            Class.forName("org.apache.hive.jdbc.HiveDriver");
            // JAAS login configuration (keytab settings live in this file)
            System.setProperty("java.security.auth.login.config", "gss-jaas.conf");
            System.setProperty("sun.security.jgss.debug", "true");
            // Let JGSS obtain credentials through JAAS instead of requiring a pre-populated Subject
            System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
            // Realm and KDC definitions
            System.setProperty("java.security.krb5.conf", "krb5.conf");
            Connection con = DriverManager.getConnection("jdbc:hive2://some.machine:10000/default;principal=hive/some.machine@MY_REALM");
            // Do stuff with the connection
        }
    }

My gss-jaas.conf file looks like this:

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        useTicketCache=false
        principal="my-account@MY_REALM"
        doNotPrompt=true
        keyTab="path-to-my-keytab-file"
        debug=true;
    };

My krb5.conf file looks like this:

    [libdefaults]
        default_realm = MY_REALM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d

    [realms]
        MY_REALM = {
            kdc = some.host:88
            admin_server = another.host
        }

My keytab file I have generated with the ktutil program using the following command:

    ktutil: addent -password -p username@MY_REALM -k 1 -e aes256-cts

Apparently, this error was caused by using the wrong encryption type when issuing the ktutil command. Switching to the correct encryption (I won't mention which we use) solved the problem.