I understand the behavior, but when Kerberos is enabled, isn't that a bit redundant ?
Loïc CHANEL Engineering student at TELECOM Nancy Trainee at Worldline - Villeurbanne 2015-08-26 17:53 GMT+02:00 kulkarni.swar...@gmail.com < kulkarni.swar...@gmail.com>: > > my understanding is that after using kerberos authentication, you > probably don’t need the password. > > That is not an accurate statement. Beeline is a JDBC client as compared to > Hive CLI which is a thrift client to talk to HIveServer2. So it would need > the password to establish that JDBC connection. If you look at the beeline > console code[1], it actually first tries to read the > "javax.jdo.option.ConnectionUserName" and > "javax.jdo.option.ConnectionPassword" property which is the same username > and password that you have setup your backing metastore DB with. If it is > MySWL, it would be the password you set MySQL with or empty if you > haven't(or are using derby). Kerberos is merely a tool for you to > authenticate yourself so that you cannot impersonate yourself as someone > else. > > [1] > https://github.com/apache/hive/blob/3991dba30c5068cac296f32e24e97cf87efa266c/beeline/src/java/org/apache/hive/beeline/Commands.java#L1117-L1125 > > On Wed, Aug 26, 2015 at 10:13 AM, Loïc Chanel < > loic.cha...@telecomnancy.net> wrote: > >> Here it is : https://issues.apache.org/jira/browse/HIVE-11653 >> >> Loïc CHANEL >> Engineering student at TELECOM Nancy >> Trainee at Worldline - Villeurbanne >> >> 2015-08-25 23:10 GMT+02:00 Sergey Shelukhin <ser...@hortonworks.com>: >> >>> Sure! >>> >>> From: Loïc Chanel <loic.cha...@telecomnancy.net> >>> Reply-To: "user@hive.apache.org" <user@hive.apache.org> >>> Date: Tuesday, August 25, 2015 at 00:23 >>> >>> To: "user@hive.apache.org" <user@hive.apache.org> >>> Subject: Re: HiveServer2 & Kerberos >>> >>> It is the case. >>> Would you like me to fill a JIRA about it ? >>> >>> Loïc CHANEL >>> Engineering student at TELECOM Nancy >>> Trainee at Worldline - Villeurbanne >>> >>> 2015-08-24 19:24 GMT+02:00 Sergey Shelukhin <ser...@hortonworks.com>: >>> >>>> If that is the case it sounds like a bug… >>>> >>>> From: Jary Du <jary...@gmail.com> >>>> Reply-To: "user@hive.apache.org" <user@hive.apache.org> >>>> Date: Thursday, August 20, 2015 at 08:56 >>>> To: "user@hive.apache.org" <user@hive.apache.org> >>>> Subject: Re: HiveServer2 & Kerberos >>>> >>>> My understanding is that it will always ask you user/password even >>>> though you don’t need them. It is just the way how hive is setup. >>>> >>>> On Aug 20, 2015, at 8:28 AM, Loïc Chanel <loic.cha...@telecomnancy.net> >>>> wrote: >>>> >>>> !connect jdbc:hive2:// >>>> 192.168.6.210:10000/db;principal=hive/hiveh...@westeros.wl >>>> org.apache.hive.jdbc.HiveDriver >>>> scan complete in 13ms >>>> Connecting to jdbc:hive2:// >>>> 192.168.6.210:10000/db;principal=hive/hiveh...@westeros.wl >>>> Enter password for jdbc:hive2:// >>>> 192.168.6.210:10000/chaneldb;principal=hive/hiveh...@westeros.wl: >>>> >>>> And if I press enter everything works perfectly, because I am using >>>> Kerberos authentication, that's actually why I was asking what is Hive >>>> asking for, because in my case, it seems that I shouldn't be asked for a >>>> password when connecting. >>>> >>>> Loïc CHANEL >>>> Engineering student at TELECOM Nancy >>>> Trainee at Worldline - Villeurbanne >>>> >>>> 2015-08-20 17:06 GMT+02:00 Jary Du <jary...@gmail.com>: >>>> >>>>> How does Beeline ask you? What happens if you just press enter? >>>>> >>>>> >>>>> >>>>> On Aug 20, 2015, at 12:15 AM, Loïc Chanel < >>>>> loic.cha...@telecomnancy.net> wrote: >>>>> >>>>> Indeed, I don't need the password, but why is Beeline asking me for >>>>> one ? To what does it correspond ? >>>>> >>>>> Thanks again, >>>>> >>>>> >>>>> Loïc >>>>> >>>>> Loïc CHANEL >>>>> Engineering student at TELECOM Nancy >>>>> Trainee at Worldline - Villeurbanne >>>>> >>>>> 2015-08-19 18:22 GMT+02:00 Jary Du <jary...@gmail.com>: >>>>> >>>>>> Correct me if I am wrong, my understanding is that after using >>>>>> kerberos authentication, you probably don’t need the password. >>>>>> >>>>>> Hope it helps >>>>>> >>>>>> Thanks, >>>>>> Jary >>>>>> >>>>>> >>>>>> On Aug 19, 2015, at 9:09 AM, Loïc Chanel < >>>>>> loic.cha...@telecomnancy.net> wrote: >>>>>> >>>>>> By the way, thanks a lot for your help, because your solution works, >>>>>> but I'm still interested in knowing what is the password I did not enter. >>>>>> >>>>>> Thanks again, >>>>>> >>>>>> >>>>>> Loïc >>>>>> >>>>>> Loïc CHANEL >>>>>> Engineering student at TELECOM Nancy >>>>>> Trainee at Worldline - Villeurbanne >>>>>> >>>>>> 2015-08-19 18:07 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net> >>>>>> : >>>>>> >>>>>>> All right, but then, what is the password hive asks for ? Hive's one >>>>>>> ? How do I know its value ? >>>>>>> >>>>>>> Loïc CHANEL >>>>>>> Engineering student at TELECOM Nancy >>>>>>> Trainee at Worldline - Villeurbanne >>>>>>> >>>>>>> 2015-08-19 17:51 GMT+02:00 Jary Du <jary...@gmail.com>: >>>>>>> >>>>>>>> For Beeline connection string, it should be "!connect >>>>>>>> jdbc:hive2://<host>:<port>/<db>;principal=<Server_Principal_of_HiveServer2>”. >>>>>>>> Please >>>>>>>> make sure it is the hive’s principal, not the user’s. And when you >>>>>>>> kinit, >>>>>>>> it should be kinit user’s keytab, not the hive’s keytab. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Aug 19, 2015, at 8:46 AM, Loïc Chanel < >>>>>>>> loic.cha...@telecomnancy.net> wrote: >>>>>>>> >>>>>>>> Yeah, I forgot to mention it, but each time I did a kinit user/hive >>>>>>>> before launching beeline, as I read somewhere that Beeline does not >>>>>>>> handle >>>>>>>> Kerberos connection. >>>>>>>> >>>>>>>> So, as I can make klist before launching beeline and having a good >>>>>>>> result, the problem does not come from this. Thanks a lot for your >>>>>>>> response >>>>>>>> though. >>>>>>>> Do you have another idea ? >>>>>>>> >>>>>>>> Loïc CHANEL >>>>>>>> Engineering student at TELECOM Nancy >>>>>>>> Trainee at Worldline - Villeurbanne >>>>>>>> >>>>>>>> 2015-08-19 17:42 GMT+02:00 Jary Du <jary...@gmail.com>: >>>>>>>> >>>>>>>>> "The Beeline client must have a valid Kerberos ticket in the >>>>>>>>> ticket cache before attempting to connect." ( >>>>>>>>> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.1.3/bk_dataintegration/content/ch_using-hive-clients-examples.html >>>>>>>>> ) >>>>>>>>> >>>>>>>>> So you need kinit first to have the valid Kerberos ticket int the >>>>>>>>> ticket cache before using beeline to connect to HS2. >>>>>>>>> >>>>>>>>> Jary >>>>>>>>> >>>>>>>>> On Aug 19, 2015, at 8:36 AM, Loïc Chanel < >>>>>>>>> loic.cha...@telecomnancy.net> wrote: >>>>>>>>> >>>>>>>>> Hi again, >>>>>>>>> >>>>>>>>> As I searched another way to make some requests with Kerberos >>>>>>>>> enabled for security on HiveServer, I found that this request should >>>>>>>>> do the >>>>>>>>> same : >>>>>>>>> !connect jdbc:hive2:// >>>>>>>>> 192.168.6.210:10000/default;principal=user/h...@westeros.wl >>>>>>>>> org.apache.hive.jdbc.HiveDriver >>>>>>>>> But now I've got another error : >>>>>>>>> Error: Could not open client transport with JDBC Uri: jdbc:hive2:// >>>>>>>>> 192.168.6.210:10000/default;principal=user/h...@westeros.wl: Peer >>>>>>>>> indicated failure: GSS initiate failed (state=08S01,code=0) >>>>>>>>> >>>>>>>>> As I saw that it was maybe a simple Kerberos ticket related >>>>>>>>> problem, I tried to re-generate Kerberos keytabs, and to ensure that >>>>>>>>> Hive >>>>>>>>> has the path to access to its keytab, but nothing changed. >>>>>>>>> >>>>>>>>> Does anyone has an idea about how to solve this issue ? >>>>>>>>> >>>>>>>>> Thanks in advance for your help :) >>>>>>>>> >>>>>>>>> >>>>>>>>> Loïc >>>>>>>>> >>>>>>>>> Loïc CHANEL >>>>>>>>> Engineering student at TELECOM Nancy >>>>>>>>> Trainee at Worldline - Villeurbanne >>>>>>>>> >>>>>>>>> 2015-08-19 12:01 GMT+02:00 Loïc Chanel < >>>>>>>>> loic.cha...@telecomnancy.net>: >>>>>>>>> >>>>>>>>>> Hi all, >>>>>>>>>> >>>>>>>>>> I have a little issue with HiveServer2 since I have enabled >>>>>>>>>> Kerberos. I'm unable to connect to the service via Beeline. When >>>>>>>>>> doing >>>>>>>>>> !connect jdbc:hive2://192.168.6.210:10000 hive hive >>>>>>>>>> org.apache.hive.jdbc.HiveDriver >>>>>>>>>> I keep receiving the same error : >>>>>>>>>> Error: Could not open client transport with JDBC Uri: >>>>>>>>>> jdbc:hive2://192.168.6.210:10000: Peer indicated failure: >>>>>>>>>> Unsupported mechanism type PLAIN (state=08S01,code=0) >>>>>>>>>> >>>>>>>>>> Does anyone had the same problem ? Or know how to solve it ? >>>>>>>>>> Thanks in advance, >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Loïc >>>>>>>>>> >>>>>>>>>> Loïc CHANEL >>>>>>>>>> Engineering student at TELECOM Nancy >>>>>>>>>> Trainee at Worldline - Villeurbanne >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>> >>>> >>> >> > > > -- > Swarnim >