The prompts are a waste of time when kerberised - you can just hit enter twice 
at them once you have a ticket, so what's the point? I think the JIRA is valid 
(but if I recall correctly it is also a duplicate of an existing one).

Sent from my Windows Phone
________________________________
From: Rahul Sharma <kippy....@gmail.com>
Sent: 26/08/2015 17:53
To: user@hive.apache.org
Subject: Re: HiveServer2 & Kerberos

Even I (and a few others I know in different orgs) have been confused by the 
password prompts. So looking at the multiple users using their own credentials 
to authenticate, would that mean Kerberos is not used for authentication? Only 
for Authorization? In which case what will the authorization be verified 
against? The credentials user supplied or the principal that was supplied?

At the risk of sounding too naive:

  *   How is kerberos used with HiveServer2? Is it only used for secure (as in 
authenticated, authorized) communication with metastore and hadoop services? In 
which case having different user name and password for the user to login would 
make sense.
  *   If it's also used to authenticate/authorize the JDBC connection, then 
wouldn't separate keytabs/principals solve the multiple users use case?

Again, my apologies if the questions are too naive. The docs didn't answer 
these questions. I would be happy to help update them if others feel the 
questions are valid.

On Wed, Aug 26, 2015 at 9:01 AM, kulkarni.swar...@gmail.com wrote:
Nope. Because the credentials are different. You might have multiple users 
using their own credentials to authenticate themselves but there are only 
single defined credentials to be used by the metastore server.

On Wed, Aug 26, 2015 at 10:58 AM, Loïc Chanel <loic.cha...@telecomnancy.net> wrote:
I understand the behavior, but when Kerberos is enabled, isn't that a bit 
redundant?

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-08-26 17:53 GMT+02:00 kulkarni.swar...@gmail.com:
> my understanding is that after using kerberos authentication, you probably 
> don’t need the password.

That is not an accurate statement. Beeline is a JDBC client as compared to Hive 
CLI which is a thrift client to talk to HiveServer2. So it would need the 
password to establish that JDBC connection. If you look at the beeline console 
code[1], it actually first tries to read the 
"javax.jdo.option.ConnectionUserName" and "javax.jdo.option.ConnectionPassword" 
property which is the same username and password that you have set up your 
backing metastore DB with. If it is MySQL, it would be the password you set 
MySQL with or empty if you haven't (or are using derby). Kerberos is merely a 
tool for you to authenticate yourself so that you cannot impersonate yourself 
as someone else.

[1] 
https://github.com/apache/hive/blob/3991dba30c5068cac296f32e24e97cf87efa266c/beeline/src/java/org/apache/hive/beeline/Commands.java#L1117-L1125

On Wed, Aug 26, 2015 at 10:13 AM, Loïc Chanel <loic.cha...@telecomnancy.net> wrote:
Here it is: https://issues.apache.org/jira/browse/HIVE-11653

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-08-25 23:10 GMT+02:00 Sergey Shelukhin <ser...@hortonworks.com>:
Sure!

From: Loïc Chanel <loic.cha...@telecomnancy.net>
Reply-To: user@hive.apache.org
Date: Tuesday, August 25, 2015 at 00:23
To: user@hive.apache.org
Subject: Re: HiveServer2 & Kerberos

It is the case.
Would you like me to file a JIRA about it?

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-08-24 19:24 GMT+02:00 Sergey Shelukhin <ser...@hortonworks.com>:
If that is the case it sounds like a bug…

From: Jary Du <jary...@gmail.com>
Reply-To: user@hive.apache.org
Date: Thursday, August 20, 2015 at 08:56
To: user@hive.apache.org
Subject: Re: HiveServer2 & Kerberos

My understanding is that it will always ask you for user/password even though 
you don’t need them. It is just the way Hive is set up.

On Aug 20, 2015, at 8:28 AM, Loïc Chanel <loic.cha...@telecomnancy.net> wrote:

!connect jdbc:hive2://192.168.6.210:10000/db;principal=hive/hiveh...@westeros.wl org.apache.hive.jdbc.HiveDriver
scan complete in 13ms
Connecting to jdbc:hive2://192.168.6.210:10000/db;principal=hive/hiveh...@westeros.wl
Enter password for jdbc:hive2://192.168.6.210:10000/chaneldb;principal=hive/hiveh...@westeros.wl:

And if I press enter everything works perfectly, because I am using Kerberos 
authentication, that's actually why I was asking what is Hive asking for, 
because in my case, it seems that I shouldn't be asked for a password when 
connecting.

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-08-20 17:06 GMT+02:00 Jary Du <jary...@gmail.com>:
How does Beeline ask you? What happens if you just press enter?



On Aug 20, 2015, at 12:15 AM, Loïc Chanel <loic.cha...@telecomnancy.net> wrote:

Indeed, I don't need the password, but why is Beeline asking me for one ? To 
what does it correspond ?

Thanks again,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-08-19 18:22 GMT+02:00 Jary Du <jary...@gmail.com>:
Correct me if I am wrong, my understanding is that after using kerberos 
authentication, you probably don’t need the password.

Hope it helps

Thanks,
Jary


On Aug 19, 2015, at 9:09 AM, Loïc Chanel <loic.cha...@telecomnancy.net> wrote:

By the way, thanks a lot for your help, because your solution works, but I'm 
still interested in knowing what is the password I did not enter.

Thanks again,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-08-19 18:07 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>:
All right, but then, what is the password hive asks for ? Hive's one ? How do I 
know its value ?

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-08-19 17:51 GMT+02:00 Jary Du <jary...@gmail.com>:
For Beeline connection string, it should be 
"!connect jdbc:hive2://<host>:<port>/<db>;principal=<Server_Principal_of_HiveServer2>". 
Please make sure it is the hive’s principal, not the user’s. And when you 
kinit, it should be kinit user’s keytab, not the hive’s keytab.





On Aug 19, 2015, at 8:46 AM, Loïc Chanel <loic.cha...@telecomnancy.net> wrote:

Yeah, I forgot to mention it, but each time I did a kinit user/hive before 
launching beeline, as I read somewhere that Beeline does not handle Kerberos 
connection.

So, as I can make klist before launching beeline and having a good result, the 
problem does not come from this. Thanks a lot for your response though.
Do you have another idea ?

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-08-19 17:42 GMT+02:00 Jary Du <jary...@gmail.com>:
"The Beeline client must have a valid Kerberos ticket in the ticket cache 
before attempting to connect." 
(http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.1.3/bk_dataintegration/content/ch_using-hive-clients-examples.html)

So you need kinit first to have the valid Kerberos ticket in the ticket cache 
before using beeline to connect to HS2.

Jary

On Aug 19, 2015, at 8:36 AM, Loïc Chanel <loic.cha...@telecomnancy.net> wrote:

Hi again,

As I searched another way to make some requests with Kerberos enabled for 
security on HiveServer, I found that this request should do the same :
!connect jdbc:hive2://192.168.6.210:10000/default;principal=user/h...@westeros.wl org.apache.hive.jdbc.HiveDriver
But now I've got another error:
Error: Could not open client transport with JDBC Uri: jdbc:hive2://192.168.6.210:10000/default;principal=user/h...@westeros.wl: Peer indicated failure: GSS initiate failed (state=08S01,code=0)

As I saw that it was maybe a simple Kerberos ticket related problem, I tried to 
re-generate Kerberos keytabs, and to ensure that Hive has the path to access to 
its keytab, but nothing changed.

Does anyone have an idea about how to solve this issue?

Thanks in advance for your help :)


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-08-19 12:01 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>:
Hi all,

I have a little issue with HiveServer2 since I have enabled Kerberos. I'm 
unable to connect to the service via Beeline. When doing
!connect jdbc:hive2://192.168.6.210:10000 hive hive org.apache.hive.jdbc.HiveDriver
I keep receiving the same error:
Error: Could not open client transport with JDBC Uri: jdbc:hive2://192.168.6.210:10000: Peer indicated failure: Unsupported mechanism type PLAIN (state=08S01,code=0)

Did anyone have the same problem? Or know how to solve it?
Thanks in advance,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

--
Swarnim
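
Added example, not part of the thread and not Hive's own code: a small Python lint for the two Beeline URL shapes that failed above, a URL with no `principal=` (the "Unsupported mechanism type PLAIN" message) and a URL whose `principal=` names the user rather than the HiveServer2 service (the "GSS initiate failed" message, resolved in the thread by using the server's principal). The expected service name `hive`, the function names and the sample hosts and realm are assumptions.

```python
import re

# service/host@REALM: the shape of a HiveServer2 service principal
SERVICE_PRINCIPAL = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")

def parse_hive2_url(url):
    """Split jdbc:hive2://host:port/db;key=value;... into (authority, db, session vars)."""
    prefix = "jdbc:hive2://"
    if not url.startswith(prefix):
        raise ValueError("not a jdbc:hive2 URL")
    # Drop the Hive conf (?...) and Hive variable (#...) lists that may follow.
    rest = re.split(r"[?#]", url[len(prefix):], maxsplit=1)[0]
    location, *pairs = rest.split(";")
    authority, _, db = location.partition("/")
    session = dict(p.split("=", 1) for p in pairs if "=" in p)
    return authority, db or "default", session

def lint_kerberos_url(url, expected_service="hive"):
    """Return findings for a Kerberized HiveServer2; an empty list means no finding."""
    _, _, session = parse_hive2_url(url)
    principal = session.get("principal")
    if principal is None:
        return ["no principal=: client will not offer Kerberos "
                "(compare 'Unsupported mechanism type PLAIN')"]
    match = SERVICE_PRINCIPAL.match(principal)
    if match is None:
        return ["principal is not of the form service/host@REALM"]
    if match["service"] != expected_service:  # assumed site convention: 'hive'
        return [f"principal names service '{match['service']}', expected "
                f"'{expected_service}': use the server's principal, not the user's"]
    return []

# Constructed sample URLs (hosts and realm are placeholders, not from the thread).
SAMPLES = [
    "jdbc:hive2://hs2.example.com:10000",
    "jdbc:hive2://hs2.example.com:10000/default;principal=alice/hs2.example.com@EXAMPLE.COM",
    "jdbc:hive2://hs2.example.com:10000/db;principal=hive/hs2.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", lint_kerberos_url(url) or "ok")
```

The lint only inspects the URL; a valid ticket from `kinit` as the user is still required before connecting.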