Using Kerberos

Kerberos must be installed and configured before you can use this authentication mechanism. For information about configuring and operating Kerberos on Windows, see Configuring Kerberos Authentication for Windows. For other operating systems, see the MIT Kerberos documentation: http://web.mit.edu/kerberos/krb5-latest/doc/.

You provide this information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

Note:
  • This authentication mechanism is available only for Hive Server 2.
  • For this authentication mechanism, SASL and HTTP Thrift transport protocols are supported. If the transportMode property is not set, the connector defaults to SASL. If the hive.server2.transport.mode property has been set to HTTP on the server side, set the transportMode property to http.

To configure default Kerberos authentication:

  1. Set the AuthMech property to 1.
  2. To use the default realm defined in your Kerberos setup, do not set the KrbRealm property.

    If your Kerberos setup does not define a default realm or if the realm of your Hive server is not the default, then set the KrbRealm property to the realm of the Hive server.

  3. Set the KrbHostFQDN property to the fully qualified domain name of the Hive server host.
  4. Optionally, specify how the connector obtains the Kerberos Subject by setting the KrbAuthType property as follows:
    • To configure the connector to automatically detect which method to use for obtaining the Subject, set the KrbAuthType property to 0. Alternatively, do not set the KrbAuthType property.
    • Or, to create a LoginContext from a JAAS configuration and then use the Subject associated with it, set the KrbAuthType property to 1.
    • Or, to create a LoginContext from a Kerberos ticket cache and then use the Subject associated with it, set the KrbAuthType property to 2.

    For more detailed information about how the connector obtains Kerberos Subjects based on these settings, see KrbAuthType.

For example, the following connection URL connects to a Hive server with Kerberos enabled, but without SSL enabled:

jdbc:hive2://node1.example.com:10000;AuthMech=1;
KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2node1.example.com;
KrbServiceName=hive;KrbAuthType=2

In this example, Kerberos is enabled for JDBC connections, the Kerberos service principal name is hive/node1.example.com@EXAMPLE.COM, the host name for the data source is node1.example.com, and the server is listening on port 10000 for JDBC connections.
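
The following pre-flight check for a Kerberos connection URL is an added example, not part of the connector or its documentation. It tests the URL against the steps above before the URL reaches an application configuration. The function names, the finding codes, the FQDN heuristic and the second sample URL are assumptions made for illustration.

```python
KRB_AUTH_TYPES = {"0", "1", "2"}    # auto-detect, JAAS configuration, ticket cache
TRANSPORT_MODES = {"sasl", "http"}  # the connector defaults to SASL when unset

def parse_url(url):
    """Return the Key=Value properties of a jdbc:hive2://host:port;Key=Value;... URL."""
    prefix = "jdbc:hive2://"
    if not url.startswith(prefix):
        raise ValueError("not a jdbc:hive2:// URL")
    _, *pairs = url[len(prefix):].split(";")
    props = {}
    for pair in filter(None, pairs):          # tolerate a trailing ';'
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed property: {pair!r}")
        props[key.strip()] = value.strip()
    return props

def lint_kerberos_url(url):
    """Return finding codes; an empty list means the URL follows the steps above."""
    props = parse_url(url)
    findings = []
    if props.get("AuthMech") != "1":
        findings.append("AuthMech-not-1")
    fqdn = props.get("KrbHostFQDN", "")
    if not fqdn:
        findings.append("KrbHostFQDN-missing")
    # Heuristic (assumption): IP literals (dotted digits, or anything with ':')
    # and single-label host names are not fully qualified domain names.
    elif ":" in fqdn or fqdn.replace(".", "").isdigit() or "." not in fqdn.strip("."):
        findings.append("KrbHostFQDN-not-fqdn")
    if props.get("KrbAuthType", "0") not in KRB_AUTH_TYPES:
        findings.append("KrbAuthType-invalid")
    # The value is compared case-insensitively here; that leniency is an assumption.
    if props.get("transportMode", "sasl").lower() not in TRANSPORT_MODES:
        findings.append("transportMode-invalid")
    if "KrbRealm" not in props:               # allowed: the default realm is used
        findings.append("note:KrbRealm-unset-default-realm-used")
    return findings

# The URL from this page (joined onto one line) and a constructed misconfigured one.
PAGE_URL = ("jdbc:hive2://node1.example.com:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;"
            "KrbHostFQDN=hs2node1.example.com;KrbServiceName=hive;KrbAuthType=2")
BAD_URL = "jdbc:hive2://node1.example.com:10000;AuthMech=1;KrbHostFQDN=10.0.0.5;KrbAuthType=3"

if __name__ == "__main__":
    for u in (PAGE_URL, BAD_URL):
        print(lint_kerberos_url(u) or "ok", "<-", u)
```
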