Using Kerberos

Kerberos must be installed and configured before you can use this authentication mechanism. For information about configuring and operating Kerberos on Windows, see Configuring Kerberos Authentication for Windows. For other operating systems, see the MIT Kerberos documentation: http://web.mit.edu/kerberos/krb5-latest/doc/.

You provide this information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

Note:

When you use this authentication mechanism, SASL is the only Thrift transport protocol that is supported. The connector uses SASL by default, so you do not need to set the transportMode property.

To configure default Kerberos authentication:

  1. Set the AuthMech property to 1.
  2. To use the default realm defined in your Kerberos setup, do not set the KrbRealm property.

    3. If your Kerberos setup does not define a default realm or if the realm of your Spark server is not the default, then set the KrbRealm property to the realm of the Spark server.

  3. Set the KrbHostFQDN property to the fully qualified domain name of the Spark server host.

For example, the following connection URL connects to a Spark server with Kerberos enabled, but without SSL enabled:

jdbc:spark://node1.example.com:10000;AuthMech=1;
KrbRealm=EXAMPLE.COM;KrbHostFQDN=node1.example.com;
KrbServiceName=spark

In this example, Kerberos is enabled for JDBC connections, the Kerberos service principal name is spark/node1.example.com@EXAMPLE.COM, the host name for the data source is node1.example.com, and the server is listening on port 10000 for JDBC connections.