Using Kerberos

Kerberos must be installed and configured before you can use this authentication mechanism. For more information, refer to the MIT Kerberos Documentation: http://web.mit.edu/kerberos/krb5-latest/doc/.

To configure Kerberos authentication:

  1. Set the AuthMech connection attribute to 1.
  2. Choose one:
    • To use the default realm defined in your Kerberos setup, do not set the KrbRealm attribute.
    • Or, if your Kerberos setup does not define a default realm or if the realm of your Spark server is not the default, then set the appropriate realm using the KrbRealm attribute.
  3. Optionally, if you are using MIT Kerberos and a Kerberos realm is specified using the KrbRealm connection attribute, then choose one:
    • To have the Kerberos layer canonicalize the server's service principal name, leave the ServicePrincipalCanonicalization attribute set to 1.
    • Or, to prevent the Kerberos layer from canonicalizing the server's service principal name, set the ServicePrincipalCanonicalization attribute to 0.
  4. Set the KrbHostFQDN attribute to the fully qualified domain name of the Spark Thrift Server host.
    Note:

    To use the Spark server host name as the fully qualified domain name for Kerberos authentication, set KrbHostFQDN to _HOST.

  5. Set the KrbServiceName attribute to the service name of the Spark Thrift Server.
  6. To allow the connector to pass your credentials directly to the server for use in authentication, set DelegateKrbCreds to 1.
  7. Set the ThriftTransport connection attribute to the transport protocol to use in the Thrift layer.

    Important:

    When using this authentication mechanism, Binary (ThriftTransport=0) is not supported.

  8. If the Spark server is configured to use SSL, then configure SSL for the connection. For more information, see Configuring SSL Verification.
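
The following added example (not part of the connector or its documentation) checks a `Key=Value;` connection string against the Kerberos steps above. The attribute names are the ones on this page; the function names, the sample strings, and the realm, host and service values in them are constructed for illustration, and `ThriftTransport=1` stands in for any non-Binary transport.

```python
# Added example: lint a connection string against the Kerberos steps above.
# Attribute names come from this page; helpers and sample values are constructed.

def parse_conn_str(conn_str):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased name."""
    attrs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs

def check_kerberos_settings(conn_str):
    """Return (errors, warnings) for the Kerberos settings described above."""
    a = parse_conn_str(conn_str)
    errors, warnings = [], []
    if a.get("authmech") != "1":
        errors.append("AuthMech must be 1 for Kerberos")
    # _HOST is an accepted KrbHostFQDN value, so only emptiness is checked.
    for required in ("KrbHostFQDN", "KrbServiceName"):
        if not a.get(required.lower()):
            errors.append(f"{required} is not set")
    transport = a.get("thrifttransport")
    if transport is None:
        errors.append("ThriftTransport is not set")
    elif transport == "0":
        errors.append("Binary (ThriftTransport=0) is not supported with Kerberos")
    # The canonicalization step applies only when KrbRealm is specified.
    if "serviceprincipalcanonicalization" in a and not a.get("krbrealm"):
        warnings.append("ServicePrincipalCanonicalization set without KrbRealm")
    # Delegation hands the user's credentials to the server: flag for review.
    if a.get("delegatekrbcreds") == "1":
        warnings.append("DelegateKrbCreds=1 passes your credentials to the server")
    return errors, warnings

# Constructed sample strings (placeholder realm, host and service name).
GOOD = ("AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=spark01.example.com;"
        "KrbServiceName=spark;ThriftTransport=1")
BAD = ("AuthMech=1;KrbHostFQDN=_HOST;ThriftTransport=0;"
       "DelegateKrbCreds=1;ServicePrincipalCanonicalization=0")

if __name__ == "__main__":
    for name, conn in (("GOOD", GOOD), ("BAD", BAD)):
        errs, warns = check_kerberos_settings(conn)
        print(name, "errors:", errs, "warnings:", warns)
```
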