Error when connecting to Impala with JDBC under Kerberos authentication
Forget about the Hadoop UGI: a JDBC driver just needs the raw JAAS configuration to create a Kerberos ticket on-the-fly (with useKeyTab raised and useTicketCache lowered).
System properties
- java.security.krb5.conf => (optional) non-default Kerberos conf
- java.security.auth.login.config => JAAS config file
- javax.security.auth.useSubjectCredsOnly => must be forced to "false" (the default has changed in some Java release, duh)
Sample JAAS conf file, Impala/Hive Cloudera drivers
Here with a Windows path in Java-style notation.
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:C:/blah/blah/dummy.keytab"
  principal="[email protected]"
  debug=false;
};
Sample JAAS conf file, Apache Hive driver
Just change section name from Client to com.sun.security.jgss.krb5.initiate
PS: you can stuff multiple sections in the same conf file; this means that you can define a "global" conf and use it with multiple tools & drivers & libs, with consistent settings.
Debugging
- sun.security.krb5.debug => set to "true"
- java.security.debug => set to "gssloginconfig,configfile,configparser,logincontext"
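A preflight check for the JAAS file described in the answer above, added here as an example (not the answerer's or any driver's code): it sets the same system properties, lets the JVM's own JAAS parser load the file, and verifies both section names and the keytab options without contacting a KDC. The class name JaasPreflight, the sample keytab path and the principal user@EXAMPLE.COM are constructed placeholders, and Java 11+ is assumed.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;

public class JaasPreflight {
    // Section names from the answer: Cloudera Impala/Hive drivers, then the Apache Hive driver.
    static final String[] SECTIONS = {"Client", "com.sun.security.jgss.krb5.initiate"};
    // Option values the answer uses for a non-interactive keytab login.
    static final String[][] EXPECTED = {{"useKeyTab", "true"}, {"useTicketCache", "false"}, {"doNotPrompt", "true"}};
    // Constructed sample: both sections in one file; keytab path and principal are placeholders.
    static Path writeSample() throws Exception {
        String body = " {\n  com.sun.security.auth.module.Krb5LoginModule required\n"
            + "  useTicketCache=false doNotPrompt=true useKeyTab=true\n"
            + "  keyTab=\"file:C:/path/to/placeholder.keytab\"\n"
            + "  principal=\"user@EXAMPLE.COM\" debug=false;\n};\n";
        return Files.writeString(Files.createTempFile("jaas-sample", ".conf"),
            SECTIONS[0] + body + SECTIONS[1] + body);
    }
    // Prints each deviation in one section and returns how many were found.
    static int check(Configuration cfg, String section) {
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(section);
        if (entries == null) { System.out.println(section + ": section missing"); return 1; }
        Map<String, ?> opts = entries[0].getOptions();
        int problems = 0;
        for (String[] kv : EXPECTED) {
            if (!kv[1].equalsIgnoreCase(String.valueOf(opts.get(kv[0])))) {
                System.out.println(section + ": want " + kv[0] + "=" + kv[1] + ", found " + opts.get(kv[0]));
                problems++;
            }
        }
        for (String key : new String[] {"keyTab", "principal"}) {
            if (opts.get(key) == null) { System.out.println(section + ": " + key + " not set"); problems++; }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        Path conf = args.length > 0 ? Path.of(args[0]) : writeSample();
        // The same system properties the JVM running the JDBC driver needs.
        System.setProperty("java.security.auth.login.config", conf.toUri().toString());
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        Configuration cfg = Configuration.getConfiguration(); // parses the file only, contacts no KDC
        int problems = 0;
        for (String s : SECTIONS) problems += check(cfg, s);
        System.out.println(problems == 0 ? "JAAS config OK" : problems + " problem(s) found");
    }
}
```

Pass the path of a real JAAS file as the first argument to check it instead of the constructed sample; a section reported missing only matters if the driver that looks it up is the one in use.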
The result is that the HOST and the FQDN in my URL are inconsistent.