Integrating Hive and Kerberos in MapR cluster



1. Configure kerberos client

Copy the krb5.conf to /etc/krb5.conf on the client

(or)

Edit the parameters as in the example shown below

[mapr@srini-node1 bin]$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.COM = {
kdc = krbserv.example.com
admin_server = krbserv.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
krbserv.example.com = EXAMPLE.COM

2. Add the host principal for client in kerberos server

addprinc mapr

addprinc mapr/srini-node1.example.com

Enter the password and confirm it.

List the principals by using listprincs and make sure the new principals are present.

3. Check in client side by initiating kerberos ticket

kinit

Use the password that was set while creating the principal for the user.

You must be able to log in without any issue.

If you face an issue such as "{password incorrect}",

change the password for that user from kadmin using the command below

change_password <user name>


Generate the keytab file for mapr user from kadmin shell

xst -norandkey -k /opt/mapr.keytab mapr/srini-node1.example.com@EXAMPLE.COM HTTP/srini-node1.example.com@EXAMPLE.COM

Use this keytab file for configuring the Hive services (scp it to the HiveServer2 / metastore node).

4. Integrating mapr hive with kerberos

Stop the Hive metastore.

Stop HiveServer2.

Edit hive-site.xml and add the properties below.

<!-- For Hive metastore kerberos -->

<property>
<name>hive.metastore.sasl.enabled</name>
<value>true</value>
<description>if true, the metastore thrift interface will be secured with SASL.</description>
</property>

<property>
<name>hive.metastore.kerberos.keytab.file</name>
<value>/opt/mapr/conf/metastore.keytab</value>
<description>The path to the Kerberos Keytab file containing the metastore thrift server's service principal.</description>
</property>

<property>
<name>hive.metastore.kerberos.principal</name>
<value>mapr/srini-node1.example.com@EXAMPLE.COM</value>
<description>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct hostname.</description>
</property>

<!-- For Hive server2 kerberos -->

<property>
<name>hive.server2.authentication</name>
<value>KERBEROS</value>
<description>Authentication type</description>
</property>

<property>
<name>hive.server2.authentication.kerberos.principal</name>
<value>mapr/srini-node1.example.com@EXAMPLE.COM</value>
<description>HiveServer2 principal. If _HOST is used as the FQDN portion, it will be replaced with the actual hostname of the running instance.</description>
</property>

<property>
<name>hive.server2.authentication.kerberos.keytab</name>
<value>/opt/mapr/conf/hive.keytab</value>
<description>Keytab file for HiveServer2 principal</description>
</property>
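
A principal in hive-site.xml that differs by even one label from the one exported to the keytab will fail Kerberos authentication, so it is worth checking the file against krb5.conf before restarting the services. The Python check below is an added example, not part of the original post; the function names (parse_domain_realm, host_realm, check_hive_kerberos) are hypothetical, the sample input is constructed from the values in this guide, and the [domain_realm] lookup is a simplified approximation of what the Kerberos library does.

```python
import re
import xml.etree.ElementTree as ET

EXPECTED = {"hive.metastore.sasl.enabled": "true",
            "hive.server2.authentication": "kerberos"}
PRINCIPAL_KEYS = ("hive.metastore.kerberos.principal",
                  "hive.server2.authentication.kerberos.principal")

def parse_domain_realm(krb5_text):
    """Return the [domain_realm] section of krb5.conf text as a dict."""
    section, domains = None, {}
    for line in (raw.strip() for raw in krb5_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            domains[key.lower()] = value
    return domains

def host_realm(host, domains):
    """Approximate the [domain_realm] lookup: exact host, then dotted parents."""
    labels = host.lower().split(".")
    names = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((domains[n] for n in names if n in domains), None)

def check_hive_kerberos(hive_site_xml, krb5_text):
    """Return findings; an empty list means the two files agree."""
    props = {p.findtext("name"): (p.findtext("value") or "").strip()
             for p in ET.fromstring(hive_site_xml).iter("property")}
    domains = parse_domain_realm(krb5_text)
    findings = [f"{k} is not {v}" for k, v in EXPECTED.items()
                if props.get(k, "").lower() != v]
    for key in PRINCIPAL_KEYS:
        m = re.fullmatch(r"[^/@]+/([^/@]+)@([^/@]+)", props.get(key, ""))
        if not m:
            findings.append(f"{key}: not of the form primary/host@REALM")
        elif m.group(1) != "_HOST" and host_realm(m.group(1), domains) != m.group(2):
            findings.append(f"{key}: host {m.group(1)} is not mapped to {m.group(2)}")
    return findings

# Constructed sample input: one principal has lost the ".com" of its host name.
KRB5 = "[domain_realm]\n.example.com = EXAMPLE.COM\nkrbserv.example.com = EXAMPLE.COM\n"
HIVE_SITE = "<configuration>" + "".join(
    f"<property><name>{n}</name><value>{v}</value></property>" for n, v in [
        ("hive.metastore.sasl.enabled", "true"),
        ("hive.server2.authentication", "KERBEROS"),
        (PRINCIPAL_KEYS[0], "mapr/srini-node1.example.com@EXAMPLE.COM"),
        (PRINCIPAL_KEYS[1], "mapr/srini-node1.example@EXAMPLE.COM")]) + "</configuration>"
print(check_hive_kerberos(HIVE_SITE, KRB5))
```

To run it against a real node, pass the contents of hive-site.xml and /etc/krb5.conf to check_hive_kerberos instead of the sample strings.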

4. Edit the /opt/mapr/conf/env.sh file and add / modify the below parameters

Set MAPR_HIVE_LOGIN_OPTS and MAPR_HIVE_SERVER_LOGIN_OPTS to "-Dhadoop.login=hybrid":

MAPR_HIVE_SERVER_LOGIN_OPTS="-Dhadoop.login=hybrid"
MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=hybrid"

These settings are listed in the portion of the file that begins with if [ "$MAPR_SECURITY_STATUS" = "true" ];

HADOOP_OPTS="$HADOOP_OPTS${KERBEROS_LOGIN_OPTS}"


5. Start the Hive metastore by using the command below

maprcli node services -name hivemeta -action restart -nodes <comma separated list of nodes>

6. Start HiveServer2 by using the command below

maprcli node services -name hs2 -action restart -nodes <comma separated list of nodes>

7. Connect and check from hive shell

Switch to the mapr user.
Generate a maprlogin ticket if required.
Obtain a Kerberos ticket using kinit.
Then start the hive shell.

8. Connect using beeline shell

./beeline
beeline> !connect jdbc:hive2://srini-node1.example.com:10000/default;principal=mapr/srini-node1.example.com@EXAMPLE.COM
Enter the user name and password.
