We recommend switching to the latest versions of Edge, Firefox, Chrome or Safari. Using Internet Explorer will result in a loss of website functionality.

Articles in this section

See more

Using Assure Client to connect to Hive with Kerberos

Avatar
Gerard Cafaro
  • Updated
Follow

This article covers the configuration of Assure Client to connect to Hive using Kerberos. 

 

Setup considerations

Configuring Kerberos will require modifications to Assure Client's CLIENT_JAVA_OPTIONS property, which controls JVM arguments. If updated on a single-JVM installation, all control executions with the -local flag will load Kerberos. While this takes a few seconds and doesn't impact non-Kerberos database connections, it could add considerable execution time for large volumes of local control executions.

Creating a unique configuration via the init-client-config script is recommended to keep Kerberos executions and non-Kerberos executions independent. When running controls via the runcp script, you can leverage the -c <config_name> as the first parameter to control which JVM configuration to use.

If you need multiple Kerberos configurations for different connections, it is required to create individual configurations for each Kerberos configuration.

 

Setup instructions

Assure client

A one-time configuration is needed within Assure Client:

  1. Add Hive jars into <assure_client_install>\igx-data\<config_name>\IA\lib\

    Sample jars are below, but may vary by your HortonWorks/Cloudera version:

    HortonWorks
    hive-jdbc-dependencies-3.1.0.jar
    hive-jdbc-standalone-3.1.0.jar

    Cloudera
    HiveJDBC42.jar

  2. Your Kerberos admin will need to provide the keytab file and the krd5.conf file specific for your setup. Place these files in a location accessible to Assure Client and note the location for future steps.

  3. Create a file named gss-jaas.conf with the following specifications. The principal and keyTab settings will need to be updated with actual values. Check with your Kerberos admin if you are unsure what the principal account is. The location of the keytab file is the same location from the previous step.

    Hortonworks example:
    com.sun.security.jgss.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     useTicketCache=true
     principal="yourprincipaluser@yourcompany.com"
     keyTab="/location/to/your.keytab"
     debug=false;
    };
    Cloudera example:
    Client {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     useTicketCache=true
     principal="yourprincipaluser@yourcompany.com"
     keyTab="/location/to/your.keytab"
     debug=false;
    };
  4. Within <assure_client_install>\config\<config_name>\IA\client.properties, append the following JVM arguments to the CLIENT_JAVA_OPTIONS property, modifying the locations of your gss-jaas.conf and krb5.conf to their actual locations:
    -Djava.security.auth.login.config=/location/to/gss-jaas.conf
    -Djava.security.krb5.conf=/location/to/krb5.conf
    -Djavax.security.auth.useSubjectCredsOnly=false
  5. Run the deploy-client script:
    deploy-client.bat IA

    If you setup multiple Assure Client configurations, then add -c <config_name> as the first parameter:

    deploy-client.bat -c kerberos IA

Assure server 

No configuration changes are needed to the Assure server. The high-level instructions below are to create a sample layout and control to test the Assure Client configuration.

  1. Within the Assure web UI, create a database layout, specify the URL, driver class, SQL query and fields. A username and password do not need to be specified within the layout. Fields will need to be manually added in place of the Generate option.

    The URL will look similar to:
    jdbc:hive2://XXXXXXXXXXX:10000/default;principal=hive/XXXXXX@INFOGIX.COM
    The driver class is: 
    org.apache.hive.jdbc.HiveDriver
  2. Create an Assure control leveraging the layout above. The control setup is the same as a standard Assure control. 

 

Control Execution

Control execution is performed via Assure client's runcp script. The runcp script's -local flag is a requirement for the local Kerberos configuration to be leveraged. Kerberos will add extra information logging to the command output, which will not impact control execution. 

A sample command execution is below:

runcp.bat -local -entity KerberosHiveTestCE -point KerberosHiveTestCP

If you setup multiple Assure Client configurations, then add -c <config_name> as the first parameter:

runcp.bat -c kerberos -local -entity KerberosHiveTestCE -point KerberosHiveTestCP

Related articles

Comments

0 comments

Please sign in to leave a comment.