This article covers the configuration of Assure Client to connect to Hive using Kerberos.
Setup considerations
Configuring Kerberos will require modifications to Assure Client's CLIENT_JAVA_OPTIONS property, which controls JVM arguments. If updated on a single-JVM installation, all control executions with the -local flag will load Kerberos. While this takes a few seconds and doesn't impact non-Kerberos database connections, it could add considerable execution time for large volumes of local control executions.
Creating a unique configuration via the init-client-config script is recommended to keep Kerberos executions and non-Kerberos executions independent. When running controls via the runcp script, you can pass -c <config_name> as the first parameter to control which JVM configuration to use.
If you need multiple Kerberos configurations for different connections, you must create a separate Assure Client configuration for each Kerberos configuration.
Setup instructions
Assure client
A one-time configuration is needed within Assure Client:
- Add Hive jars into <assure_client_install>\igx-data\<config_name>\IA\lib\
Sample jars are below, but may vary by your HortonWorks/Cloudera version:
HortonWorks
  hive-jdbc-dependencies-3.1.0.jar
  hive-jdbc-standalone-3.1.0.jar
Cloudera
  HiveJDBC42.jar
- Your Kerberos admin will need to provide the keytab file and the krb5.conf file specific for your setup. Place these files in a location accessible to Assure Client and note the location for future steps.
- Create a file named gss-jaas.conf with the following specifications. The principal and keyTab settings will need to be updated with actual values. Check with your Kerberos admin if you are unsure what the principal account is. The location of the keytab file is the same location from the previous step.
Hortonworks example:
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=true
  principal="yourprincipaluser@yourcompany.com"
  keyTab="/location/to/your.keytab"
  debug=false;
};
Cloudera example:
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=true
  principal="yourprincipaluser@yourcompany.com"
  keyTab="/location/to/your.keytab"
  debug=false;
};
- Within <assure_client_install>\config\<config_name>\IA\client.properties, append the following JVM arguments to the CLIENT_JAVA_OPTIONS property, modifying the locations of your gss-jaas.conf and krb5.conf to their actual locations:
-Djava.security.auth.login.config=/location/to/gss-jaas.conf
-Djava.security.krb5.conf=/location/to/krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false
- Run the deploy-client script:
deploy-client.bat IA
If you set up multiple Assure Client configurations, then add -c <config_name> as the first parameter:
deploy-client.bat -c kerberos IA
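A preflight check for the files produced by the steps above, as an added example that is not part of the original article or of Assure itself: it parses gss-jaas.conf, confirms the principal and keyTab settings were changed from the template values, and confirms the three JVM arguments are present. The function names, sample principal and sample paths are constructed for illustration.

```python
import os
import re
# JAAS entry names from this page: Hortonworks example and Cloudera example.
ENTRY_NAMES = ("com.sun.security.jgss.initiate", "Client")
REQUIRED_JVM_FLAGS = ("-Djava.security.auth.login.config=", "-Djava.security.krb5.conf=",
                      "-Djavax.security.auth.useSubjectCredsOnly=false")
PLACEHOLDERS = ("yourprincipaluser@yourcompany.com", "/location/to/")  # template values

# Constructed sample input (hypothetical principal and paths).
SAMPLE_JAAS = """
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=true
  principal="svc_assure@EXAMPLE.COM"
  keyTab="/opt/assure/kerberos/svc_assure.keytab"
  debug=false;
};
"""
# The third JVM argument is left out on purpose so the check has something to report.
SAMPLE_OPTS = ("-Djava.security.auth.login.config=/opt/assure/kerberos/gss-jaas.conf "
               "-Djava.security.krb5.conf=/opt/assure/kerberos/krb5.conf")

def parse_jaas(text):
    """Return {entry_name: {option: value}} for every 'name { ... };' block."""
    text = re.sub(r"(?m)^\s*//.*$", "", text)  # drop whole-line comments
    entries = {}
    for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)', body)
        entries[name] = {key: value.strip('"') for key, value in pairs}
    return entries

def check_setup(jaas_text, java_options, keytab_exists=os.path.isfile):
    """Return a list of problems; an empty list means the checks passed."""
    problems = [f"CLIENT_JAVA_OPTIONS is missing {flag}"
                for flag in REQUIRED_JVM_FLAGS if flag not in java_options]
    entries = {n: o for n, o in parse_jaas(jaas_text).items() if n in ENTRY_NAMES}
    if not entries:
        problems.append("no com.sun.security.jgss.initiate or Client entry found")
    for name, opts in entries.items():
        if opts.get("useKeyTab") != "true":
            problems.append(f"{name}: useKeyTab is not true")
        for key in ("principal", "keyTab"):
            if not opts.get(key) or any(p in opts[key] for p in PLACEHOLDERS):
                problems.append(f"{name}: {key} is unset or still a template value")
        if opts.get("keyTab") and not keytab_exists(opts["keyTab"]):
            problems.append(f"{name}: keytab not found at {opts['keyTab']}")
    return problems

if __name__ == "__main__":
    print(check_setup(SAMPLE_JAAS, SAMPLE_OPTS) or "OK")
```

To use it on a real installation, pass the contents of your gss-jaas.conf and the CLIENT_JAVA_OPTIONS value from client.properties in place of the samples.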
Assure server
No configuration changes are needed to the Assure server. The high-level instructions below are to create a sample layout and control to test the Assure Client configuration.
- Within the Assure web UI, create a database layout, specify the URL, driver class, SQL query and fields. A username and password do not need to be specified within the layout. Fields will need to be manually added in place of the Generate option.
The URL will look similar to:
jdbc:hive2://XXXXXXXXXXX:10000/default;principal=hive/XXXXXX@INFOGIX.COM
The driver class is: org.apache.hive.jdbc.HiveDriver
- Create an Assure control leveraging the layout above. The control setup is the same as a standard Assure control.
Control Execution
Control execution is performed via Assure Client's runcp script. The runcp script's -local flag is required for the local Kerberos configuration to be used. Kerberos adds extra informational logging to the command output, which does not impact control execution.
A sample command execution is below:
runcp.bat -local -entity KerberosHiveTestCE -point KerberosHiveTestCP
If you set up multiple Assure Client configurations, then add -c <config_name> as the first parameter:
runcp.bat -c kerberos -local -entity KerberosHiveTestCE -point KerberosHiveTestCP