THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
jdbc:hive://hostname/dbname;sasl.qop=auth-int
For more information, see Setting Up HiveServer2.
Multi-User Scenarios and Programmatic Login to Kerberos KDC
In the current approach of using Kerberos you need to have a valid Kerberos ticket in the ticket cache before connecting. This entails a static login (using kinit, key tab or ticketcache) and the restriction of one Kerberos user per client. These restrictions limit the usage in middleware systems and other multi-user scenarios, and in scenarios where the client wants to login programmatically to Kerberos KDC.
One way to mitigate the problem of multi-user scenarios is with secure proxy users (see HIVE-5155). Starting in Hive 0.13.0, support for secure proxy users has two components:
- Delegation token based connection for Oozie (OOZIE-1457). This is the common mechanism for Hadoop ecosystem components.
- Direct proxy access for privileged Hadoop users (HIVE-5155). This enables a privileged user to directly specify an alternate session user during the connection. If the connecting user has Hadoop level privilege to impersonate the requested userid, then HiveServer2 will run the session as that requested user.
The other way is to use a pre-authenticated Kerberos Subject (see HIVE-6486). In this method, starting with Hive 0.13.0 the Hive JDBC client can use a pre-authenticated subject to authenticate to HiveServer2. This enables a middleware system to run queries as the user running the client.
Using Kerberos with a Pre-Authenticated Subject
To use a pre-authenticated subject you will need the following changes.
- Add hive-exec*.jar to the classpath in addition to the regular Hive JDBC jars (commons-configuration-1.6.jar and hadoop-core*.jar are not required).
- Add auth=kerberos and kerberosAuthType=fromSubject JDBC URL properties in addition to having the “principal" url property.
- Open the connection in Subject.doAs().
The following code snippet illustrates the usage (refer to HIVE-6486 for a complete test case):
| Code Block | ||
|---|---|---|
| ||
static Connection getConnection( Subject signedOnUserSubject ) throws Exception{
Connection conn = (Connection) Subject.doAs(signedOnUserSubject, new PrivilegedExceptionAction<Object>()
{
public Object run()
{
Connection con = null;
String JDBC_DB_URL = "jdbc:hive2://HiveHost:10000/default;principal=hive/localhost.localdomain@EXAMPLE.COM;auth=kerberos;kerberosAuthType=fromSubject";
try {
Class.forName(JDBC_DRIVER);
con = DriverManager.getConnection(JDBC_DB_URL);
} catch (SQLException e) {
e.printStackTrace();
} catch (ClassNotFoundException e) {
e.printStackTrace();
}
return con;
}
});
return conn; |
Python Client
A Python client driver is available on github. For installation instructions, see Setting Up HiveServer2: Python Client Driver.
Integration with SQuirrel SQL Client
- Download, install and start the SQuirrel SQL Client from the SQuirrel SQL website.
- Select 'Drivers -> New Driver...' to register Hive's JDBC driver that works with HiveServer2.
Enter the driver name and example URL:
Code Block language text Name: Hive Example URL: jdbc:hive2://localhost:10000/default
Select 'Extra Class Path -> Add' to add the following jars from your local Hive and Hadoop distribution.
Code Block HIVE_HOME/build/dist/lib/*.jar HADOOP_HOME/hadoop-*-core.jar
Select 'List Drivers'. This will cause SQuirrel to parse your jars for JDBC drivers and might take a few seconds. From the 'Class Name' input box select the Hive driver for working with HiveServer2:
Code Block org.apache.hive.jdbc.HiveDriver
Click 'OK' to complete the driver registration.
- Select 'Aliases -> Add Alias...' to create a connection alias to your HiveServer2 instance.
- Give the connection alias a name in the 'Name' input box.
- Select the Hive driver from the 'Driver' drop-down.
- Modify the example URL as needed to point to your HiveServer2 instance.
- Enter 'User Name' and 'Password' and click 'OK' to save the connection alias.
- To connect to HiveServer2, double-click the Hive alias and click 'Connect'.
...