
Hadoop Cloudera Kerberos Documentation

Sandeep Dolia edited this page Apr 5, 2016 · 12 revisions

Kerberos Authorization Basic Overview

Kerberos Authorization Sequence Diagram

Kerberos Authorization Flow

Data Retrieval Strategy

How to add a user:

  1. Create the user in Unix with adduser.
  2. Once the user is added, obtain an admin ticket before opening kadmin:

     kinit hivetest/admin

     Enter the password when prompted: P@ssw0rd!

  3. Log in to the kadmin console using the "kadmin" command.
  4. Create the principal with addprinc abcuser/tableau and provide the password twice.

This creates the user principal that Tableau will authenticate as.

Create a Kerberos ticket :

  • Install MIT Kerberos for Windows (the ticket client) from http://web.mit.edu/kerberos/dist/

  • Once the installation has finished, open C:\ProgramData\MIT\Kerberos5 in File Explorer. A config file already exists there: cut and paste it somewhere else, then create a new krb5.ini in its place.

  • Copy and paste the following text into the krb5.ini file:

    [libdefaults]
      default_realm = US-WEST-2.COMPUTE.INTERNAL
      dns_lookup_kdc = true
      dns_lookup_realm = true
      ticket_lifetime = 86400
      renew_lifetime = 604800
      forwardable = true
      # rc4-hmac and des3-hmac-sha1 are deprecated by RFC 8429; keep them only while
      # the KDC still lacks AES enctypes, and drop them once it supports AES.
      default_tgs_enctypes = rc4-hmac des3-hmac-sha1
      default_tkt_enctypes = rc4-hmac des3-hmac-sha1
      permitted_enctypes = rc4-hmac des3-hmac-sha1
      udp_preference_limit = 1

    [realms]
      US-WEST-2.COMPUTE.INTERNAL = {
        kdc = ec2-52-34-38-188.us-west-2.compute.amazonaws.com
        admin_server = ec2-52-34-38-188.us-west-2.compute.amazonaws.com
      }

  • Log in to the Kerberos ticket client with Username: abcuser/tableau@US-WEST-2.COMPUTE.INTERNAL and Password: P@ssw0rd!, then get the ticket. Once this succeeds you can open Tableau, select "Cloudera Hadoop" as the data source and enter the connection details given below.
  • Environment variable changes: open your environment variables and, under System Variables, create a new variable with Variable Name: KRB5CCNAME and Variable Value: C:\temp\krb5cache (make sure the C:\temp folder exists).
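As an added check (example code, not from this wiki page or from Cloudera/Tableau): a small parser for the krb5.ini syntax shown above, run over a constructed copy of the page's [libdefaults] and [realms] blocks, reporting which enctype settings still allow rc4-hmac or des3, both deprecated by RFC 8429. The parser is hand-written because krb5.conf's nested `KEY = { ... }` blocks are not plain INI.

```python
# RFC 8429 deprecates RC4 and triple-DES in Kerberos; include MIT's aliases.
DEPRECATED_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
                       "des3-hmac-sha1", "des3-cbc-sha1", "des3-cbc-sha1-kd"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample: the page's krb5.ini with its duplicated realm block removed.
SAMPLE_KRB5_INI = """\
[libdefaults]
  default_realm = US-WEST-2.COMPUTE.INTERNAL
  default_tgs_enctypes = rc4-hmac des3-hmac-sha1
  default_tkt_enctypes = rc4-hmac des3-hmac-sha1
  permitted_enctypes = rc4-hmac des3-hmac-sha1
[realms]
  US-WEST-2.COMPUTE.INTERNAL = {
    kdc = ec2-52-34-38-188.us-west-2.compute.amazonaws.com
    admin_server = ec2-52-34-38-188.us-west-2.compute.amazonaws.com
  }
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'KEY = { ... }' becomes a nested dict.
    krb5.conf is not plain INI (nested braces), so configparser is not used."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]   # new section resets nesting
        elif line == "}":
            if len(stack) > 1:                           # close block, keep the section
                stack.pop()
        elif stack:                                      # ignore keys outside a section
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def weak_enctypes(conf):
    """Map each enctype setting in [libdefaults] to the deprecated types it allows."""
    libdefaults = conf.get("libdefaults", {})
    findings = {}
    for key in ENCTYPE_KEYS:
        weak = [e for e in libdefaults.get(key, "").split() if e.lower() in DEPRECATED_ENCTYPES]
        if weak:
            findings[key] = weak
    return findings
```

Running `weak_enctypes(parse_krb5_conf(SAMPLE_KRB5_INI))` flags all three settings on the page's config; a config listing only AES types returns an empty dict.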

How to log in to Tableau:

  • Server: ec2-52-34-38-188.us-west-2.compute.amazonaws.com
  • Type: HiveServer2
  • Authentication: Kerberos
  • Realm: US-WEST-2.COMPUTE.INTERNAL
  • Host FQDN: ip-172-31-10-65.us-west-2.compute.internal
  • Service name: hive

Some important commands within the beeline console:

  • show databases;
  • show roles;
  • show role grant group hivetest; (Shows roles assigned to this group)
  • grant all on database test1 to role hivetest_role; (Grants a role access to a database)
  • grant role cta_role to group eric;
  • show grant role hivetest_role;

Run this command if the ticket has expired. It authenticates as the HiveServer2 service principal itself, using the keytab from the Cloudera agent's process directory on the HiveServer2 host:

    kinit -v -t /var/run/cloudera-scm-agent/process/98-hive-HIVESERVER2/hive.keytab hive/ip-172-31-10-65.us-west-2.compute.internal@US-WEST-2.COMPUTE.INTERNAL

Then connect to beeline:

    beeline -u "jdbc:hive2://ip-172-31-10-65.us-west-2.compute.internal:10000/;principal=hive/ip-172-31-10-65.us-west-2.compute.internal@US-WEST-2.COMPUTE.INTERNAL"

Note:

http://kb.tableau.com/articles/knowledgebase/connecting-to-hive-server-2-in-secure-mode#connect
