Accessing hive metastore using jdbc with kerberos

Published 2020-01-29 07:11

Question:

I am trying to connect to a hive metastore that has been configured to use Kerberos for authentication. This works for me when I am not trying to use a keytab file, i.e. when the program prompts me for my password during the authentication process. When I change the configuration to use a keytab I get a long stacktrace containing among other things this statement:

Additional pre-authentication required (25) - Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

Can anyone give any advice on what I am doing wrong?

The context of my problem, if that is relevant, is that I want to access the hive metastore from a mapreduce job, and of course, a mapreduce job cannot answer to prompts.

My program looks like this:

package com.test;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

public class HiveJDBC {

   public static void main(String[] args) throws Exception {

      // Load the Hive JDBC driver
      Class.forName("org.apache.hive.jdbc.HiveDriver");
      // Point JAAS at the login configuration that names the keytab and principal
      System.setProperty("java.security.auth.login.config","gss-jaas.conf");
      // Print GSS/Kerberos negotiation details to stdout while debugging
      System.setProperty("sun.security.jgss.debug","true");
      // Let JGSS obtain credentials from the JAAS login instead of requiring a Subject
      System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
      // Use the local krb5.conf instead of the system default
      System.setProperty("java.security.krb5.conf","krb5.conf");

      // The principal parameter is the HiveServer2 service principal, not the client principal
      Connection con = DriverManager.getConnection("jdbc:hive2://some.machine:10000/default;principal=hive/some.machine@MY_REALM");

      // Do stuff with the connection
   }
}

My gss-jaas.conf file looks like this:

com.sun.security.jgss.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   useTicketCache=false
   principal="my-account@MY_REALM"
   doNotPrompt=true
   keyTab="path-to-my-keytab-file"
   debug=true;
};

My krb5.conf file looks like this:

[libdefaults]
default_realm = MY_REALM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d

[realms]
 MY_REALM = {
  kdc = some.host:88
  admin_server = another.host
 }

I have generated my keytab file with the ktutil program using the following command:

ktutil: addent -password -p username@MY_REALM -k 1 -e aes256-cts

Answer 1:

Apparently, this error was caused by using the wrong encryption type when issuing the ktutil command. Switching to the correct encryption (I won't mention which we use) solved the problem.
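A keytab whose entries do not match the principal's keys in the KDC (wrong encryption type, wrong kvno, or a principal name that differs from the `principal=` in gss-jaas.conf) is a common cause of pre-authentication failures like the one in the question, and it is easy to inspect before handing the file to a JAAS Krb5LoginModule. The script below is an added example, not code from the question or the answer above. It parses the output of MIT Kerberos `klist -kte` (the `-e` flag prints each entry's encryption type) and reports which enctypes a keytab holds for a given principal. The sample `klist` output, the principal `my-account@MY_REALM` and the keytab path are constructed for illustration; the `check_keytab_file` wrapper only runs when `klist` is installed.

```shell
#!/bin/sh
# Added example: inspect a keytab's entries without contacting a KDC.

# Parse `klist -kte` output (MIT format) read from stdin and print
# "kvno principal enctype", one entry per line. Entry lines look like:
#    1 01/29/2020 07:11:00 my-account@MY_REALM (aes256-cts-hmac-sha1-96)
parse_klist_entries() {
  awk '
    $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
      enc = $NF
      gsub(/[()]/, "", enc)
      print $1, $(NF-1), enc
    }'
}

# Print the enctypes stored for PRINCIPAL ($1), comma-separated, reading
# parsed entries from stdin. Prints an empty line if the principal is absent.
list_principal_enctypes() {
  awk -v p="$1" '
    $2 == p { s = s (s ? "," : "") $3 }
    END { print s }'
}

# Exit 0 if PRINCIPAL ($1) has at least one entry whose enctype starts with
# PREFIX ($2, e.g. "aes256-cts"); exit 1 otherwise. Reads parsed entries from stdin.
keytab_has_enctype() {
  awk -v p="$1" -v pre="$2" '
    $2 == p && index($3, pre) == 1 { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Convenience wrapper for a real keytab: check_keytab_file KEYTAB PRINCIPAL ENCTYPE_PREFIX
# Reads the keytab with klist; skipped with a message if klist is not available.
check_keytab_file() {
  keytab="$1"; principal="$2"; prefix="$3"
  if ! command -v klist >/dev/null 2>&1; then
    echo "klist not found; cannot inspect $keytab" >&2
    return 2
  fi
  entries=$(klist -kte "$keytab" | parse_klist_entries)
  echo "enctypes for $principal in $keytab: $(printf '%s\n' "$entries" | list_principal_enctypes "$principal")"
  if printf '%s\n' "$entries" | keytab_has_enctype "$principal" "$prefix"; then
    echo "OK: $principal has a $prefix entry"
  else
    echo "MISSING: no $prefix entry for $principal (check ktutil -e and the kvno)" >&2
    return 1
  fi
}

# Constructed sample output, as `klist -kte /tmp/my.keytab` would print it.
SAMPLE_KLIST='Keytab name: FILE:/tmp/my.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/29/2020 07:11:00 my-account@MY_REALM (aes256-cts-hmac-sha1-96)
   1 01/29/2020 07:11:00 my-account@MY_REALM (arcfour-hmac)'

# Usage: ./check_keytab.sh /path/to/keytab my-account@MY_REALM aes256-cts
if [ -n "${1:-}" ]; then
  check_keytab_file "$1" "$2" "$3"
fi
```

The enctype prefix to look for is whatever the KDC actually issued for that principal; comparing the list printed here against the KDC's policy (or against the enctypes `kinit -kt` succeeds with) pins down a mismatch before the JDBC client ever runs.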