
How to Configure a Non-Hadooplex Groundplex for CDH Hive with Kerberos Authentication


Step-by-step guide

To set up Kerberos on Groundplex nodes:

  1. Before making any of the changes below, confirm that the Groundplex is working correctly.
  2. Install Kerberos packages on Groundplex nodes.

    $ sudo yum install krb5-workstation krb5-libs krb5-auth-dialog
  3. Copy the file /etc/krb5.conf from one of the target cluster nodes to /etc/krb5.conf on each Groundplex node. 

  4. Install the JCE extension on each Groundplex node.
    1. Download the JCE extension zip file: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
    2. Copy the JCE extension zip file onto each Groundplex node and install the JCE extension with the following command. Restart the node after the installation.

      $ unzip -o -j -q jce_policy-8.zip -d /opt/snaplogic/pkgs/jre1.8.0_45/lib/security/
    3. To check that the JCE extension was installed correctly, run the command below. It should print the output shown:

      $ zipgrep CryptoAllPermission /opt/snaplogic/pkgs/jre1.8.0_45/lib/security/local_policy.jar
      default_local.policy: permission javax.crypto.CryptoAllPermission;
  5. Generate the keytab file for the Kerberos user, put it on each Groundplex node, and give snapuser access to the keytab file.

    $ sudo cp /path/to/keytab/file /home/snapuser/<keytab_file_name>
    $ sudo chown snapuser:snapuser /home/snapuser/<keytab_file_name>
    $ sudo chmod 400 /home/snapuser/<keytab_file_name>

How to Test Kerberos Configurations on Groundplex Nodes

The following commands can be used to test Kerberos configurations on the Groundplex nodes:

$ kinit -k -t /path/to/keytab/file <principal_name>
$ klist

For example, with a keytab file for the principal snaplogic/node1.snaplogic.dev.com@SNAPLOGIC.DEV.COM, you should be able to initialize the ticket cache and see output like this:

$ kinit -k -t /home/snapuser/snaplogic.keytab snaplogic/node1.snaplogic.dev.com@SNAPLOGIC.DEV.COM
$ klist
Ticket cache: FILE:/tmp/krb5cc_5112
Default principal: snaplogic/node1.snaplogic.dev.com@SNAPLOGIC.DEV.COM

Valid starting       Expires              Service principal
03/27/2017 18:39:59  03/28/2017 18:39:59  krbtgt/node1.snaplogic.dev.com@SNAPLOGIC.DEV.COM
	renew until 04/03/2017 18:39:59


Common Issues

How to Create a New User for Hive with Kerberos

  1. Create a Linux user on each CDH cluster node.

  2. Create a home directory on the CDH cluster's HDFS for the new user.

  3. Create a Kerberos principal for the new user.

Snap fails with error: [Cloudera][HiveJDBCDriver](500051) ERROR processing query/statement. Error Code: ERROR_STATE, SQL state: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.mr.MapRedTask, Query: ......

In the Snap's account settings:

  1. If the authentication type is Kerberos, make sure all the steps in question 1 have been done correctly.

  2. If the authentication type is User ID or User ID and Password, make sure steps a and b in question 1 have been done correctly.
  3. If the authentication type is None, a home directory for the anonymous user should be created on HDFS:

Snap failed with error: Unable to authenticate the client to the KDC using the provided credentials.

This error indicates that Kerberos is not configured properly on the Groundplex nodes. See the section on configuring Kerberos on Groundplex nodes.

Snap failed with error: Keytab file does not exist or is not readable.

As the error message says, the keytab file is either missing or snapuser does not have access to it. See step 5 in the Step-by-step guide.
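The keytab error above can be checked on each node before a Snap ever runs. The script below is an added example, not part of the original page or of SnapLogic's tooling: it verifies that the keytab exists, is owned by snapuser, is readable by its owner, and grants nothing to group or other, matching the chown/chmod 400 in step 5. The function name check_keytab is hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not SnapLogic code): preflight check for the keytab from step 5.
# Assumes GNU stat, as shipped on the yum-based hosts this guide targets.
# check_keytab is a hypothetical helper name.
# Usage: check_keytab <keytab_path> [owner_name_or_uid]   (owner defaults to snapuser)
check_keytab() {
    kt_path=$1
    kt_owner=${2:-snapuser}
    kt_rc=0

    # Missing file: first half of "does not exist or is not readable".
    if [ ! -f "$kt_path" ]; then
        echo "FAIL: $kt_path does not exist or is not a regular file" >&2
        return 1
    fi

    # Resolve the expected owner to a numeric UID (a name or a UID is accepted).
    case $kt_owner in
        *[!0-9]*) kt_want=$(id -u "$kt_owner" 2>/dev/null) || kt_want= ;;
        *)        kt_want=$kt_owner ;;
    esac
    if [ -z "$kt_want" ]; then
        echo "FAIL: user $kt_owner does not exist on this node" >&2
        return 1
    fi

    kt_uid=$(stat -c '%u' "$kt_path")
    kt_mode=$(stat -c '%a' "$kt_path")

    if [ "$kt_uid" != "$kt_want" ]; then
        echo "FAIL: owner UID is $kt_uid, expected $kt_want ($kt_owner)" >&2
        kt_rc=1
    fi
    # The owner needs the read bit, or snapuser cannot read the keytab.
    if [ $(( 0$kt_mode & 0400 )) -eq 0 ]; then
        echo "FAIL: mode $kt_mode does not let the owner read the file" >&2
        kt_rc=1
    fi
    # A keytab is a long-lived credential: group and other get no access.
    if [ $(( 0$kt_mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $kt_mode grants group/other access, expected 400" >&2
        kt_rc=1
    fi
    return "$kt_rc"
}

# Stand-alone use: sh check_keytab.sh /home/snapuser/<keytab_file_name> snapuser
if [ "$#" -gt 0 ]; then check_keytab "$@"; fi
```

A non-zero exit status means at least one check failed. The FAIL lines on stderr say which one.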
