How to configure secure (Kerberized) hive with 'Centrify'

Document created by wade on Jan 20, 2016. Last modified by maprcommunity on Feb 3, 2016.

Summary:

How to configure Kerberized Hive when the nodes are joined to Active Directory (AD) via Centrify

 

KA Author:

Najmuddin Chirammal

 

Details:

 

Issue

Steps to configure hiveserver2 and hivemeta to use Kerberos when the KDC is Active Directory and the client side (the MapR nodes) is configured with the Centrify tools.

Environment

- Secure MapR Cluster
- MapR nodes are configured to use Active Directory using 'Centrify'
- Hive 13 (or above)

Resolution

By default, Active Directory categorizes principals as either a UPN (User Principal Name) or an SPN (Service Principal Name). A UPN can be used to authenticate against AD and obtain a TGT (Ticket Granting Ticket), which can then be used to connect to any Kerberized service. An SPN can be used only to verify the service tickets presented by a client.

For both the hiveserver2 and hivemeta services, the principal (and its keytab) must work both to obtain an initial ticket (TGT) and to verify client connections. The following steps enable Kerberos on Hive (HS2 and Meta).

This article assumes that HS2 and Meta share the same principal and keytab. If different principals or keytabs are required, repeat the same steps to generate both and update hive-site.xml with the respective principal name, keytab location, etc.

  • To create a UPN in Active Directory and associate an SPN (same name as the UPN), use the commands below.

 

# adkeytab --new -c ou=linux --upn "mapr/rh-6.example.com@EXAMPLE.COM" -K /opt/mapr/conf/mapr.keytab mapr
# adkeytab -a -P "mapr/rh-6.example.com@EXAMPLE.COM" mapr

Notes:

  • The --password-never-expire option can be used to exclude the account from AD's automatic password changes.
  • adkeytab is a tool provided by Centrify.

To verify that the keytab works as required above, follow the steps below.

  • Try to obtain a TGT using the keytab.

 

# kinit -kt <keytab> mapr/rh-6.example.com
# klist

The kinit command should succeed (complete with no errors) and klist should display the ticket obtained from AD.

  • Verify that the principal can be used as a service principal.

 

# kvno mapr/rh-6.example.com@EXAMPLE.COM

On success, the kvno command returns the key version number. If it reports an error, revisit the steps above or contact the AD administrator for further assistance.

 

After successful creation, the account in AD should look like this:

# ldapsearch -x -H ldap://win8.example.com -D administrator@example.com -w XXXX -b dc=example,dc=com -LLL cn=mapr
dn: CN=mapr,OU=linux,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: mapr
distinguishedName: CN=mapr,OU=linux,DC=example,DC=com
.....<removed unnecessary entries>
name: mapr
sAMAccountName: mapr
sAMAccountType: 805306368
userPrincipalName: mapr/rh-6.example.com@EXAMPLE.COM
servicePrincipalName: mapr/rh-6.example.com

The entry should list both userPrincipalName and servicePrincipalName.

 

  • Make sure the keytab has the proper ownership and permissions.

 

# chown mapr.mapr /opt/mapr/conf/mapr.keytab
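The checks above (the ldapsearch attributes, the kinit/klist and kvno round trip, and the keytab ownership) gathered into one script. This is an added example, not part of the original article; the keytab path, principal, expected owner and the sample LDIF are assumptions modelled on the values used here, and the live part needs the krb5 client tools and a reachable KDC.

```shell
# Added example, not part of the original article: verifies that the account
# created with adkeytab is registered as both UPN and SPN (offline, from an
# LDIF dump) and, on request, that the keytab passes the kinit/kvno round trip.

# check_upn_spn FILE: FILE holds ldapsearch LDIF output (use OpenLDAP's
# -o ldif-wrap=no so long attribute lines are not folded). Returns 0 when
# userPrincipalName is set and a servicePrincipalName equals it; AD stores
# the SPN without the @REALM suffix, so the realm is stripped before comparing.
check_upn_spn() {
  awk '
    /^userPrincipalName: /    { upn = $2 }
    /^servicePrincipalName: / { spn[$2] = 1; nspn++ }
    END {
      if (upn == "")     { print "FAIL: no userPrincipalName, kinit will not work"; exit 1 }
      if (nspn == 0)     { print "FAIL: no servicePrincipalName, kvno will not work"; exit 1 }
      sub(/@.*/, "", upn)
      if (!(upn in spn)) { print "FAIL: no servicePrincipalName matching " upn; exit 1 }
      print "OK: " upn " is registered as both UPN and SPN"
    }' "$1"
}

# check_keytab_live KEYTAB PRINCIPAL OWNER: the article's kinit, klist and kvno
# steps plus the ownership check; needs the krb5 client tools and a reachable KDC.
check_keytab_live() {
  owner=$(ls -ld "$1" | awk '{ print $3 }')
  [ "$owner" = "$3" ]  || { echo "FAIL: $1 is owned by $owner, expected $3"; return 1; }
  kinit -kt "$1" "$2"  || { echo "FAIL: kinit, principal not usable as UPN"; return 1; }
  kvno "$2"            || { echo "FAIL: kvno, principal not usable as SPN"; return 1; }
  klist
}

# Constructed sample modelled on the ldapsearch output above (not a real dump).
SAMPLE_LDIF=$(mktemp)
cat > "$SAMPLE_LDIF" <<'EOF'
dn: CN=mapr,OU=linux,DC=example,DC=com
objectClass: user
sAMAccountName: mapr
userPrincipalName: mapr/rh-6.example.com@EXAMPLE.COM
servicePrincipalName: mapr/rh-6.example.com
EOF
check_upn_spn "$SAMPLE_LDIF"

# Run the live check only when asked for, e.g. RUN_LIVE=1 sh check.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
  check_keytab_live /opt/mapr/conf/mapr.keytab mapr/rh-6.example.com@EXAMPLE.COM mapr
fi
```

To check a real account, replace the sample with the output of the ldapsearch command above written to a file.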

 

  • Edit core-site.xml and add or modify the proxy user settings so that impersonation works properly.

 

<property>
  <name>hadoop.proxyuser.mapr.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.mapr.groups</name>
  <value>*</value>
</property>


If the primary part of the principal (the part before the "/") is not mapr, create an empty file with that name under the /opt/mapr/conf/proxy directory, for example:

# touch /opt/mapr/conf/proxy/hs2 && chown mapr.mapr /opt/mapr/conf/proxy/hs2

 

  • Edit hive-site.xml and add the Kerberos-specific options for hiveserver2 and hivemeta.

 

<property>
  <name>hive.metastore.sasl.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.metastore.kerberos.keytab.file</name>
  <value>/opt/mapr/conf/hive.keytab</value>
</property>
<property>
  <name>hive.metastore.kerberos.principal</name>
  <value>mapr/rh-6.example.com@EXAMPLE.COM</value>
</property>
<property>
  <name>hive.server2.authentication</name>
  <value>KERBEROS</value>
</property>
<property>
  <name>hive.server2.authentication.kerberos.principal</name>
  <value>mapr/rh-6.example.com@EXAMPLE.COM</value>
</property>
<property>
  <name>hive.server2.authentication.kerberos.keytab</name>
  <value>/opt/mapr/conf/hive.keytab</value>
</property>

 

  • Restart warden on the node.
  • Connect using beeline:

 

# klist            // make sure the user has valid credentials
# beeline
beeline> !connect jdbc:hive2://rh-6.example.com:10000/default;principal=mapr/rh-6.example.com@EXAMPLE.COM
scan complete in 4ms
Connecting to jdbc:hive2://rh-6.example.com:10000/default;principal=mapr/rh-6.example.com@EXAMPLE.COM
Enter username for jdbc:hive2://rh-6.example.com:10000/default;principal=mapr/rh-6.example.com@EXAMPLE.COM:
Enter password for jdbc:hive2://rh-6.example.com:10000/default;principal=mapr/rh-6.example.com@EXAMPLE.COM:

Note: skip the prompts (just press Enter) when asked for a username and password.
