IBM Support

Connecting Hive/Impala with Kerberos Authentication on Linux Environments

How To


Summary

Using kerberos authentication to Hive/Impala HOWEVER they need to ensure that the user that is running a report has their
credentials passed down to the DB , TGT (Ticket Granting Ticket).

Objective

The user is defined and defined only once, and allows access to other users/projects that will be granted read access to the My_DATA_HUB tables per project. It is the user/pwd that will change only each time a new connection to the My_DATA_HUB kerberos databases is defined.

Steps

ACTION TO BE CARRIED OUT ON ALL DISPATCHERS
1- Make sure you are using the Unrestricted version of the JCE for Cognos. (https://www.ibm.com/support/knowledgecenter/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/c_adv_config_change_jre_version.html)
/applis/cognos/dispatcher/ibm-jre/jre/lib/security/policy/unlimited
-rwxr-xr-x. 1 cscognosbi cscognosbi 2195 Mar 19 16:35 local_policy.jar
-rwxr-xr-x. 1 cscognosbi cscognosbi 2184 Mar 19 16:35 US_export_policy.jar
2- Created krb5.conf file, it must be placed in /etc as well as in directory <App>/jre/lib/security  (this one will be specific for your authentication source)
krb5.conf by default /etc/krb5.conf copy to  /applis/cognos/dispatcher/ibm-jre/jre/lib/security
**** For all dispatchers

3- Copy Impala driver
 https://www.cloudera.com/downloads/connectors/impala/jdbc/2-6-15.html on each dispatchers ../drivers/ImpalaJDBC42.jar
JDBC42 version 2.6.15.1017 because IBM-JRE_version=8.0.5.35 cf https://docs.cloudera.com/documentation/other/connectors/impala-jdbc/latest/Cloudera-JDBC-Driver-for-Impala-Install-Guide.pdf
- copy HIVE  driver  ../drivers/hive-jdbc-2.1.0.2.6.2.1-1-standalone.jar
4- Hive  DB connection use : ibmcognos.subcode=HIVE2;ibmcognos.authentication=java_krb5;
and "ibmcognos.authentication=java_krb5" in the DB connection, this indicates that a kerberos method is used :
^User ID:^?Password:;LOCAL;JDBC;URL=jdbc:hive2://xx.customer.xx:10000/DbName;principal=hive/xx.customer.xx@domain.com;hive.execution.engine=tez;DRIVER_NAME=org.apache.hive.jdbc.HiveDriver;ibmcognos.subcode=HIVE2;ibmcognos.authentication=java_krb5;
 IMPALA DB connection :
^User ID:^?Password:;LOCAL;JDBC;URL=jdbc:impala://xx.customer.xx:21000/DbName;AuthMech=1;KrbHostFQDN=xx.customer .xx;KrbRealm=domain.com;KrbServiceName=impala;DRIVER_NAME=com.cloudera.impala.jdbc4.Driver;ibmcognos.authentication=java_krb5 ;
 
Ps : Take attention to online documentation below,  "Related Information" part,  section "Using Kerberos authentication without single sign-on"

Additional Information

Creating a Kerberized connection to Apache Hive from Cognos Analytics 11.1.x from Red Hat Enterprise Linux.
**Disclaimer: these steps were tested and validated in Cognos Analytics 11.1.5 against Apache Hive 3.1.0.3.1.4.0-315 using Hive JDBC driver 2.1.0.2.6.2.1-1.
Steps to create connection :
1)    Generate an appropriate krb5.conf file; the documentation available at https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html provides the information you should need in coordination with your LDAP admin. 
A simple example of a krb5.conf file :
[libdefaults]
         default_realm = ATHENA.MIT.EDU
         default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
         default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
         dns_lookup_kdc = false
         dns_lookup_realm = false
     
     [realms]
         ATHENA.MIT.EDU = {
             kdc = kerberos.mit.edu
             kdc = kerberos-1.mit.edu
             kdc = kerberos-2.mit.edu:750
             admin_server = kerberos.mit.edu
             master_kdc = kerberos.mit.edu
             default_domain = mit.edu
         }
         EXAMPLE.COM = {
             kdc = kerberos.example.com
             kdc = kerberos-1.example.com
             admin_server = kerberos.example.com
         }
     
     [domain_realm]
         .mit.edu = ATHENA.MIT.EDU
         mit.edu = ATHENA.MIT.EDU
     
     [capaths]
         ATHENA.MIT.EDU = {
             EXAMPLE.COM = .
         }
         EXAMPLE.COM = {
             ATHENA.MIT.EDU = .
         }
     
     [logging]
         kdc = SYSLOG:INFO
         admin_server = FILE=/var/kadm5.log

 

2)    Ensure that you have the krb5.conf file created in step 1 placed in ( 2 different cases):
  •   /etc/ directory  for external Java.
  •   <installation>/ibm-jre/jre/lib/security/ directory for Java from Cognos Analytics.

3)    Leveraging product documentation (https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_ig_verifyjdbccaps.html), ensure that the driver in question supports kerberized connections.  You should expect to see an output similar to this:
HIVE :
 image 8415
IMPALA :
image 8785

4)    Create the data source connection inside of Cognos Administration.
Use the following “Connection properties:” values for HIVE : ibmcognos.subcode=HIVE2;ibmcognos.authentication=java_krb5;
Use the following “Connection properties:” values for IMPALA :  ibmcognos.authentication=java_krb5;

5)    Test the data source connection.  As long as you are using the correct UserName and Password, you should get a result similar to this:
 image 8684
6)    Clicking on the “Succeeded” link will give you the relevant information from the connection (e.g. database version, driver version):
 HIVE
image 8438
IMPALA
image 8787

You can validate that you are passing a username and password by changing the password to a known incorrect password.  In such cases, you will get the following error message:
image 8436

Document Location

Worldwide

[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"ARM Category":[{"code":"a8m50000000Cl6OAAS","label":"Installation and Configuration->Authentication"}],"ARM Case Number":"TS004003799","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]

Document Information

Modified date:
17 March 2021

UID

ibm16415075

Page Feedback