Welcome to WuJiGu Developer Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
1.1k views
in Technique[技术] by (71.8m points)

authentication - Error when connecting to Impala with JDBC under Kerberos authentication

I created a class SecureImpalaDataSource that extends DriverManagerDataSource, and use UserGroupInformation.doAs() to get a Connection to Impala with a keytab file. But I get the following error:

java.sql.SQLException: [Simba]ImpalaJDBCDriver Error initialized or created transport for authentication: [Simba]ImpalaJDBCDriver Unable to connect to server: null.

But I am successful when I get the connection with the Kerberos ticket cache in a test demo. Can anyone help me?


1 Answer

0 votes
by (71.8m points)

Forget about the Hadoop UGI: a JDBC driver just needs the raw JAAS configuration to create a Kerberos ticket on-the-fly (with useKeyTab raised and useTicketCache lowered).

System properties

  • java.security.krb5.conf => (optional) non-default Kerberos conf
  • java.security.auth.login.config => JAAS config file
  • javax.security.auth.useSubjectCredsOnly => must be forced to "false" (the default has changed in some Java release, duh)

Sample JAAS conf file, Impala/Hive Cloudera drivers
Here with a Windows path in Java-style notation.

Client {
  com.sun.security.auth.module.Krb5LoginModule
    required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:C:/blah/blah/dummy.keytab"
  principal="[email protected]"
  debug=false;
};

Sample JAAS conf file, Apache Hive driver
Just change section name from Client to com.sun.security.jgss.krb5.initiate
PS: you can stuff multiple sections in the same conf file; this means that you can define a "global" conf and use it with multiple tools & drivers & libs, with consistent settings.

Debugging

  • sun.security.krb5.debug => set to "true"
  • java.security.debug => set to "gssloginconfig,configfile,configparser,logincontext"
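
A pre-flight check for the setup described in the answer above, added here as an example and not part of the original answer: it sets the two system properties and asks the JDK's own JAAS parser whether the section a driver will look up exists, uses the keytab rather than the ticket cache, and points at a readable keytab. The class name JaasPreflight, the sample keytab path and the sample principal are assumptions made for illustration.

```java
import java.nio.file.*;
import java.util.Map;
import javax.security.auth.login.*;

public class JaasPreflight {
    // Constructed sample config; keytab path and principal are placeholders.
    static final String SAMPLE = String.join("\n",
        "Client {",
        "  com.sun.security.auth.module.Krb5LoginModule required",
        "  useTicketCache=false doNotPrompt=true useKeyTab=true",
        "  keyTab=\"file:/tmp/example.keytab\"",
        "  principal=\"user@EXAMPLE.COM\";",
        "};");

    /** Returns a problem description, or null if the section looks usable. */
    static String check(String section) {
        AppConfigurationEntry[] entries =
            Configuration.getConfiguration().getAppConfigurationEntry(section);
        if (entries == null) return "no JAAS section named " + section;
        for (AppConfigurationEntry e : entries) {
            if (!e.getLoginModuleName().endsWith("Krb5LoginModule")) continue;
            Map<String, ?> o = e.getOptions();
            if (!"true".equals(o.get("useKeyTab"))) return "useKeyTab is not true";
            if ("true".equals(o.get("useTicketCache"))) return "useTicketCache is still true";
            if (o.get("principal") == null) return "principal is missing";
            // The keytab is a long-lived credential: it must exist and be readable
            // by this process (and should not be readable by other accounts).
            String kt = String.valueOf(o.get("keyTab")).replaceFirst("(?i)^file:", "");
            if (!Files.isReadable(Paths.get(kt))) return "keytab not readable: " + kt;
            return null;
        }
        return "section has no Krb5LoginModule entry";
    }

    public static void main(String[] args) throws Exception {
        // With an argument, check that JAAS file; otherwise use the constructed sample.
        Path conf = args.length > 0 ? Paths.get(args[0])
                                    : Files.createTempFile("jaas", ".conf");
        if (args.length == 0) Files.write(conf, SAMPLE.getBytes("UTF-8"));
        // Must be set before the first JAAS lookup in this JVM.
        System.setProperty("java.security.auth.login.config", conf.toString());
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        for (String s : new String[] {"Client", "com.sun.security.jgss.krb5.initiate"}) {
            String problem = check(s);
            System.out.println(s + ": " + (problem == null ? "OK" : problem));
        }
        // If "Client" is OK, new LoginContext("Client").login() tests the keytab
        // against the KDC before any JDBC driver is involved.
    }
}
```

Run it with the path of the real JAAS file as the only argument to check that file instead of the constructed sample.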
