keytab

I am trying to get kerberos keytab authentication work from java to Hive and not finding solution to fix the issue. org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration(); conf.set("hadoop.security.authentication", "kerberos"); conf.set(HiveClientFactory.HIVE_METASTORE_URIS,"thrift://{URL}"); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab(krbPrincipal, keyTabPath); java.io.IOException: Login failure for {krbPrincipal} from keytab {keyTabPath} at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab

i have some questions on using keytab for Authentication hope the kind people here can enlightend me Say, i have userA who is going to use a service running at port 1010. First, userA will login to Active Directory to authenticate himself. After login, userA will try to connect to the server to use its service 1010. In order for the server to verify that UserA is who he is, I need to use setspn to register SPN at the Active Directory. eg setspn -s service1010/mydomain.com serviceaccount1 Then need to generate ktab file at Active directory, eg ktab -a serviceprincal1010/server.domain.com@DOMAIN

Is it possible to connect to Hive via beeline using (kerberos) keytab file similar to the approach used for JDBC at https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-UsingKerberoswithaPre-AuthenticatedSubject PS : beeline does support connecting on a kerberos secured hive server with username and password. But I am looking for a way to connect it with a keytab file. http://doc.mapr.com/display/MapR40x/Configuring+Hive+on+a+Secure+Cluster#ConfiguringHiveonaSecureCluster-UsingBeelinewithKerberos I think you cannot connect with keytab file into beeline but

I want to make a script that will generate the a keytab using ktutil. When running the script I want to use [user]$ script.sh PASSWORD #script.sh echo "addent -password -p PRINCIPAL -k 1 -e aes256-cts-hmac-sha1-96" | ktutil Ktutil than needs a password, here I want to use the PASSWORD argument from above. How would I pass the password arguement? With GNU bash: user="PRINCIPAL" pass="topsecret" printf "%b" "addent -password -p $user -k 1 -e aes256-cts-hmac-sha1-96\n$pass\nwrite_kt $user.keytab" | ktutil printf "%b" "read_kt $user.keytab\nlist" | ktutil Output: slot KVNO Principal ---- ---- ----

I'm trying to connect to my HDFS instance running on Cloudera. My first step was enabling Kerberos and creating Keytabs (as shown here ). In the next step i would like to authenticate with a keytab. Configuration conf = new Configuration(); conf.set("fs.defaultFS", "hdfs://cloudera:8020"); conf.set("hadoop.security.authentication", "kerberos"); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab("hdfs@CLOUDERA", "/etc/hadoop/conf/hdfs.keytab"); FileSystem fs = FileSystem.get(conf); FileStatus[] fsStatus = fs.listStatus(new Path("/")); for (int i = 0; i <

The documentation describing how to connect to a kerberos secured endpoint shows the following: curl -i --negotiate -u : "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=..." The -u flag has to be provided but is ignored by curl. Does the --negotiate option cause curl to look for a keytab that was created beforehand with the kinit command, or will curl prompt for credentials? If it looks for a keytab file, what filename will the command be looking for? Being a once-in-a-while-contributor to curl in that area. Here is what you need to know: curl(1) itself knows nothing about Kerberos and will not