Question
I create a class SecureImpalaDataSource that extends DriverManagerDataSource, and use UserGroupInformation.doAs() to get a Connection to Impala with a keytab file. But I get the error as follows:
java.sql.SQLException: [Simba]ImpalaJDBCDriver Error initialized or created transport for authentication: [Simba]ImpalaJDBCDriver Unable to connect to server: null.
But I am successful when I get the connection with the Kerberos ticket cache in a test demo. Can anyone help me?
Answer 1:
Forget about the Hadoop UGI: a JDBC driver just needs the raw JAAS configuration to create a Kerberos ticket on-the-fly (with useKeyTab raised and useTicketCache lowered).
System properties
java.security.krb5.conf => (optional) non-default Kerberos conf
java.security.auth.login.config => JAAS config file
javax.security.auth.useSubjectCredsOnly => must be forced to "false" (the default has changed in some Java release, duh)
Sample JAAS conf file, Impala/Hive Cloudera drivers
Here with a Windows path in Java-style notation.
Client {
com.sun.security.auth.module.Krb5LoginModule
required
useTicketCache=false
doNotPrompt=true
useKeyTab=true
keyTab="file:C:/blah/blah/dummy.keytab"
principal="dummy@SOME.REALM"
debug=false;
};
Sample JAAS conf file, Apache Hive driver
Just change section name from Client to com.sun.security.jgss.krb5.initiate
PS: you can stuff multiple sections in the same conf file; this means that you can define a "global" conf and use it with multiple tools & drivers & libs, with consistent settings.
Debugging
sun.security.krb5.debug => set to "true"
java.security.debug => set to "gssloginconfig,configfile,configparser,logincontext"
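As an added example (not part of the original answer, and not the driver vendor's code), the settings above can be wired together as follows, with a JAAS pre-flight login so that a bad keytab, principal or KDC surfaces as a LoginException instead of the driver's "Unable to connect to server: null". The file path, host name and port are placeholders, the URL properties AuthMech, KrbRealm, KrbHostFQDN and KrbServiceName are those of the Cloudera/Simba Impala driver, and the driver jar is assumed to be on the classpath.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import javax.security.auth.login.LoginContext;

public class ImpalaKeytabCheck {
    public static void main(String[] args) throws Exception {
        // Placeholder values: replace with your own JAAS file, host and realm.
        String jaasFile = "C:/blah/blah/jaas.conf"; // holds the "Client" section
        String url = "jdbc:impala://impalad.example.com:21050;AuthMech=1"
                   + ";KrbRealm=SOME.REALM;KrbHostFQDN=impalad.example.com"
                   + ";KrbServiceName=impala";

        if (!Files.isReadable(Paths.get(jaasFile))) {
            throw new IllegalStateException("JAAS config not readable: " + jaasFile);
        }

        // Set the system properties before any Kerberos or JDBC class is used.
        System.setProperty("java.security.auth.login.config", jaasFile);
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        // Optional, only for a non-default Kerberos configuration:
        // System.setProperty("java.security.krb5.conf", "C:/blah/blah/krb5.conf");

        // Pre-flight: log in through the same JAAS section the driver reads.
        // doNotPrompt=true in that section means no callback handler is needed.
        LoginContext lc = new LoginContext("Client");
        lc.login(); // throws LoginException on keytab, principal or KDC problems
        System.out.println("Keytab login OK as " + lc.getSubject().getPrincipals());
        lc.logout();

        // The driver now obtains its own ticket from the keytab via JAAS.
        try (Connection conn = DriverManager.getConnection(url);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT 1")) {
            rs.next();
            System.out.println("Query returned " + rs.getInt(1));
        }
    }
}
```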
Answer 2:
The result is that the HOST and the FQDN in my URL are inconsistent.
Answer 3:
One way to authenticate your JDBC connection is using ugi.doAs. Here is the sample code:
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

// 1. log in using the keytab
System.setProperty("java.security.krb5.realm", "XXX.COM");
System.setProperty("java.security.krb5.kdc", "kdcXXX");
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "Kerberos");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("test", "test.keytab");
// 2. create the Impala JDBC connection as the logged-in user
Class.forName(JDBCDriverName);
Connection conn = ugi.doAs(new PrivilegedExceptionAction<Connection>() {
    @Override
    public Connection run() throws SQLException {
        // Let a connection failure propagate instead of printing it and returning null
        return DriverManager.getConnection(connectionUrl);
    }
});
// 3. execute query using conn
......
Source: https://stackoverflow.com/questions/42477466/error-when-connect-to-impala-with-jdbc-under-kerberos-authrication