lenchv / hive-driver

Driver for connection to Apache Hive via Thrift API
MIT License

I want to connect to Hive with Kerberos #65

Closed PetiteBoy closed 6 months ago

PetiteBoy commented 6 months ago

Hello, when I connect to Hive with Kerberos, I encounter some issues. This is my code:

curClient = await this.client.connect(
  {
    host: data.host,
    port: data.port,
  },
  new hive.connections.TcpConnection(),
  new hive.auth.KerberosTcpAuthentication(
    {
      username: data.username,
      password: data.password,
    },
    new hive.auth.helpers.MongoKerberosAuthProcess(
      {
        fqdn: '',
        service: '',
      },
      kerberos,
    ),
  ),
);

Now I do know fqdn and service I should code some kerberos. I imported,

Help me ~~

lenchv commented 6 months ago

Hi @PetiteBoy! What error did you get? Or what kind of issues do you face? What is the OS on which you run the code?

You should know fqdn and service. Service is often "hive".

If you run on a *nix OS, you should authenticate using kinit first: kinit ....

Also pay attention that Mongo Kerberos supports only "auth" QoP: https://docs.progress.com/bundle/datadirect-apache-impala-jdbc-60/page/Kerberos-SASL-QOP.html

<property>
    <name>hive.server2.thrift.sasl.qop</name>
    <value>auth</value>
</property>

You can debug this file: https://github.com/lenchv/hive-driver/blob/master/lib/connection/auth/helpers/MongoKerberosAuthProcess.ts

and check what QoP is returned from the server.

You can also debug this file and find out at what step authorization fails.
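
For the advice above about checking which QoP the server returns, here is an added example (not part of this thread and not hive-driver's own code) that decodes the 4-byte SASL GSSAPI security-layer message defined in RFC 4752. The function names and sample bytes are constructed for illustration; it assumes the server's final token has already been unwrapped and is passed in as a Buffer or a base64 string.

```javascript
// Added example: decode the SASL GSSAPI security-layer message (RFC 4752, section 3.1).
// Once unwrapped, the server's final token is 4 bytes:
// [layer bitmask][maximum buffer size, 3 bytes, network byte order].
const LAYERS = [
  { bit: 0x01, qop: 'auth' },      // authentication only, no security layer
  { bit: 0x02, qop: 'auth-int' },  // integrity protection
  { bit: 0x04, qop: 'auth-conf' }, // confidentiality protection
];

function decodeSecurityLayers(unwrapped) {
  const buf = Buffer.isBuffer(unwrapped) ? unwrapped : Buffer.from(unwrapped, 'base64');
  if (buf.length < 4) {
    throw new Error(`security-layer message too short: ${buf.length} bytes`);
  }
  const mask = buf[0];
  return {
    offered: LAYERS.filter((l) => mask & l.bit).map((l) => l.qop),
    maxBufferSize: buf.readUIntBE(1, 3),
  };
}

// Tell whether a client that supports only "auth" can finish the handshake.
function diagnoseAuthOnlyClient(unwrapped) {
  const { offered } = decodeSecurityLayers(unwrapped);
  if (offered.includes('auth')) {
    return { ok: true, offered, hint: 'server offers "auth"; QoP is not the problem' };
  }
  return {
    ok: false,
    offered,
    hint: 'server does not offer "auth"; check hive.server2.thrift.sasl.qop',
  };
}

// Reply an auth-only client sends (before wrapping): selected layer 0x01,
// max buffer size 0 because no security layer is used, then optional authzid.
function buildAuthOnlyReply(authzid = '') {
  return Buffer.concat([Buffer.from([0x01, 0x00, 0x00, 0x00]), Buffer.from(authzid, 'utf8')]);
}

// Constructed sample messages, not captured from a real server.
const SAMPLE_AUTH_CONF_ONLY = Buffer.from([0x04, 0x00, 0xff, 0xff]).toString('base64');
const SAMPLE_ALL_LAYERS = Buffer.from([0x07, 0x01, 0x00, 0x00]);

console.log(diagnoseAuthOnlyClient(SAMPLE_AUTH_CONF_ONLY));
console.log(diagnoseAuthOnlyClient(SAMPLE_ALL_LAYERS));
```
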

lenchv commented 6 months ago

In fact, the authorization is done in a loosely coupled method and it is replaceable by any implementation. In the case of Kerberos, I would advise first checking that you can obtain a ticket with any of the libraries, whether this is https://www.npmjs.com/package/kerberos, or https://www.npmjs.com/package/krb5, or any others.

When you're sure that auth works well with just the auth server, without Hive, then try to connect it to Hive. You can easily write your own auth implementation, inspired by https://github.com/lenchv/hive-driver/blob/master/lib/connection/auth/helpers/MongoKerberosAuthProcess.ts and using a library that works.

When debugging the Kerberos connection, you should work closely with Hive logs, because often the error appears there. Also make sure that you can connect to Hive with Kerberos using "beeline".

lenchv commented 6 months ago

And one more piece of advice: have a look at the e2e tests:

(upKrb function) https://github.com/lenchv/hive-driver/blob/master/tests/e2e/utils/instanceHelper.js#L77 https://github.com/lenchv/hive-driver/blob/master/.docker/Makefile#L14

First we run "up-krb", which creates a user, replaces the hostname (fqdn), and then runs kinit. Only after this do we perform a connection via the library. Hope it helps.

PetiteBoy commented 6 months ago

Thanks, I received your answers. I will try your advice. When I run into other questions I will ask you. Thanks again.