1. Re: Hi All, can anyone shed some light on how to connect to hadoop using kerberos authentication?
jdurani Dec 7, 2015 3:12 AM (in response to allenyu6)
Hi Allen,
it depends on whether you want to connect to Hadoop using static credentials or pass-through authentication (I expect you have already secured your Hadoop instance). You can find more details here - Kerberos support through GSSAPI - Teiid 8.12 - Project Documentation Editor.
1. Static credentials - create a new security domain and set it up as the security domain for your DS
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required" module="org.jboss.security.negotiation">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="keyTab" value="/path/to/DV_server.keytab"/>
            <module-option name="principal" value="DATAVIRT/my.host.address@MY.REALM.COM"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="useTicketCache" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="refreshKrb5Config" value="false"/>
            <module-option name="addGSSCredential" value="true"/>
            <module-option name="delegationCredential" value="USE"/>
            <module-option name="isInitiator" value="true"/>
        </login-module>
    </authentication>
</security-domain>

<datasource jndi-name="java:/hadoop" pool-name="hadoop" enabled="true">
    <connection-url>jdbc_url</connection-url>
    <driver>hadoop</driver>
    <security>
        <security-domain>host</security-domain>
    </security>
</datasource>

2. Pass-through security.
In this case you have to secure your VDB (or JDBC/ODBC transport) as well (see the documentation).
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required" module="org.jboss.security.negotiation">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="keyTab" value="/path/to/DV_server.keytab"/>
            <module-option name="principal" value="DATAVIRT/my.host.address@MY.REALM.COM"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="useTicketCache" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="refreshKrb5Config" value="false"/>
            <module-option name="addGSSCredential" value="true"/>
            <module-option name="delegationCredential" value="USE"/>
            <module-option name="isInitiator" value="true"/>
        </login-module>
    </authentication>
</security-domain>

<security-domain name="MY.REALM.COM" cache-type="default">
    <authentication>
        <login-module code="SPNEGO" flag="required" module="org.jboss.security.negotiation">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="useKeyTab" value="true"/>
        </login-module>
    </authentication>
    <!-- mapping is a child of security-domain, next to authentication -->
    <mapping>
        <mapping-module code="SimpleRoles" type="roles">
            <module-option name="user@MY.REALM.COM" value="user"/>
        </mapping-module>
    </mapping>
</security-domain>

<security-domain name="pass-through" cache-type="default">
    <authentication>
        <login-module code="org.teiid.jboss.PassthroughIdentityLoginModule" flag="required" module="org.jboss.teiid">
            <module-option name="userName" value="guest"/>
            <module-option name="password" value="guest"/>
        </login-module>
    </authentication>
</security-domain>

<datasource jndi-name="java:/hadoop" pool-name="hadoop" enabled="true">
    <connection-url>jdbc_url</connection-url>
    <driver>hadoop</driver>
    <security>
        <security-domain>pass-through</security-domain>
    </security>
</datasource>

Juraj