Connect with Hive2 (0.12) which is kerberos aut...| JBoss.org Content Archive (Read Only)

1 2 3 4 Previous Next 47 Replies Latest reply on Nov 17, 2016 4:06 PM by debashishsaha004 Go to original post

15. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

debashishsaha004 Nov 14, 2016 3:33 PM (in response to rareddy)

https://community.denodo.com/docs/view/document/Virtual%20DataPort/Denodo%205.5/Virtual%20DataPort%20Administration%20Guide
page no 313 .. using this I have setup my configuration.
May be this will give you a deeper and clear view.
Actions
16. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

rareddy Nov 14, 2016 3:52 PM (in response to debashishsaha004)

Teiid Designer tool does not support the automatic kerberos login, so you would have to setup the ticket as described in your link with tableu link and create the keytab file, which is used in the server configuration, have you done that?
Actions
17. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

debashishsaha004 Nov 14, 2016 3:57 PM (in response to rareddy)

I have MIT kerberos ticket client by which using server principal I can get a ticket like the tableau link I provided.yes I did the same.
I also have the keytab file associated with that principal
Actions
18. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

rareddy Nov 14, 2016 4:16 PM (in response to debashishsaha004)

Looking back at your configuration you need to use "host" as security domain on your data source, not MYCOMPANY.COM.
Actions
19. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

debashishsaha004 Nov 14, 2016 4:29 PM (in response to rareddy)

<security-domain name="abc" cache-type="default">
                    <authentication>
                        <login-module code="Kerberos" flag="required">
                            <module-option name="storeKey" value="true"/>
                            <module-option name="useKeyTab" value="true"/>
                            <module-option name="principal" value="host/a3000053@MYCOMPANY.COM"/>
                            <module-option name="keyTab" value="...path to /a3000053.keytab"/>
                            <module-option name="doNotPrompt" value="true"/>
                            <module-option name="debug" value="false"/>
                        </login-module>
                    </authentication>
                </security-domain>

Only this security module ???
Actions
20. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

debashishsaha004 Nov 14, 2016 4:35 PM (in response to rareddy)
Here is the server log

Server Log.txt.zip 1.3 KB
Actions
21. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

debashishsaha004 Nov 14, 2016 4:40 PM (in response to rareddy)

https://access.redhat.com/documentation/en/red-hat-jboss-data-virtualization/6.3/single/security-guide/#chap-Data_Source_Security
rareddy shawkins can you guys please have a look at this url.Should we consider this document for solving this problem statement.
Actions
22. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

rareddy Nov 14, 2016 4:40 PM (in response to debashishsaha004)

Use "abc" as security domain in your data source configuration. If you want attach standalone-teiid.xml file for me take look at.
Actions
23. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

debashishsaha004 Nov 14, 2016 4:42 PM (in response to rareddy)

yes .. here I am writing abc .but actually in standalone.xml I have host as name for the security domain.
So I used host
Actions
24. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

rareddy Nov 14, 2016 4:46 PM (in response to debashishsaha004)

Set "debug" module option to true and post the debug log.
Actions
25. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

debashishsaha004 Nov 14, 2016 4:48 PM (in response to rareddy)
Actions
26. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

debashishsaha004 Nov 14, 2016 4:51 PM (in response to rareddy)

same log .. actually I modified debug =true as hawkins adviced me before.but result is exactly like the attached with my previous reply
Actions
27. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

rareddy Nov 14, 2016 5:01 PM (in response to debashishsaha004)

That does not sound right, typically there is lot more verbose log. Do you have properties like

    <system-properties>
        <property name="java.security.krb5.conf" value="/etc/krb5.conf"/>
        <property name="java.security.krb5.debug" value="true"/>
        <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
    </system-properties>

in your standalone-teiid.xml file right after <extensions> element? krb5.conf point to your KDC settings.
Actions
28. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

debashishsaha004 Nov 14, 2016 5:05 PM (in response to rareddy)

I dont have this type of setting .
Should I add system properties ..can you please give a bit more detail what are the parameters do I need to add
Actions
29. Re: Connect with Hive2 (0.12) which is kerberos authenticated.

rareddy Nov 14, 2016 5:11 PM (in response to debashishsaha004)

See Kerberos support through GSSAPI · Teiid Documentation "Required System Properties on Server" section. Also an example krb5.conf file at How to implement Kerberos authentication with Teiid over JDBC
Actions

1 2 3 4 Previous Next

Go to original post