1 Reply Latest reply on Dec 7, 2015 3:12 AM by jdurani

    Hi All, can anyone shed some light on how to connect to hadoop using kerberos authentication?

    allenyu6

      Trying to connect to hadoop using Kerberos authentication and find it very difficult, can someone shed some light on it?

       

      Thanks,

       

      Allen

        • 1. Re: Hi All, can anyone shed some light on how to connect to hadoop using kerberos authentication?
          jdurani

          Hi Allen,

           

          It depends on whether you want to connect to Hadoop using static credentials or pass-through authentication (I expect you have already secured your Hadoop instance). You can find more details in "Kerberos support through GSSAPI" (Teiid 8.12 documentation).

           

          1. Static credentials - create a new security domain and set it as the security domain for your DS

          <security-domain name="host" cache-type="default">

              <authentication>

                  <login-module code="Kerberos" flag="required" module="org.jboss.security.negotiation">

                      <module-option name="storeKey" value="true"/>

                      <module-option name="useKeyTab" value="true"/>

                      <module-option name="keyTab" value="/path/to/DV_server.keytab"/>

                      <module-option name="principal" value="DATAVIRT/my.host.address@MY.REALM.COM"/>

                      <module-option name="doNotPrompt" value="true"/>

                      <module-option name="useTicketCache" value="true"/>

                      <module-option name="debug" value="true"/>

                      <module-option name="refreshKrb5Config" value="false"/>

                      <module-option name="addGSSCredential" value="true"/>

                      <module-option name="delegationCredential" value="USE"/>

                      <module-option name="isInitiator" value="true"/>

                  </login-module>

              </authentication>

          </security-domain>

           

          <datasource jndi-name="java:/hadoop" pool-name="hadoop" enabled="true">

              <connection-url>jdbc_url</connection-url>

              <driver>hadoop</driver>

              <security>

                  <security-domain>host</security-domain>

              </security>

          </datasource>

           

          2. Pass-through security.

          In this case you have to secure your VDB (or JDBC/ODBC transport) as well (see the documentation).

           

          <security-domain name="host" cache-type="default">

              <authentication>

                  <login-module code="Kerberos" flag="required" module="org.jboss.security.negotiation">

                      <module-option name="storeKey" value="true"/>

                      <module-option name="useKeyTab" value="true"/>

                      <module-option name="keyTab" value="/path/to/DV_server.keytab"/>

                      <module-option name="principal" value="DATAVIRT/my.host.address@MY.REALM.COM"/>

                      <module-option name="doNotPrompt" value="true"/>

                      <module-option name="useTicketCache" value="true"/>

                      <module-option name="debug" value="true"/>

                      <module-option name="refreshKrb5Config" value="false"/>

                      <module-option name="addGSSCredential" value="true"/>

                      <module-option name="delegationCredential" value="USE"/>

                      <module-option name="isInitiator" value="true"/>

                  </login-module>

              </authentication>

          </security-domain>

          <security-domain name="MY.REALM.COM" cache-type="default">

              <authentication>

                  <login-module code="SPNEGO" flag="required" module="org.jboss.security.negotiation">

                      <module-option name="password-stacking" value="useFirstPass"/>

                      <module-option name="useKeyTab" value="true"/>

                  </login-module>

              </authentication>

              <!-- <mapping> is a child of <security-domain>, not of <authentication> -->

              <mapping>

                  <mapping-module code="SimpleRoles" type="roles">

                      <module-option name="user@MY.REALM.COM" value="user"/>

                  </mapping-module>

              </mapping>

          </security-domain>

          <security-domain name="pass-through" cache-type="default">

              <authentication>

                  <login-module code="org.teiid.jboss.PassthroughIdentityLoginModule" flag="required" module="org.jboss.teiid">

                      <module-option name="userName" value="guest"/>

                      <module-option name="password" value="guest"/>

                  </login-module>

              </authentication>

          </security-domain>

           

          <datasource jndi-name="java:/hadoop" pool-name="hadoop" enabled="true">

              <connection-url>jdbc_url</connection-url>

              <driver>hadoop</driver>

              <security>

                  <security-domain>pass-through</security-domain>

              </security>

          </datasource>

           

          Juraj
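
A pre-deployment check for the static-credentials configuration in the reply above, added here as an example (not code from the original post or from Teiid/JBoss). It flags `debug=true` left on, a principal that is not in `service/host@REALM` form, a keytab that is missing or readable by group/other, and a datasource that names an undefined security domain. The `audit` function, the `<config>` wrapper element and the trimmed sample fragment are assumptions made for the example.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample modelled on the reply's config; <config> only wraps the fragment.
SAMPLE = """<config>
<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required" module="org.jboss.security.negotiation">
      <module-option name="useKeyTab" value="true"/>
      <module-option name="keyTab" value="/path/to/DV_server.keytab"/>
      <module-option name="principal" value="DATAVIRT/my.host.address@MY.REALM.COM"/>
      <module-option name="debug" value="true"/>
    </login-module>
  </authentication>
</security-domain>
<datasource jndi-name="java:/hadoop" pool-name="hadoop" enabled="true">
  <security><security-domain>host</security-domain></security>
</datasource>
</config>"""

PRINCIPAL = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")  # service/host@REALM

def audit(xml_text):
    """Return a list of findings for Kerberos login modules and datasources."""
    root = ET.fromstring(xml_text)
    findings = []
    # Named <security-domain> elements are definitions; unnamed ones are references.
    domains = {d.get("name"): d for d in root.iter("security-domain") if d.get("name")}
    for name, dom in domains.items():
        for lm in dom.iter("login-module"):
            if lm.get("code") != "Kerberos":
                continue
            opts = {o.get("name"): o.get("value") for o in lm.iter("module-option")}
            if opts.get("debug") == "true":
                findings.append(f"{name}: debug=true, turn off once login works")
            if not PRINCIPAL.match(opts.get("principal") or ""):
                findings.append(f"{name}: principal is not service/host@REALM")
            keytab = opts.get("keyTab")
            if keytab and not os.path.isfile(keytab):
                findings.append(f"{name}: keytab {keytab} not found")
            elif keytab and stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:
                findings.append(f"{name}: keytab {keytab} readable by group/other")
    for ds in root.iter("datasource"):
        ref = ds.findtext("security/security-domain")
        if ref and ref not in domains:
            findings.append(f"datasource {ds.get('pool-name')}: unknown domain {ref}")
    return findings
```

The permission test uses POSIX mode bits, so run it on the host and as the account that starts the server.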