APAC SD Team
Category
Data Sources
Product Version
7.4
Kerberized HIVE2 Native Support
Not Planned
Can we implement a feature in Yellowfin to perform a kinit when connecting to a HIVE2 Kerberized cluster?
This refreshes the kerberos ticket, which needs to be done every 24 hours. In the meantime, we're doing so with a cron job.
I like this idea 
Hi Machiel,
Are you able to provide some more info on how this feature works? We're not HIVE experts so need to figure out how this works to work out if it's possible within YF.
Thanks,
David
Hi Machiel,
Are you able to provide some more info on how this feature works? We're not HIVE experts so need to figure out how this works to work out if it's possible within YF.
Thanks,
David
Hi David,
sure I can. We have this setup:
- Yellowfin: We created a data source wich connects to a HIVE database. So far nothing special.
- Hive: we run Hive on a Kerberized Hadoop cluster. This means some special security factors. Therefore the yellowfin application has to be authenticated via kerberos, meaning that the yellowfin user needs a Kerberos ticket to get accces to the Hadoop cluster.
At the moment we created a semi-automation. We run a daily cron-job to create a valid kerberos ticket for the yellowfin user.
This is not the most ideal way to do it. It is more efficient if a build in function in YF could do that. There is some documention to be found on kerberos.org and oracle. Hereby some links:
https://www.kerberos.org/software/appskerberos.pdf
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/single-signon.html
Please let me know if you need more information.
Thanks for picking this up. It is highly appreciated.
Regards,
machiel
Hi David,
sure I can. We have this setup:
- Yellowfin: We created a data source wich connects to a HIVE database. So far nothing special.
- Hive: we run Hive on a Kerberized Hadoop cluster. This means some special security factors. Therefore the yellowfin application has to be authenticated via kerberos, meaning that the yellowfin user needs a Kerberos ticket to get accces to the Hadoop cluster.
At the moment we created a semi-automation. We run a daily cron-job to create a valid kerberos ticket for the yellowfin user.
This is not the most ideal way to do it. It is more efficient if a build in function in YF could do that. There is some documention to be found on kerberos.org and oracle. Hereby some links:
https://www.kerberos.org/software/appskerberos.pdf
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/single-signon.html
Please let me know if you need more information.
Thanks for picking this up. It is highly appreciated.
Regards,
machiel
Hi Machiel,
I got an update from the head developer. Advised this will not be implemented from Yellowfin side but this could be implemented as a plugin with our Datasource Authentication Adapter Plugin. This gives access to the connection prior to connecting, and would allow someone to implement custom code to enable Kerberos when connecting to Hive.
Here's some example code that I found that could be implemented in an Adapter: https://community.hortonworks.com/questions/1807/connecting-to-kerberos-enabled-hive-via-jdbc-direc.html
Please let me know if you have any questions.
Regards,
Mahesh
Hi Machiel,
I got an update from the head developer. Advised this will not be implemented from Yellowfin side but this could be implemented as a plugin with our Datasource Authentication Adapter Plugin. This gives access to the connection prior to connecting, and would allow someone to implement custom code to enable Kerberos when connecting to Hive.
Here's some example code that I found that could be implemented in an Adapter: https://community.hortonworks.com/questions/1807/connecting-to-kerberos-enabled-hive-via-jdbc-direc.html
Please let me know if you have any questions.
Regards,
Mahesh
Replies have been locked on this page!