Kerberized HIVE2 Native Support

Machiel van Tilborg shared this idea 12 months ago
Not Planned

Can we implement a feature in Yellowfin to perform a kinit when connecting to a HIVE2 Kerberized cluster?

This refreshes the kerberos ticket, which needs to be done every 24 hours. In the meantime, we're doing so with a cron job.

Comments (3)

photo
1

Hi Machiel,


Are you able to provide some more info on how this feature works? We're not HIVE experts so need to figure out how this works to work out if it's possible within YF.


Thanks,

David

photo
1

Hi David,

sure I can. We have this setup:

- Yellowfin: We created a data source wich connects to a HIVE database. So far nothing special.

- Hive: we run Hive on a Kerberized Hadoop cluster. This means some special security factors. Therefore the yellowfin application has to be authenticated via kerberos, meaning that the yellowfin user needs a Kerberos ticket to get accces to the Hadoop cluster.

At the moment we created a semi-automation. We run a daily cron-job to create a valid kerberos ticket for the yellowfin user.

This is not the most ideal way to do it. It is more efficient if a build in function in YF could do that. There is some documention to be found on kerberos.org and oracle. Hereby some links:

https://www.kerberos.org/software/appskerberos.pdf


https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/single-signon.html


Please let me know if you need more information.

Thanks for picking this up. It is highly appreciated.

Regards,

machiel

photo
1

Hi Machiel,

I got an update from the head developer. Advised this will not be implemented from Yellowfin side but this could be implemented as a plugin with our Datasource Authentication Adapter Plugin. This gives access to the connection prior to connecting, and would allow someone to implement custom code to enable Kerberos when connecting to Hive.

Here's some example code that I found that could be implemented in an Adapter: https://community.hortonworks.com/questions/1807/connecting-to-kerberos-enabled-hive-via-jdbc-direc.html

Please let me know if you have any questions.

Regards,

Mahesh