
E-MapReduce: Use Kerberos authentication to access a Hive client

Last Updated: Feb 21, 2025

Kerberos is an identity authentication protocol based on symmetric-key cryptography. Kerberos provides the identity authentication feature for other services. This topic describes how to access a Hive client if Kerberos authentication is enabled for Hive.

Prerequisites

An E-MapReduce (EMR) cluster is created. You must make sure that Kerberos Authentication in the Advanced Settings section of the Software Configuration step is turned on when you create the cluster. For more information about how to create an EMR cluster, see Create a cluster.

Procedure

  1. Log on to the EMR cluster in SSH mode. For more information, see Log on to a cluster.

  2. Open the admin.local CLI of Kerberos.

    • If you log on to the master-1-1 node on which the Key Distribution Center (KDC) server resides as the root user, run the following command to open the admin.local CLI. KDC is a Kerberos server.

      kadmin.local

      If the output contains the following information, the admin.local CLI is opened:

      Authenticating as principal hadoop/admin@EMR.C-85D4B8D74296****.COM with password.
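      kadmin.local:

    • If you log on to a node other than master-1-1 or use a gateway, run the following command to open the admin.local CLI. Replace the admin-user and admin-password parameters with the actual username and password. A password passed with -w can be visible to other users on the system through the process list; if you omit -w, kadmin prompts for the password instead.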

      kadmin -p <admin-user> -w <admin-password>

      Note

      If you use a self-managed KDC server in EMR, take note of the following items:

      • <admin-user>: Set the value to root/admin.

      • <admin-password>: Enter the value of the admin_pwd parameter. You can obtain the value on the Configure tab of the Kerberos service in the EMR console.

      If the output contains the following information, the admin.local CLI is opened:

      Authenticating as principal root/admin with password.
      kadmin:

  3. Create a principal named test.

    In this example, the password is 123456.

    addprinc -pw 123456 test

    If the output contains the following information, the principal is created:

    Principal "test@EMR.C-85D4B8D74296****.COM" created.

    Note

    You must record the username and password, which are required when you create a ticket-granting ticket (TGT).

    To exit the admin.local CLI, run the quit command.

  4. Log on to the node on which you want to run a Hive client. Run the following commands to create and switch to a user named test:

    useradd test
    su test

  5. Run the following command to create a TGT:

    kinit

    Press Enter and enter the password of the test user. In this example, the password is 123456.

  6. Access the Hive client.

    • Method 1: Run the hive command to access the Hive client.

      hive

    • Method 2: Use Beeline to access the Hive client.

      beeline -u "jdbc:hive2://master-1-1.c-56187feb57f0****.cn-hangzhou.emr.aliyuncs.com:10000/;principal=hive/_HOST@EMR.c-56187feb57f0****.COM"

      Replace the following information based on your business requirements:

      • master-1-1.c-56187feb57f0****.cn-hangzhou.emr.aliyuncs.com: The fully qualified hostname, including the domain name. You can obtain the hostname by running the hostname -f command on the node where the HiveServer2 service is deployed. This service is deployed on the master-1-1 node in most cases.

      • EMR.c-56187feb57f0****.COM: The realm name. You can search for the realm parameter on the Configure tab of the Kerberos service page in the EMR console. The value of this parameter is the realm name.
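
The Beeline connection in Method 2 depends on a fully qualified hostname, the correct realm, and a valid TGT in the ticket cache. The following script is an added example, not part of the original documentation: it validates the hostname and realm, builds the JDBC URL, and checks the ticket cache before starting Beeline. The function names and the --connect switch are hypothetical, and the script assumes MIT Kerberos klist output and a single-realm setup.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): pre-flight checks for step 6, Method 2.

# Build the HiveServer2 JDBC URL. principal= names the HiveServer2 *service*
# principal (hive/_HOST@REALM), not the user who ran kinit.
build_hs2_url() {
  local host="$1" realm="$2" port="${3:-10000}"
  case "$host" in
    *[!A-Za-z0-9.-]*|"") echo "invalid hostname: $host" >&2; return 1 ;;
    *.*) ;;  # fully qualified, as printed by `hostname -f`
    *) echo "not a fully qualified hostname: $host" >&2; return 1 ;;
  esac
  # Reject characters that could append extra JDBC parameters to the URL.
  case "$realm" in
    *[!A-Za-z0-9._-]*|"") echo "invalid realm: $realm" >&2; return 1 ;;
  esac
  case "$port" in
    *[!0-9]*|"") echo "invalid port: $port" >&2; return 1 ;;
  esac
  printf 'jdbc:hive2://%s:%s/;principal=hive/_HOST@%s\n' "$host" "$port" "$realm"
}

# Extract the realm of the cached TGT from `klist` output read on stdin.
cache_realm() {
  sed -n 's/^Default principal: .*@//p'
}

# Run the checks, then start Beeline. Requires MIT klist and beeline on PATH.
connect_hive() {
  local url have
  url=$(build_hs2_url "$1" "$2") || return 1
  # klist -s exits non-zero when the cache is missing or the TGT has expired.
  klist -s || { echo "no valid TGT: run kinit first" >&2; return 1; }
  # Single-realm assumption: the user's TGT realm equals the service realm.
  have=$(klist | cache_realm)
  [ "$have" = "$2" ] || { echo "TGT realm $have does not match $2" >&2; return 1; }
  exec beeline -u "$url"
}

# Usage: bash hive_connect.sh --connect "$(hostname -f)" <realm>
if [ "${1:-}" = "--connect" ]; then
  connect_hive "$2" "$3"
fi
```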


References

  • For more information about how to create a principal, see Database administration.

  • For more information about how to create a TGT, see kinit.