Once Kerberos authentication is enabled, a user needs a keytab in order to log into the Hive CLI or beeline. For this we create two principals, user1 and user2, in the Kerberos database.
Generate the keytabs for user1 and user2 with kadmin.local. `xst -norandkey` exports the principal's current keys without rotating them, so the user's password keeps working alongside the keytab (plain `ktadd` would randomize the keys and break password login). One entry is written per encryption type enabled for the principal, which here includes the legacy des-* and arcfour-hmac keys as well as AES; a keytab lets anyone who can read it act as that principal, so restrict the file (for example chmod 600 user1.keytab) and hand each user only their own file.
kadmin.local: xst -norandkey -k user1.keytab user1
Entry for principal user1 with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type camellia256-cts-cmac added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type camellia128-cts-cmac added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:user1.keytab.
kadmin.local: xst -norandkey -k user2.keytab user2
Entry for principal user2 with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type camellia256-cts-cmac added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type camellia128-cts-cmac added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:user2.keytab.
Earlier, in the Hive CLI, we created two databases, db1 and db2: db1 contains table1, and db2 contains table1 and table2. The role for db1 was granted to user1 and the role for db2 to user2. As a result, through beeline user1 can only see db1 and its table1, and user2 can only see db2 and its table1 and table2.
beeline connects with the command below. Note that principal= in the URL names the HiveServer2 service principal the client authenticates to; the identity HiveServer2 sees is that of the caller's own Kerberos credentials (a ticket obtained with kinit -kt user1.keytab user1 before starting beeline, or a keytab login in code).
beeline -u "jdbc:hive2://hxmaster:10000/;principal=hive/hxmaster@ANDREW.COM"
Since the cluster is reached from a local workstation, copy the generated user1.keytab and user2.keytab together with /etc/krb5.conf to any local directory; here we use D:/keytab.
With that in place we can write a Java program in a local IntelliJ project that connects to Hive. The hive-jdbc and hadoop-client jars are needed at runtime, so we add them to build.sbt:
libraryDependencies += "org.apache.hive" % "hive-jdbc" % "1.1.0"
libraryDependencies += "org.apache.hadoop" % "hadoop-client" % "2.6.5"
With everything ready, the following code queries the table that user1 is allowed to see in Hive:
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

public class KBSimple {
    private static final String JDBC_DRIVER = "org.apache.hive.jdbc.HiveDriver";
    // principal= is the HiveServer2 service principal, the same one beeline uses above
    private static final String CONNECTION_URL =
        "jdbc:hive2://hxmaster:10000/;principal=hive/hxmaster@ANDREW.COM";

    static {
        // Load the Hive JDBC driver once; failing here is a packaging error, not a runtime condition
        try {
            Class.forName(JDBC_DRIVER);
        } catch (ClassNotFoundException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Point the JVM's Kerberos implementation at the krb5.conf copied from the cluster
        System.setProperty("java.security.krb5.conf", "D:\\keytab\\krb5.conf");

        // Log in as user1 from its keytab; the Hive JDBC driver then authenticates
        // over SASL/GSSAPI with this login's credentials
        Configuration configuration = new Configuration();
        configuration.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(configuration);
        UserGroupInformation.loginUserFromKeytab("user1@ANDREW.COM", "D:\\keytab\\user1.keytab");

        // try-with-resources closes the result set, statement and connection in reverse order
        try (Connection connection = DriverManager.getConnection(CONNECTION_URL);
             PreparedStatement ps = connection.prepareStatement("select * from db1.table1");
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                System.out.println(rs.getString(1));
            }
        }
    }
}
The execution result is as follows:
Similarly, to query table2 as user2, the code needs only small changes: log in with user2@ANDREW.COM and user2.keytab, and select from db2.table2.
The execution result is as follows:
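The user1 program above and its user2 variant can be collapsed into one client that exercises both identities, which is also the quickest way to confirm that the role grants actually isolate the two databases. The following is an added example and not the original post's code. It keeps the post's host, realm, keytab directory and database/table names as assumptions, and swaps the post's loginUserFromKeytab (which replaces the JVM-wide login user) for loginUserFromKeytabAndReturnUGI plus doAs(), so the two logins do not overwrite each other. It finishes with the check a practitioner wants: the cross-database query by user2 that must be refused.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Added example, not the original post's code. Logs user1 and user2 in from their
 * keytabs in one JVM, runs each user's query under its own identity, then checks
 * that a query across the role boundary is refused. Host, realm, keytab directory
 * and table names are assumed to match the post; none of it is taken from a live cluster.
 */
public class KBMultiUser {
    private static final String CONNECTION_URL =
        "jdbc:hive2://hxmaster:10000/;principal=hive/hxmaster@ANDREW.COM";
    // Assumption: the directory the post copies the keytabs and krb5.conf into
    private static final String KEYTAB_DIR = "D:\\keytab\\";

    /** Log a principal in from its keytab and return a separate UGI instead of
     *  replacing the JVM-wide login user, so several identities can coexist. */
    static UserGroupInformation login(String principal, String keytab) throws IOException {
        return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    }

    /** Run one query inside ugi.doAs(); the Hive JDBC driver authenticates with the
     *  Kerberos credentials of the current UGI, so HiveServer2 sees this principal. */
    static List<String> queryAs(UserGroupInformation ugi, final String sql) throws Exception {
        return ugi.doAs(new PrivilegedExceptionAction<List<String>>() {
            @Override
            public List<String> run() throws IOException {
                List<String> firstColumn = new ArrayList<>();
                // try-with-resources closes result set, statement and connection in reverse order
                try (Connection c = DriverManager.getConnection(CONNECTION_URL);
                     Statement st = c.createStatement();
                     ResultSet rs = st.executeQuery(sql)) {
                    while (rs.next()) {
                        firstColumn.add(rs.getString(1));
                    }
                } catch (SQLException e) {
                    // UGI.doAs() only unwraps IOException, InterruptedException and unchecked
                    // errors; wrap the checked SQLException so the real cause stays visible
                    throw new IOException(e);
                }
                return firstColumn;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", KEYTAB_DIR + "krb5.conf");
        Class.forName("org.apache.hive.jdbc.HiveDriver");

        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        UserGroupInformation user1 = login("user1@ANDREW.COM", KEYTAB_DIR + "user1.keytab");
        UserGroupInformation user2 = login("user2@ANDREW.COM", KEYTAB_DIR + "user2.keytab");

        // Each user reads the table its role grants
        System.out.println("user1 db1.table1: " + queryAs(user1, "select * from db1.table1"));
        System.out.println("user2 db2.table2: " + queryAs(user2, "select * from db2.table2"));

        // user2 holds no role on db1, so HiveServer2 must reject this; a success here
        // means authorization is not being enforced the way the post describes
        try {
            List<String> leaked = queryAs(user2, "select * from db1.table1");
            System.out.println("UNEXPECTED: user2 read " + leaked.size() + " rows from db1.table1");
        } catch (IOException e) {
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            System.out.println("expected denial for user2 on db1.table1: " + cause.getMessage());
        }
    }
}
```

Build it with the same hive-jdbc and hadoop-client dependencies as the post and run it from a machine that can reach both the KDC and HiveServer2. The first two queries should print rows; the third should print a denial from HiveServer2. If the third query returns rows instead, the role grants are not being enforced and that needs fixing before the keytabs are handed out.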