Kerberos Authentication in Data Connection

Introduction to Authentication Methods

Kerberos authentication is a common authentication method in the Hadoop ecosystem.

You can configure the Kerberos authentication in two methods.

• You can set Authentication Method to Kerberos on the data connection configuration page (mainly used for authentication connection using Hive and HBase drivers).

• You can configure JVM parameters and then configure authentication on the data connection configuration page (mainly used to solve connection errors that occur after you enter the correct information and succeed in authentication on the data connection configuration page, such as an error in connecting to Impala in Cloudera Distributed for Hadoop (CDH).

Supported Database

You need to switch database drivers to dedicated drivers and modify URL formats when using Kerberos authentication. The following databases support the Kerberos authentication.

Note: You cannot use the same keytab file to authenticate multiple connections simultaneously. For example, if both Data Connection A and Data Connection B require Kerberos authentication, only one of them can be successfully established at the same time.

Preparation Before Data Connection

Download configuration files krb5.conf, Keytab file name.keytab, and principal from the environment.

Keytab file name.keytab is the key table file. You need to get its path on the application server that provides the Kerberos service. 

This document takes the data connection to Hadoop Hive as an example.

Configuring the hosts File

Open the hosts file on the local server, for example, the hosts file in C:\Windows\System32\drivers\etc Add the remote mapping relationship in the format of IP address Machine name, as shown in the following figure.

Note: For projects deployed via FineOps, if you need to use Kerberos authentication, you must modify the hosts file of both the container and the host machine to include the domain names of the database and the Kerberos key distribution center.

Configuring the Data Connection

Find the corresponding driver based on Kerberos Driver Management modify the URL format accordingly, and set Authentication Method to Kerberos. If you do not find a corresponding driver in Collections of Kerberos Drivers, you can use the driver provided by the data source.

Upload the keytab file and the krb5.conf file, as shown in the following figure.

Click Test Connection. If the connection is successful, click Save to save the data connection, as shown in the following figure.