Overview
Version
Version | Functional Change |
11.0 | / |
11.0.7 | Optimized Kerberos authentication method, allowing you to directly upload relevant files on the front end. |
11.0.10 | Added solutions for the error 31300010. |
Introduction to Authentication Methods
1. Kerberos authentication is a common authentication method in the Hadoop ecosystem.
2. There are two methods to configure the Kerberos authentication.
Directly use the Kerberos authentication on the data connection configuration page (mainly used for authentication connections of drivers such as Hive and HBase).
Configure JVM parameters before going to the data connection configuration page for authentication (mainly used for error reoccurrences, such as an error in databases like Impala of CDH, after the correct information on the data connection page and the successful authentication).
Supported Database
To configure the Kerberos authentication, databases needs to switch to dedicated drivers and modify URL formats. For details, see Collections of Kerberos Drivers. The following databases support the Kerberos authentication:
Apache Impala
Hadoop Hive
Spark
Transwarp Inceptor
Apache Phoenix
HBase
Preparations
Download configuration files krb5.conf, name.keytab, and principal from the environment.
The name.keytab is the key table file. You need to find the corresponding location of the file on the application server that provides Kerberos services.
Procedures
Take Hive as an example.
Configuring the hosts File
To configure the local hosts file, add the remote port mapping in IP address Machine name format to the hosts file under the its path (like C:\Windows\System32\drivers\etc).
Setting Data Connection
1. Find the corresponding driver based on Collections of Kerberos Drivers, modify the URL to the corresponding format, and set Authentication Method to Kerberos.
2. Upload the keytab file and the krb5.conf file.
3. Click Test Connection. Successful connection is shown in the following figure.
Notes
Checking Server and Authentication Information
What to Check | Requirement |
Check the time difference between the machine where the FineReport server is located and the database server. | The time difference usually needs to be less than 5 minutes. |
Check and configure the hosts file of the machine where the FineReport server is located. | Verify that the database server can be pinged through the hostname/domain name. |
Check whether the version of the built-in zookeeper package of FineReport matches with the zookeeper version in the database server. | For example, version incompatibility errors may occur when the FineReport server is connected to the Huawei HD platform. |
Check whether the name of the principal file is correct. | The format of the principal file is usually Username/Department name@Company name. To check whether the format is correct, you can execute klist or kinit -k -t /path/to/keytab name_of_principal in the database server Shell. You can also directly connect to the authenticated service through tools such as Beeline and Impala Shell, and view the corresponding principal file information. For example, the principal file corresponding to the Hive service is hive/bigdata@Company name.COM, while the one corresponding to the Impala service is impala/bigdata@Company name.COM. |
Check the FineReport project path. | Ensure that no spaces (like Tomcat 9) are included in the path. (Kerberos authentication does not support paths with spaces.) |
Solutions to Failed Connections
1. If the connection fails, you can check whether the security authentication configuration of the relevant service is correct through the platform database admin, and provide FanRuan's technical supports with relevant error logs, the data platform database version, the corresponding driver JAR package, the relevant connection information, and the Java authentication connection test codes/Shell tools that can connect to the authentication database.
JVM secure debugging log parameters are as follows:
2. If you cannot connect on Windows system in some special cases, you can deploy the FineReport test server on Linux system. Ensure that the test server can connect to the database through relevant Shell tools and cached KGT information can be viewed through klist.
Errors
CDH connection error: Unable to obtain Principal Name for authentication
Cause: The JCE installed by default in JDK cannot handle symmetric keys larger than 128 bits.
Solution: Update the JCE extension package of JRE.
Procedure: Download and unzip the JCE extension JAR package and replace the former file in the specified directory of JRE. For details about JCE installation, see the website https://sourceforge.net/p/skcc/wiki/Install.
Transwarp Inceptor database error: GSS initiate failed
Cause: The driver itself performs static global operations. After the Kerberos center is refreshed, the static global in the internal driver still remains, which makes the data connection fail.
Solution: Restart the FineReport server.
Error: 31300010 KDC server is not connected
Cause: The connection times out.
Solution: Extend the timeout period.
