TDV Adapter for Apache Phoenix

Build 22.0.8462

Using Kerberos

This section shows how to use the adapter to authenticate using Kerberos.

Kerberos

To authenticate to Apache Phoenix using Kerberos, set the following properties:

  • AuthScheme: Set this to NEGOTIATE.
  • KerberosKDC: Set this to the host name or IP address of your Kerberos KDC machine.
  • KerberosRealm: Set this to the realm of the Apache Phoenix Kerberos principal. This will be the value after the '@' symbol (for instance, EXAMPLE.COM) of the phoenix.queryserver.kerberos.principal of the hbase-site.xml file (for instance, HTTP/MyHost@EXAMPLE.COM).
  • KerberosSPN: Set this to the service and host of the Apache Phoenix Kerberos Principal. This is the value prior to the '@' symbol (for instance, HTTP/MyHost) of the phoenix.queryserver.kerberos.principal of the hbase-site.xml file (for instance, HTTP/MyHost@EXAMPLE.COM).

Retrieve the Kerberos Ticket

You can use one of the following options to retrieve the required Kerberos ticket.

MIT Kerberos Credential Cache File

This option enables you to use the MIT Kerberos Ticket Manager or kinit command to get tickets. Note that you do not need to set the User or Password connection properties with this option.

  1. Ensure that an environment variable named KRB5CCNAME exists.
  2. Set the KRB5CCNAME environment variable to a path pointing to your credential cache file (for instance, C:\krb_cache\krb5cc_0 or /tmp/krb5cc_0). This file is created when generating your ticket with MIT Kerberos Ticket Manager.
  3. To obtain a ticket, open the MIT Kerberos Ticket Manager application, click Get Ticket, enter your principal name and password, then click OK. If successful, ticket information appears in Kerberos Ticket Manager and is stored in the credential cache file.
  4. Now that you have created the credential cache file, the adapter uses the cache file to obtain the Kerberos ticket to connect to Apache Phoenix.

As an alternative to setting the KRB5CCNAME environment variable, you can directly set the file path using the KerberosTicketCache property. When set, the adapter uses the specified cache file to obtain the Kerberos ticket to connect to Apache Phoenix.

Keytab File

If the KRB5CCNAME environment variable has not been set, you can retrieve a Kerberos ticket using a Keytab File. To do so, set the User property to the desired username and set the KerberosKeytabFile property to a file path pointing to the keytab file associated with the user.

User and Password

If neither the KRB5CCNAME environment variable nor the KerberosKeytabFile property has been set, you can retrieve a ticket using a user and password combination. To do this, set the User and Password properties to the user/password combination that you use to authenticate with Apache Phoenix.
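
The following Python sketch is an added example, not code from the adapter or its vendor. It reads phoenix.queryserver.kerberos.principal from hbase-site.xml content, splits it into the KerberosSPN and KerberosRealm values described above, and reports which ticket retrieval option applies in the order this page lists them. The function names, the sample XML, the KDC host name and the sample user are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PRINCIPAL_KEY = "phoenix.queryserver.kerberos.principal"

# Constructed sample in hbase-site.xml layout, using the page's example principal.
SAMPLE_HBASE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hbase.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>phoenix.queryserver.kerberos.principal</name>
    <value>HTTP/MyHost@EXAMPLE.COM</value>
  </property>
</configuration>
"""

def principal_from_hbase_site(xml_text):
    """Return the query server principal stored in hbase-site.xml content."""
    for prop in ET.fromstring(xml_text).iter("property"):
        if (prop.findtext("name") or "").strip() == PRINCIPAL_KEY:
            return (prop.findtext("value") or "").strip()
    raise KeyError(PRINCIPAL_KEY)

def kerberos_properties(principal, kdc):
    """Split service/host@REALM into the adapter's KerberosSPN and KerberosRealm."""
    spn, sep, realm = principal.rpartition("@")
    if not (sep and spn and realm):
        raise ValueError("expected service/host@REALM, got %r" % principal)
    return {"AuthScheme": "NEGOTIATE", "KerberosKDC": kdc,
            "KerberosRealm": realm, "KerberosSPN": spn}

def ticket_source(env, props):
    """Which ticket retrieval option applies, in the order the page lists them."""
    if env.get("KRB5CCNAME") or props.get("KerberosTicketCache"):
        return "credential cache"
    if props.get("User") and props.get("KerberosKeytabFile"):
        return "keytab"
    if props.get("User") and props.get("Password"):
        return "user and password"
    raise ValueError("no Kerberos ticket source configured")

if __name__ == "__main__":
    props = kerberos_properties(principal_from_hbase_site(SAMPLE_HBASE_SITE),
                                "kdc.example.com")  # constructed KDC host
    print(props, ticket_source({}, dict(props, User="alice", Password="x")))
```

Running the check before deployment shows whether a leftover KRB5CCNAME in the service environment would take the place of the keytab or password you intended to use.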

Cross-Realm

More complex Kerberos environments may require cross-realm authentication where multiple realms and KDC servers are used (e.g., where one realm/KDC is used for user authentication and another realm/KDC is used for obtaining the service ticket).

In such an environment, set the KerberosRealm and KerberosKDC properties to the values required for user authentication. Also set the KerberosServiceRealm and KerberosServiceKDC properties to the values required to obtain the service ticket.

Copyright (c) 2023 CData Software, Inc. - All rights reserved.