Connecting to MapR via JDBC

I recently needed to do some connection testing via JDBC to Hiveserver 2 in MapR 4.0.2 in a secure and kerberized cluster. Since this was new to me I thought it would be worthwhile to write-up my notes as I will sure forget half of this in less than a few weeks. Just in case you are needing to connect via JDBC to a Kerberized cluster here are some tips.

MapR has its own login system called maprlogin for use in a secure cluster setup that requires authentication via password or Kerberos to use the cluster.

Once completed users can act on the cluster via the command line normally via the hadoop commands (or through the Linux command line in NFS mounted MapR-FS).

For JDBC connections users must use the principal configured by the Kerberos and Hadoop Admins for the hive service (not their user principal – that is used in the previous step). See the setting “hive.server2.authentication.kerberos.principal” along with the matching keytab specified in “hive.server2.authentication.kerberos.keytab” which in MapR is typically under /opt/mapr/conf/mapr.keytab.

As a quick refresher here is what we are dealing with in terms of a Kerberos principal for a JDBC connection string:

jdbc:hive2://HS2.FQDN:10000/default;principal=hive/fully.qual.dn.com@TEST.DOMAIN.COM

HS2.FQDN – Hive server 2 fully qualified Domain name and port – Default is 10000

primary – username – user must exist on Hiveserver2 node. You will normally see a user principal that matches the service name – i.e., hive, yarn etc.

Instance – use a FQDN that is resolvable both forward and reverse. This is a property of Apache Hive not specific to the MapR distribution (Hive version 0.13 was used in this testing against MapR 4.0.2). Hive attempts to resolve the hostname (in green above) when connecting via Kerberos.

Realm – correct Kerberos Realm name – see your local /etc/krb5.conf or consult your Kerberos Administrator.

And here are some examples of how to connect. Beeline is a Hive service you can use that is built into Hive. There are many tools that use a similar methods of connection that can be used.

You may need to either call the beeline client with a fake user name and password or hit enter twice interactively. This is a known bug.

Java Client