I am trying to connect to Impala using a keytab file, but I didn't find the exact URL to connect with a keytab. I have gone through the Cloudera documentation, but it does not mention using a keytab file with a principal to connect to Impala. What will be the JDBC URL to connect to Impala using a keytab file?
As described in the User Guide, section "Using Kerberos", Impala JDBC driver supports three methods of getting Kerberos Subject:
...
1. The driver tries to obtain the Subject from the current thread's inherited AccessControlContext. If the AccessControlContext contains multiple Subjects, the driver uses the most recent Subject.
2. The driver checks the java.security.auth.login.config system property for a JAAS configuration. If a JAAS configuration is specified, the driver uses that information to create a LoginContext and then uses the Subject associated with it.
3. The driver checks the KRB5_CONFIG and KRB5CCNAME system environment variables for a Kerberos ticket cache. The driver uses the information from the cache to create a LoginContext and then uses the Subject associated with it.
You can control which method the driver uses via the KrbAuthType parameter in the connection URL; otherwise it will try each method one by one.
So, all you should do to use a keytab file (method #2) is:
- create a jaas.conf file specifying keytab location, principal, etc.,
- set the system property java.security.auth.login.config in your program (or use the JVM startup argument -Djava.security.auth.login.config=</some-path-to/jaas.conf>) pointing to the location of that jaas.conf, and
- in your JDBC connection URL, set ...AuthMech=1;KrbRealm=<YOUR-REALM.COM>;KrbHostFQDN=your.impalad.host.com;KrbServiceName=<impala-service-principal> for Kerberos authentication
...before trying to connect.
Alternatively, kinit using your keytab so that the ticket cache contains the necessary TGT before calling your Java application (essentially, use method 3 above).
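The keytab procedure above (method 2) as an added Java example, not code from the original answer or from Cloudera: it refuses a keytab that is readable beyond its owner, points the JVM at jaas.conf, and connects. The host names, realm, file paths, port 21050, the service name impala and the JAAS entry name Client are assumptions to replace with your own values.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

/*
 * jaas.conf (constructed sample; the entry name "Client" and every value are
 * assumptions, check the driver's User Guide for the entry name it expects):
 *
 *   Client {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *     useKeyTab=true
 *     keyTab="/etc/security/keytabs/etl.keytab"
 *     principal="etl@EXAMPLE.COM"
 *     doNotPrompt=true;
 *   };
 */
public class ImpalaKeytabConnect {
    // A keytab is a long-lived credential: refuse one that group or others can access.
    // Requires a POSIX file system (Linux, macOS).
    static void requireOwnerOnly(Path keytab) throws IOException {
        for (PosixFilePermission p : Files.getPosixFilePermissions(keytab)) {
            if (!p.name().startsWith("OWNER_")) {
                throw new SecurityException(keytab + " is accessible beyond its owner: " + p);
            }
        }
    }

    public static void main(String[] args) throws IOException, SQLException {
        requireOwnerOnly(Paths.get("/etc/security/keytabs/etl.keytab"));
        // Same effect as -Djava.security.auth.login.config=...; must be set before connecting.
        System.setProperty("java.security.auth.login.config", "/etc/impala-client/jaas.conf");
        // No user name or password in the URL: the identity comes from the keytab.
        String url = "jdbc:impala://impalad.example.com:21050;AuthMech=1;"
                + "KrbRealm=EXAMPLE.COM;KrbHostFQDN=impalad.example.com;KrbServiceName=impala";
        try (Connection c = DriverManager.getConnection(url)) {
            System.out.println("connected as " + c.getMetaData().getUserName());
        }
    }
}
```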
I am trying to open a JDBC connection to a Google Cloud Spanner database, but I get the following error message:
java.lang.IllegalArgumentException: A project ID is required for this
service but could not be determined from the builder or the
environment. Please set a project ID using the builder.
My JDBC URL is as follows:
jdbc:cloudspanner://localhost;Project=project-id;Instance=instance-id;Database=database-name;PvtKeyPath=path-to-key-file
If I remove the Project property from the URL, I get the following exception:
java.sql.SQLNonTransientConnectionException: [Simba]JDBC
Connection Refused: [Simba]JDBC Required Connection Key(s):
Project; [Simba]JDBC Optional Connection Key(s): Language,
Mode
So it seems that the driver does pick up my Project ID, but somehow does not accept it. I have checked and double checked that my project id does equal the project id that I created on Google, I have also tried to change the value to the project name instead of the project id, but to no avail.
Does anyone have a URL example that works?
EDIT: It appears to be related to the reference to the private key file. If I make an environment variable GOOGLE_APPLICATION_CREDENTIALS pointing to my private key file, the connection can successfully be made. If I remove this environment variable, I get the above exception.
Which version of the driver are you using? In the latest version, if you are specifying the path to the credentials file in the URL then you need not set GOOGLE_APPLICATION_CREDENTIALS.
As the JDBC Driver supplied by Google is severely limited (does not support DML and DDL statements), I have written my own JDBC Driver. The driver is designed to work with JPA/Hibernate-enabled applications. The driver can be found here: https://github.com/olavloite/spanner-jdbc
This driver supports the same kind of URLs as the driver supplied by Google, including the PvtKeyPath property.
I want to be able to connect to a SQL Server using jdbc and windows authentication.
I saw some answers on the internet saying I should add the following property to the connection string:
integratedSecurity=true;
And also add
sqljdbc_auth.dll
To the java path.
But this, as far as I understand, applies only when I'm connecting from a Windows machine.
When I try this on a Linux machine I get:
java.sql.SQLException: This driver is not configured for integrated authentication
My question is how do I do it from a Linux machine.
Thanks
Well, eventually I answer my own question:
It is not possible to use Windows authentication from a Linux machine using the Microsoft JDBC driver.
It is possible using the jTDS JDBC driver with the following connection string:
jdbc:jtds:sqlserver://host:port;databaseName=dbname;domain=domainName;useNTLMv2=true;
Thank you all for all the comments
TL;DR
It is not possible to use native Windows Authentication for JDBC connections to MSSQL from a JVM running on Linux.
This MSDN article explains the authentication methods with JDBC on Linux, potential errors, and available options:
https://blogs.msdn.microsoft.com/psssql/2015/01/09/jdbc-this-driver-is-not-configured-for-integrated-authentication/
...in the JDBC 4.0 driver, you can use the authenticationScheme connection property to indicate how you want to use Kerberos to connect to SQL. There are two settings here.
- NativeAuthentication (default) – This uses the sqljdbc_auth.dll and is specific to the Windows platform. This was the only option prior to the JDBC 4.0 driver.
- JavaKerberos – Makes use of the Java API’s to invoke kerberos and does not rely on the Windows Platform. This is java specific and not bound to the underlying operating system, so this can be used on both Windows and Linux platforms.
...
The following document outlines how to use Kerberos with the JDBC
Driver and walks through what is needed to get JavaKerberos working
properly.
Using Kerberos Integrated Authentication to Connect to SQL Server
http://msdn.microsoft.com/en-us/library/gg558122%28v=sql.110%29.aspx
For those who are using DBeaver the way to connect to the SQL Server Database is:
In order to connect to the SQL Server from Linux Debian using DBeaver
1.- Select SQL Server jTDS driver
2.- Enter the connection information
3.- Go to Driver Properties tab and add the domain, user, password
Just as a note, in some posts I found that they needed to change the property USENTLMV2 to TRUE, but it worked for me with USENTLMV2 set to either true or false.
A problem that I found was that when I was trying to connect to the database using my user and password, the following error was thrown:
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
This error was thrown because my user was about to expire. I tried with another AD user and it could connect.
I know this is kind of an older topic but in case Google sends people here:
There are two main JDBC drivers for SQL Server. One is from Microsoft and the other from jTDS. jTDS can, amazingly, connect using Windows auth (NTLM) from other platforms, including Linux, as described here: http://jtds.sourceforge.net/faq.html#windowsAuth. It can, of course, also use SQL-authenticated logins. SQL-authenticated logins are no harder to use from any OS than any other, so don't forget about those an option.
The version provided by Microsoft is the one from which #mjn provided a quote from the documentation. It is able to connect using Windows authentication by specifying integratedSecurity=true, authenticationScheme=javaKerberos, and authentication=NotSpecified.
It is tricky to get this working even if you don't go out of your way to find more confusion, so always keep in mind which driver you are using - and tell us in these posts so that you can get more specific help.
This JDBC URL is validated to work with latest Microsoft SQL Server JDBC driver:
jdbc:sqlserver://[server]:[port];database=[db];trustServerCertificate=true;integratedSecurity=true;user=[user without domain];password=[pw];authenticationScheme=NTLM;domain=[domain];authentication=NotSpecified
Example:
jdbc:sqlserver://mysql.myorg.com:1433;database=mydb;trustServerCertificate=true;integratedSecurity=true;user=myuser;password=mypwd;authenticationScheme=NTLM;domain=ad.myorg.com;authentication=NotSpecified
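An added Java example, not part of the original answer, that takes a URL of the shape shown above and connects with the same NTLM settings while keeping the user and password out of the URL string and validating the server certificate instead of setting trustServerCertificate=true. The class name, the harden helper and the MSSQL_PASSWORD environment variable are hypothetical; the host and account values are the placeholders from the example above.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class SqlServerNtlmConnect {
    /**
     * Rewrites a URL of the shape shown above: user/password move into
     * Properties (so they stay out of logged URLs) and certificate validation
     * is switched back on. Plain split on ';', so {braced} values are not handled.
     */
    static String harden(String url, Properties creds) {
        StringBuilder out = new StringBuilder();
        for (String part : url.split(";")) {
            int eq = part.indexOf('=');
            String key = eq < 0 ? "" : part.substring(0, eq).trim();
            if (key.equalsIgnoreCase("user") || key.equalsIgnoreCase("password")) {
                creds.setProperty(key.toLowerCase(), part.substring(eq + 1));
            } else if (!key.equalsIgnoreCase("trustServerCertificate")
                    && !key.equalsIgnoreCase("encrypt")) {
                out.append(part).append(';');
            }
        }
        // The server certificate must now chain to a CA in the JVM trust store
        // and match the host name in the URL.
        return out + "encrypt=true;trustServerCertificate=false";
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample URL using the placeholder names from the example above.
        String legacy = "jdbc:sqlserver://mysql.myorg.com:1433;database=mydb;"
                + "trustServerCertificate=true;integratedSecurity=true;user=myuser;"
                + "password=mypwd;authenticationScheme=NTLM;domain=ad.myorg.com;"
                + "authentication=NotSpecified";
        Properties creds = new Properties();
        String url = harden(legacy, creds);
        // MSSQL_PASSWORD is a hypothetical variable name; any secret store works.
        String pw = System.getenv("MSSQL_PASSWORD");
        if (pw != null) creds.setProperty("password", pw);
        System.out.println(url); // no user or password in the string that gets logged
        try (Connection c = DriverManager.getConnection(url, creds)) {
            System.out.println("connected: " + c.getMetaData().getDatabaseProductVersion());
        }
    }
}
```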
I was able to connect to a SQL Server 2016 Data Mart over a JDBC connection with the Microsoft JDBC Driver using Windows Authentication, using the following script on an Ubuntu Linux Docker image running on Windows 10.
# initializes spark session
from pyspark.sql import SparkSession

spark = SparkSession\
    .builder\
    .master('local[*]')\
    .appName('FDM')\
    .config("spark.driver.extraClassPath", "pyspark_jars/*")\
    .config('spark.executor.memory', '4g')\
    .config('spark.driver.memory', '16g')\
    .config('spark.executor.cores', '4')\
    .getOrCreate()

jdbc_url = '''jdbc:sqlserver://SERVER;databaseName=DBNAME;trustServerCertificate=true;integratedSecurity=true;user=USERID;password=PASSWORD;authenticationScheme=NTLM;domain=US;authentication=NotSpecified'''

spark_df = spark.read\
    .format("jdbc")\
    .option("url", jdbc_url)\
    .option("driver", "com.microsoft.sqlserver.jdbc.SQLServerDriver")\
    .option("query", 'select top(1000) * from SCHEMA.TABLE')\
    .option("fetchsize", 100000)\
    .load()

spark_df.write.csv('TEST.csv', mode="overwrite", header=True)
Using a JDBC connection to Hive, I can't seem to get Hive to actually find the keytab I want to connect with. I've written a custom krb5 login module to point to the keytab and added it in the Java options (-Djava.security.auth.login.config). Any thoughts on why it might not be taking?
Before trying to establish the connection, you must check whether the keytab authentication has been renewed or not.
Run the klist command in Linux and check the expiry date and time. If the authentication has already expired, use the kinit command to renew it before establishing the connection through JDBC.
I am using the jTDS driver in order to connect to an SQL Server database from my Android application, which uses Windows Authentication. As advised in the FAQs, I read the README.SSO file and, as told, I placed the native SPPI library (ntlmauth.dll) in the system path (defined by the PATH system variable).
However, when I try to connect to the database using the following code:
String driver = "net.sourceforge.jtds.jdbc.Driver";
Class.forName(driver).newInstance();
String connString = "jdbc:jtds:sqlserver://192.168.56.1/MyMovies;";
Connection conn = DriverManager.getConnection(connString);
I get the following exception:
java.sql.SQLException: Single-Sign-On is only supported on Windows. Please specify a user name.
Since you are connecting from an android device, you would not be able to get the SSO credentials required by the driver to connect to SQL server. The setting you referred to works only if the java program trying to connect to the DB is on a windows machine, which is clearly mentioned by the error message.
Unless your application has authorization based on the SSO user connecting to the DB, you should have an SQL Server user-based authentication mechanism to connect to the server and all authorization procedures should be tied to this user.
You might have to give the username also.
"jdbc:jtds:sqlserver://192.168.56.1/MyMovies;instance=SQLEXPRESS;user=foo"
I am currently investigating how to make a connection to a SQL Server database from my Java EE web application using Windows Authentication instead of SQL Server authentication. I am running this app off of Tomcat 6.0, and am utilizing the Microsoft JDBC driver. My connection properties file looks as follows:
dbDriver = com.microsoft.sqlserver.jdbc.SQLServerDriver
dbUser = user
dbPass = password
dbServer = localhost:1433;databaseName=testDb
dbUrl = jdbc:sqlserver://localhost:1433
I have zero problems with connecting to a SQL Server database in this fashion when using SQL Server authentication.
Is there any way I can retrieve the credentials of the user's Windows Authentication and use that authentication for SQL Server?
UPDATE: I know in ASP.net there is a way to set up Windows Authentication for access to the webapp, which is exactly what I am looking for, except I want to pass that token off to SQL Server for access to the database.
I do not think one can push the user credentials from the browser to the database (and does it make sense? I think not).
But if you want to use the credentials of the user running Tomcat to connect to SQL Server then you can use Microsoft's JDBC Driver.
Just build your JDBC URL like this:
jdbc:sqlserver://localhost;integratedSecurity=true;
And copy the appropriate DLL to Tomcat's bin directory (sqljdbc_auth.dll provided with the driver)
MSDN > Connecting to SQL Server with the JDBC Driver > Building the Connection URL
look at
http://jtds.sourceforge.net/faq.html#driverImplementation
What is the URL format used by jTDS?
The URL format for jTDS is:
jdbc:jtds:<server_type>://<server>[:<port>][/<database>][;<property>=<value>[;...]]
...
domain
Specifies the Windows domain to authenticate in. If present and the user name and password are provided, jTDS uses Windows (NTLM) authentication instead of the usual SQL Server authentication (i.e. the user and password provided are the domain user and password). This allows non-Windows clients to log in to servers which are only configured to accept Windows authentication.
If the domain parameter is present but no user name and password are provided, jTDS uses its native Single-Sign-On library and logs in with the logged Windows user's credentials (for this to work one would obviously need to be on Windows, logged into a domain, and also have the SSO library installed -- consult README.SSO in the distribution on how to do this).
This actually works for me:
Per the README.SSO that comes with the jTDS distribution:
In order for Single Sign On to work, jTDS must be able to load the native SPPI library ntlmauth.dll. Place this DLL anywhere in the system path (defined by the PATH system variable) and you're all set.
I placed it in my jre/bin folder
I configured a port dedicated to the SQL Server instance (2302) to alleviate the need for an instance name - just something I do. lportal is my database name.
jdbc.default.url=jdbc:jtds:sqlserver://192.168.0.147:2302/lportal;useNTLMv2=true;domain=mydomain.local
Unless you have some really compelling reason not to, I suggest ditching the MS JDBC driver.
Instead, use the jtds jdbc driver. Read the README.SSO file in the jtds distribution on how to configure for single-sign-on (native authentication) and where to put the native DLL to ensure it can be loaded by the JVM.
I was having issues connecting to MS SQL 2005 using Windows Authentication. I was able to solve the issue with help from this and other forums. Here is what I did:
- Install the jTDS driver
- Do not use the "domain= " property in the jdbc:jtds:<server_type>://<server>[:<port>][/<database>][;<property>=<value>[;...]] string
- Install the ntlmauth.dll in the c:\windows\system32 directory (registration of the dll was not required) on the web server machine.
- Change the logon identity for the Apache Tomcat service to a domain User with access to the SQL database server (it was not necessary for the user to have access to the dbo.master).
My environment:
Windows XP client hosting Apache Tomcat 6 with MS SQL 2005 backend on Windows 2003