
Kerberos implementation in SAS for Hive Connection

Kerberos steps:
Get the keytab file for the user you are using to connect to Hadoop. For example, if hive is the user name, the AD team will provide a keytab file for it.

1.    Installation of required packages

    • krb5-workstation
    • krb5-auth-dialog

The keytab file is used to generate a ticket:

kinit -k -t hive.keytab hive@ZONE.BLOG.NET

Use the proper krb5.conf. By default it is in /etc, but get the correct file from the right team.

Possible Errors:

kinit: Included profile directory could not be read while initializing Kerberos 5 library – This means the krb5.conf file being used is wrong.

2.    Add Kerberos changes to sasenv_local

File Location -> /opt/SASHome/SASFoundation/9.4/bin

# Account this SAS session runs as
workspace_user=$(whoami)

export KRB5_CONFIG=/etc/krb5.conf
export KRB5_KTNAME=/home/$workspace_user/kerb_files/hive.keytab

# Obtain a ticket non-interactively from the keytab
/usr/bin/kinit -k -t "/home/$workspace_user/kerb_files/hive.keytab" hive@ZONE.BLOG.NET

# Find the most recently modified credential cache in /tmp owned by this user
workspace_user_ccaches=$(find /tmp -maxdepth 1 -user "${workspace_user}" -type f -name "krb5cc_*" -printf '%T@ %p\n' | sort -k 1nr | sed 's/^[^ ]* //' | head -n 1)

if test -n "$workspace_user_ccaches"; then
    echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
    echo "Cache last modified: $(stat -c%y "${workspace_user_ccaches}")"
    # Make Kerberos clients started from this environment use that cache
    export KRB5CCNAME=$workspace_user_ccaches
    echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
else
    echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi
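
A keytab holds the principal's long-term key and works like a stored password, and the ccache lookup above exports whichever krb5cc_* file in /tmp is newest. The following added example (not part of the original post) checks ownership and permissions before either file is used; the function names and the "no group/other access" policy are assumptions of this example.

```shell
# Added example, not from the original post. Function names are hypothetical.
# Assumes GNU/busybox stat (-c) and a shell whose test supports -nt.

# Succeed only if $1 is a regular file (not a symlink), owned by the current
# user, with no group/other permission bits (for example 0600 or 0400).
secret_file_ok() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "not a regular file: $f" >&2; return 1
    fi
    if [ "$(stat -c %u "$f")" != "$(id -u)" ]; then
        echo "not owned by current user: $f" >&2; return 1
    fi
    mode=$(stat -c %a "$f")
    case $mode in
        *00) return 0 ;;
        *)   echo "mode $mode exposes $f to group/other" >&2; return 1 ;;
    esac
}

# Print the newest krb5cc_* file in directory $1 that passes secret_file_ok.
# Caches with loose permissions are skipped rather than exported.
newest_private_ccache() {
    best=
    for c in "$1"/krb5cc_*; do
        secret_file_ok "$c" 2>/dev/null || continue
        if [ -z "$best" ] || [ "$c" -nt "$best" ]; then best=$c; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Usage in sasenv_local, with the variables set by the script above:
#   secret_file_ok "$KRB5_KTNAME" && /usr/bin/kinit -k -t "$KRB5_KTNAME" hive@ZONE.BLOG.NET
#   KRB5CCNAME=$(newest_private_ccache /tmp) && export KRB5CCNAME
```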



Importing the JKS. This JKS is generated on the Hadoop server by the SAS team.

On the Hadoop server:

echo -n | openssl s_client -connect kerberoshost.hadoophost.com:10000 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > hive_kerberoshost.hadoophost.com.pem

keytool -import -alias kerberoshost.hadoophost.com -file hive_kerberoshost.hadoophost.com.pem -keystore hivetrust.jks

On the SAS server:
cd /opt/SASHome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin
./keytool -importkeystore -srckeystore /tmp/hivetrust.jks -destkeystore ../lib/security/jssecacerts
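
The s_client step above saves whatever certificate the server on port 10000 presents, so it is worth comparing its fingerprint with one obtained from the Hadoop team before the certificate goes into a truststore. An added example of that check (not part of the original post); the function names and the out-of-band expected fingerprint are assumptions.

```shell
# Added example, not from the original post. Function names are hypothetical.
# The expected fingerprint is assumed to come from the Hadoop team out of band.

# Lowercase hex with separators removed, so "AB:CD" and "abcd" compare equal.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'; }

# SHA-256 fingerprint of the first certificate in PEM file $1.
pem_sha256() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    norm_fp "${out#*=}"
}

# Succeed only when the fingerprint of PEM file $1 equals expected value $2.
cert_matches_pin() {
    actual=$(pem_sha256 "$1") || { echo "cannot parse $1" >&2; return 2; }
    [ -n "$2" ] && [ "$actual" = "$(norm_fp "$2")" ] && return 0
    echo "fingerprint mismatch for $1: got $actual" >&2
    return 1
}

# Gate the import from the step above on the check
# (EXPECTED_SHA256 is a placeholder for the value you were given):
#   cert_matches_pin hive_kerberoshost.hadoophost.com.pem "$EXPECTED_SHA256" &&
#     keytool -import -alias kerberoshost.hadoophost.com \
#       -file hive_kerberoshost.hadoophost.com.pem -keystore hivetrust.jks
```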


Possible Error:

keytool error: java.io.FileNotFoundException: /home/sasdemo/kerb_files/hivetrust_gen_new.jks (Permission denied): This means you are giving the wrong password. If you keep getting this message, regenerate a new JKS file with a simple text-only password. I got the error while using an alphanumeric password.

Libname and Issues:

%let SAS_HADOOP_CONFIG_PATH=/tmp/sitexmls;
%let SAS_HADOOP_JAR_PATH=/tmp/jars;
options set=SAS_HADOOP_CONFIG_PATH="&SAS_HADOOP_CONFIG_PATH.";
options set=SAS_HADOOP_JAR_PATH="&SAS_HADOOP_JAR_PATH.";

