
Kerberos implementation SAS for Hive Connection

Kerberos steps:
Get the keytab file for the user you will use to connect to Hadoop. For example, if hive is the user name, the AD team will provide a keytab file for it.

1.    Installation of required packages

    • krb5-workstation
    • krb5-auth-dialog

The keytab file is used to generate a ticket:

kinit -k -t hive.keytab hive@ZONE.BLOG.NET

Use the proper krb5.conf. By default it is in /etc, but get the correct file from the right team.

Possible Errors:

kinit: Included profile directory could not be read while initializing Kerberos 5 library – This means the krb5.conf file we are using is wrong.

2.    Add Kerberos changes to sasenv_local

File location: /opt/SASHome/SASFoundation/9.4/bin

workspace_user=$(whoami)
export KRB5_CONFIG=/etc/krb5.conf
export KRB5_KTNAME=/home/$workspace_user/kerb_files/hive.keytab
/usr/bin/kinit -k -t "/home/$workspace_user/kerb_files/hive.keytab" hive@ZONE.BLOG.NET

# Point KRB5CCNAME at the most recently modified credential cache owned by this user
workspace_user_ccaches=$(find /tmp -maxdepth 1 -user "${workspace_user}" -type f -name "krb5cc_*" -printf '%T@ %p\n' | sort -k 1nr | sed 's/^[^ ]* //' | head -n 1)
if test ! -z "$workspace_user_ccaches"; then
    echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
    echo "Cache last modified: $(stat -c%y "${workspace_user_ccaches}")"
    export KRB5CCNAME=$workspace_user_ccaches
    echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
else
    echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi
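A keytab is equivalent to the account's password, and the sasenv_local snippet above runs kinit with it on every SAS launch. The following is an added example, not part of the original post: a pre-flight check that refuses a keytab that is a symlink, owned by another user, or readable by group/other, and that skips kinit when the cache already holds a valid ticket. The function names keytab_is_safe and ensure_ticket are hypothetical; the path and principal are the ones used on this page.

```bash
# Added example (not from the original post). Function names are hypothetical.

# Return 0 only if the keytab is a regular file (not a symlink), owned by the
# calling user, and carries no group/other permission bits.
keytab_is_safe() {
    local kt="$1" owner mode
    [ -f "$kt" ] && [ ! -L "$kt" ] || { echo "not a regular file: $kt" >&2; return 1; }
    owner=$(stat -c %u "$kt")   # numeric uid of the file owner (GNU stat)
    mode=$(stat -c %a "$kt")    # octal permission bits, e.g. 600
    [ "$owner" = "$(id -u)" ] || { echo "keytab owned by uid $owner" >&2; return 1; }
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "mode $mode exposes the keytab to group/other" >&2; return 1 ;;
    esac
}

# Request a ticket only when the keytab passes the check and the current
# credential cache has no valid ticket. klist -s prints nothing and reports
# a readable, unexpired cache through its exit status.
ensure_ticket() {
    local kt="$1" principal="$2"
    keytab_is_safe "$kt" || return 1
    klist -s 2>/dev/null && return 0
    kinit -k -t "$kt" "$principal"
}

# In sasenv_local, in place of the bare kinit call:
# ensure_ticket "/home/$(whoami)/kerb_files/hive.keytab" hive@ZONE.BLOG.NET
```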



Importing the JKS. This JKS is generated on the Hadoop server by the SAS team.

On the Hadoop server:
    echo -n | openssl s_client -connect kerberoshost.hadoophost.com:10000 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > hive_kerberoshost.hadoophost.com.pem

    keytool -import -alias kerberoshost.hadoophost.com -file hive_kerberoshost.hadoophost.com.pem -keystore hivetrust.jks

On the SAS server:
cd /opt/SASHome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin
./keytool -importkeystore -srckeystore /tmp/hivetrust.jks -destkeystore ../lib/security/jssecacerts
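The s_client step above saves whatever certificate the listener on port 10000 presents at that moment, and the import then makes it trusted. The following is an added example, not part of the original post: it compares the saved PEM against a SHA-256 fingerprint obtained separately from the Hadoop administrators before keytool is run. EXPECTED_FP and the function names are hypothetical placeholders.

```bash
# Added example (not from the original post). Function names are hypothetical.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex, no colons.
pem_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Normalise a fingerprint given in any common form (colons, spaces, upper case).
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 only when the certificate in the PEM file matches the expected pin.
# An unreadable or malformed PEM yields an empty fingerprint and is rejected.
cert_matches_pin() {
    local pem="$1" expected actual
    expected=$(normalise_fp "$2")
    actual=$(pem_sha256 "$pem")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Import only when the pin matches (EXPECTED_FP is a placeholder value that
# must come from the Hadoop team over a separate channel):
# cert_matches_pin hive_kerberoshost.hadoophost.com.pem "$EXPECTED_FP" &&
#     keytool -import -alias kerberoshost.hadoophost.com \
#         -file hive_kerberoshost.hadoophost.com.pem -keystore hivetrust.jks
```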


Possible Error:

keytool error: java.io.FileNotFoundException: /home/sasdemo/kerb_files/hivetrust_gen_new.jks (Permission denied): It means you are giving the wrong password. If you keep getting this message, then regenerate a new jks file with a simple text-only password. I got the error while using an alphanumeric password.

Libname and Issues:

%let SAS_HADOOP_CONFIG_PATH=/tmp/sitexmls;
%let SAS_HADOOP_JAR_PATH=/tmp/jars;
options set=SAS_HADOOP_CONFIG_PATH="&SAS_HADOOP_CONFIG_PATH.";
options set=SAS_HADOOP_JAR_PATH="&SAS_HADOOP_JAR_PATH.";

