apache/kyuubi
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
ffbf5303fb
kyuubi/docs/authentication.md
Kent Yao ae85c245d2
Prepare releasing v0.5.0 (#152) 
* Prepare releasing 0.5.0

* update documentations
2019-02-25 12:33:48 +08:00

59 lines
2.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Kyuubi Authentication/Security Guide
Kyuubi supports Anonymous (no authentication) with and without SASL, Kerberos (GSSAPI), pass through LDAP between the Thrift client and itself.
## Configuration
Name|Default|Description
---|---|---
spark.kyuubi.<br />authentication | NONE | Authentication mode, default NONE. Options are NONE (uses plain SASL), NOSASL, KERBEROS, LDAP.
#### NONE
###### Server
```bash
$KYUUBI_HOME/bin/start-kyuubi.sh --conf spark.kyuubi.authentication=NONE
```
###### Client
```bash
$SPARK_HOME/bin/beeline -u "jdbc:hive2://${replace with spark.kyuubi.frontend.bind.host}:10009/;hive.server2.proxy.user=yaooqinn"
```
#### NOSASL
###### Server
```bash
$KYUUBI_HOME/bin/start-kyuubi.sh --conf spark.kyuubi.authentication=NOSASL
```
###### Client
```bash
$SPARK_HOME/bin/beeline -u "jdbc:hive2://${replace with spark.kyuubi.frontend.bind.host}:10009/;hive.server2.proxy.user=hzyaoqin;auth=noSasl"
```
#### KERBEROS
If you configure Kyuubi to use Kerberos authentication, Kyuubi acquires a Kerberos ticket during startup. Kyuubi requires a principal and keytab file specified in `$SPARK_HOME/conf/spark-defaults.conf`. Client applications (for example, JDBC or Beeline) must have a valid Kerberos ticket before initiating a connection to Kyuubi.
Set following for KERBEROS mode:
- spark.yarn.principal Kerberos principal for Kyuubi server.
- spark.yarn.keytab Keytab for Kyuubi server principal.
**NOTE:**: NONE and NOSASL mode also support these two configurations for Kyuubi to talk with a kerberized cluster only without verifying client accessing via kerberos.
###### Server
```bash
$KYUUBI_HOME/bin/start-kyuubi.sh --conf spark.kyuubi.authentication=KERBEROS
```
###### Client
```bash
$SPARK_HOME/bin/beeline -u "jdbc:hive2://${replace with spark.kyuubi.frontend.bind.host}:10000/;principal=${replace with spark.yarn.principal};hive.server2.proxy.user=yaooqinn"
```
## Additional Documentations
[Building Kyuubi](https://yaooqinn.github.io/kyuubi/docs/building.html)
[Kyuubi Deployment Guide](https://yaooqinn.github.io/kyuubi/docs/deploy.html)
[Kyuubi Containerization Guide](https://yaooqinn.github.io/kyuubi/docs/containerization.html)
[High Availability Guide](https://yaooqinn.github.io/kyuubi/docs/high_availability_guide.html)
[Configuration Guide](https://yaooqinn.github.io/kyuubi/docs/configurations.html)
[Kyuubi ACL Management Guide](https://yaooqinn.github.io/kyuubi/docs/authorization.html)
[Kyuubi Architecture](https://yaooqinn.github.io/kyuubi/docs/architecture.html)
[Home Page](https://yaooqinn.github.io/kyuubi/)
Reference in New Issue View Git Blame Copy Permalink