Posted to commits@kyuubi.apache.org by GitBox <gi...@apache.org> on 2021/12/14 07:23:54 UTC

[GitHub] [incubator-kyuubi] turboFei commented on a change in pull request #1552: [KYUUBI #1550] Provide a specific user guide about connecting to kerberized kyuubi

turboFei commented on a change in pull request #1552:
URL: https://github.com/apache/incubator-kyuubi/pull/1552#discussion_r768377654



##########
File path: docs/client/kerberized_kyuubi.md
##########
@@ -0,0 +1,120 @@
+<!--
+ - Licensed to the Apache Software Foundation (ASF) under one or more
+ - contributor license agreements.  See the NOTICE file distributed with
+ - this work for additional information regarding copyright ownership.
+ - The ASF licenses this file to You under the Apache License, Version 2.0
+ - (the "License"); you may not use this file except in compliance with
+ - the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing, software
+ - distributed under the License is distributed on an "AS IS" BASIS,
+ - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ - See the License for the specific language governing permissions and
+ - limitations under the License.
+ -->
+
+<div align=center>
+
+![](../imgs/kyuubi_logo.png)
+
+</div>
+
+# Access Kerberized Kyuubi with Beeline & BI Tools
+
+## Instructions
+When Kyuubi is secured by Kerberos, we can not connect to Kyuubi simply by providing a JDBC url 
+with username and password.
+Instead, following steps should be taken.
+
+## Installing and Configuring the Kerberos Clients
+Usually, Kerberos client is installed as default. You can validate it using klist tool.
+
+```bash
+$ klist -V
+Kerberos 5 version 1.15.1
+```
+
+If the client is not installed, you should install it ahead based on the OS platform.
+
+`krb5.conf` is a configuration file for tuning up the creation of Kerberos ticket cache.
+The default location is `/etc` on Linux,
+and we can use `KRB5_CONFIG` environmental variable to overwrite the location of the configuration file.
+
+Replace or configure `krb5.conf` to point to the same KDC as Kyuubi points to.
+
+## Get Kerberos Ticket Cache
+Execute `kinit` command to get Kerberos ticket cache from KDC.
+
+Suppose user principal is `kyuubi_user@KYUUBI.APACHE.ORG`, user keytab located at `/etc/security/keytabs/kyuubi_user.keytab`, 
+the command should be:
+
+```bash
+$ kinit -kt /etc/security/keytabs/kyuubi_user.keytab kyuubi_user@KYUUBI.APACHE.ORG
+```
+
+If the command executes successfully, `klist` command output should be like this:
+
+```bash
+$ klist
+
+Ticket cache: FILE:/tmp/krb5cc_1000
+Default principal: kyuubi_user@KYUUBI.APACHE.ORG
+
+Valid starting       Expires              Service principal
+2021-12-13T18:44:58  2021-12-14T04:44:58  krbtgt/KYUUBI.APACHE.ORG@KYUUBI.APACHE.ORG
+    renew until 2021-12-14T18:44:57
+```
+
+**Note**: 
+If Kyuubi is running on the same host, take care not to overwrite the ticket cache file used by Kyuubi.
+As the default ticket cache file is `/tmp/krb5cc_$(id -u)` on Linux, we should either set environment 
+variable `KRB5CCNAME` or switch to another OS user before executing `kinit` command.
+
+## Ensure core-site.xml Exists in Classpath
+Like hadoop clients, `hadoop.security.authentication` should be set to `KERBEROS` in `core-site.xml` 
+to let Hive JDBC driver use Kerberos authentication. `core-site.xml` should be placed under beeline's 
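
Review bot: In the "Get Kerberos Ticket Cache" section, the Note tells readers to set `KRB5CCNAME` before running `kinit` but shows no command, and this is the step where a mistake overwrites the ticket cache Kyuubi itself uses on a shared host. Suggest adding a concrete line ahead of the `kinit` example, for instance `export KRB5CCNAME=/tmp/krb5cc_beeline` (path illustrative), and moving the Note above the `kinit` command so it is read before the command is run. The same section assumes every user has a keytab; one sentence stating that the keytab file should be readable only by its owner, and that a user without a keytab can run `kinit kyuubi_user@KYUUBI.APACHE.ORG` and enter a password, would cover the BI-tool audience named in the title. Minor wording: "can not" should be "cannot", and describing `krb5.conf` as a file "for tuning up the creation of Kerberos ticket cache" is vague given that the next paragraph relies on it to point at the KDC.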

Review comment:
       For beeline, maybe we just need to append `-Dhadoop.security.authentication=KERBEROS` to KYUUBI_BEELINE_OPTS.



