Connecting to Hive from Java code (with Kerberos and Sentry enabled)

Once Kerberos authentication is enabled, a user needs a keytab to log in to the Hive CLI or beeline. To that end, we first create two principals, user1 and user2, in the Kerberos database.
Generate the keytabs for user1 and user2:

kadmin.local:  xst -norandkey -k user1.keytab user1
Entry for principal user1 with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type camellia256-cts-cmac added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type camellia128-cts-cmac added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:user1.keytab.
Entry for principal user1 with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:user1.keytab.
kadmin.local:  xst -norandkey -k user2.keytab user2
Entry for principal user2 with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type camellia256-cts-cmac added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type camellia128-cts-cmac added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:user2.keytab.
Entry for principal user2 with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:user2.keytab.

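Two databases, db1 and db2, have already been created in the Hive CLI: db1 contains table1, and db2 contains table1 and table2. The role for db1 has been granted to user1 and the role for db2 to user2. As a result, user1 connecting through beeline sees only db1 and the table1 inside it, and likewise user2 sees only db2 and its table1 and table2.
beeline connects with the following command: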

 beeline -u "jdbc:hive2://hxmaster:10000/;principal=hive/hxmaster@ANDREW.COM"

Because we are connecting to the cluster from a local machine, the generated user1.keytab and user2.keytab, together with /etc/krb5.conf, must be copied to a local directory of your choice; here we use "D:/keytab".
With that done, we can write a Java program in a local IntelliJ environment to connect to Hive. The hive-jdbc and hadoop-client jars are needed to provide the runtime environment, so we add them to the build.sbt file.

libraryDependencies += "org.apache.hive" % "hive-jdbc" % "1.1.0"

libraryDependencies += "org.apache.hadoop" % "hadoop-client" % "2.6.5"

With everything in place, the following code queries user1's table in Hive:

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

public class KBSimple {
    private static final String JDBC_DRIVER = "org.apache.hive.jdbc.HiveDriver";
    private static final String CONNECTION_URL = "jdbc:hive2://hxmaster:10000/;principal=hive/hxmaster@ANDREW.COM";

    public static void main(String[] args) throws Exception {
        // Load the Hive JDBC driver
        Class.forName(JDBC_DRIVER);

        // Point the JVM at the krb5.conf copied from the cluster
        System.setProperty("java.security.krb5.conf", "D:\\keytab\\krb5.conf");

        // Log in with the Kerberos account, using user1's keytab
        Configuration configuration = new Configuration();
        configuration.set("hadoop.security.authentication", "Kerberos");
        UserGroupInformation.setConfiguration(configuration);
        UserGroupInformation.loginUserFromKeytab("user1@ANDREW.COM",
                "D:\\keytab\\user1.keytab");

        // try-with-resources closes the result set, statement and connection
        try (Connection connection = DriverManager.getConnection(CONNECTION_URL);
             PreparedStatement ps = connection.prepareStatement("select * from db1.table1");
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                System.out.println(rs.getString(1));
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

The execution result is as follows:
[Screenshot: query output for user1]
In the same way, to query table2 as user2, modify the code slightly:
[Screenshot: modified code for user2]
The execution result is as follows:
[Screenshot: query output for user2]
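The per-user isolation described above can also be checked from Java. The following is an added example, not the article's own code: it logs in both principals in one JVM and confirms that each can read only its own database. The class name, the helper methods and the realm of the user principals (taken from the beeline URL) are assumptions, and it needs the cluster, keytabs and krb5.conf used in this walkthrough.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import java.security.PrivilegedExceptionAction;
import java.sql.*;

public class SentryIsolationCheck { // hypothetical class name, not from the article
    private static final String URL = "jdbc:hive2://hxmaster:10000/;principal=hive/hxmaster@ANDREW.COM";

    // True if sql succeeds as this principal, false if rejected; connection errors propagate.
    static boolean canQuery(final UserGroupInformation ugi, final String sql) throws Exception {
        return ugi.doAs(new PrivilegedExceptionAction<Boolean>() {
            @Override
            public Boolean run() throws Exception {
                try (Connection c = DriverManager.getConnection(URL);
                     Statement s = c.createStatement()) {
                    try (ResultSet rs = s.executeQuery(sql)) {
                        return true;
                    } catch (SQLException e) {
                        System.out.println("  rejected: " + e.getMessage());
                        return false;
                    }
                }
            }
        });
    }

    // Fails loudly when the observed access differs from the intended grants.
    static void expect(UserGroupInformation ugi, String sql, boolean allowed) throws Exception {
        boolean actual = canQuery(ugi, sql);
        System.out.println(ugi.getUserName() + " | " + sql + " | allowed=" + actual);
        if (actual != allowed) throw new IllegalStateException("Sentry grants differ from the intended policy");
    }

    public static void main(String[] args) throws Exception {
        Class.forName("org.apache.hive.jdbc.HiveDriver");
        System.setProperty("java.security.krb5.conf", "D:\\keytab\\krb5.conf");
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "Kerberos");
        UserGroupInformation.setConfiguration(conf);
        // One UGI per principal; this call does not replace the JVM-wide login user.
        UserGroupInformation user1 = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                "user1@ANDREW.COM", "D:\\keytab\\user1.keytab"); // realm assumed from the beeline URL
        UserGroupInformation user2 = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                "user2@ANDREW.COM", "D:\\keytab\\user2.keytab");
        expect(user1, "select * from db1.table1", true);
        expect(user2, "select * from db2.table2", true);
        expect(user1, "select * from db2.table2", false); // cross-database access must fail
        expect(user2, "select * from db1.table1", false);
    }
}
```

Running the JDBC calls inside `doAs` makes each connection authenticate as that UGI's principal, so a single run exercises both the allowed and the denied paths.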
