Oracle Big Data SQL and Kerberos FAQ





Big Data SQL and Kerberos Frequently Asked Questions (FAQ) (Doc ID 2083960.1)
APPLIES TO:

Oracle Big Data SQL – Version 2.0 and later
Linux x86-64

PURPOSE

This document provides an FAQ on how Oracle Big Data SQL (BDS) and Kerberos work together.

QUESTIONS AND ANSWERS

Do Oracle Big Data SQL queries run on the Hadoop cluster as the owner of the Oracle Database process?

Yes. Oracle Big Data SQL queries will run on the Hadoop cluster as the owner of the Oracle Database process (i.e. the oracle user). Therefore, the oracle user needs a valid Kerberos ticket in order to access data. This ticket is required for every Oracle Database instance that is accessing the cluster.

What about a ticket for each BDS server process running on the BDA?

Yes. A valid ticket is also needed for each Big Data SQL Server process running on the Oracle Big Data Appliance.

Where is the documentation on how to enable BDA access to a Kerberized Cluster?

See Section 6.2.4, Enabling Oracle Big Data SQL Access to a Kerberized Cluster, of the Big Data Appliance V4.3 Software User’s Guide.

Is it ok to run a cron job to run ‘kinit’ on the BDA?

Yes. You can write a cron job to “kinit” the BDS service.

When there is no ticket for BDS on the BDA will queries automatically be transferred to quarantine?

A quarantine stops faulty SQL statements from performing a Smart Scan. This reduces software crashes and improves storage availability. So if there is no ticket, queries will be transferred to quarantine.

Does BDS on the BDA read any data from HDFS if the service does not have a ticket?

If BDS does not have a valid ticket, it cannot be trusted. Therefore, it will not be able to read anything from HDFS or Hive.

How are Kerberos tickets used on Exadata?

For details see: How does Oracle Big Data SQL V2.0 use Kerberos Tickets on Exadata (Doc ID 2083982.1).

What about the case of connecting via Beeline?

If connecting via Beeline, the user that launches Beeline needs a valid Kerberos ticket. Otherwise, the query will fail.

If Big Data SQL queries fail with any kind of “No valid credentials provided” error, even if Kerberos tickets seem valid, is there a way to check the Kerberos Environment Variables?

Yes. Debug printing of Kerberos-related environment variables is available in the Java logging.

Enable INFO level logging for the oracle.hadoop.sql.JXADProvider class, or skip if already configured.

Add this line to the bigdata-log4j.properties file and restart the JVM.

log4j.logger.oracle.hadoop.sql.JXADProvider=INFO

In the log file, look for a line “Kerberos env vars”. If any of the following variables are defined, they will be printed with their values. If none of them are defined, this line will not be present.

KRB5_CONFIG
KRB5_KDC_PROFILE
KRB5_KTNAME
KRB5_CLIENT_KTNAME
KRB5CCNAME
KRB5RCACHETYPE
KRB5RCACHEDIR
KPROP_PORT
KRB5_TRACE

KRB5CCNAME is the one that Java uses.
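
The variables listed above can also be read directly from the environment of the running process, which shows what the JVM actually inherited rather than what a login shell has set. The script below is an added example, not Oracle's code and not part of the original note; it assumes the Linux /proc/<pid>/environ format, and the function names krb_env_of and ccache_status are hypothetical.

```shell
#!/bin/sh
# Added example: report the Kerberos variables a process actually inherited.
# The nine variable names come from the FAQ; everything else is an assumption.
KRB_VARS="KRB5_CONFIG KRB5_KDC_PROFILE KRB5_KTNAME KRB5_CLIENT_KTNAME KRB5CCNAME KRB5RCACHETYPE KRB5RCACHEDIR KPROP_PORT KRB5_TRACE"

# krb_env_of FILE
# FILE is a NUL-separated environment block (/proc/<pid>/environ format).
# Prints NAME=value for each listed variable that is defined, else nothing.
krb_env_of() {
    tr '\000' '\n' < "$1" | while IFS= read -r kv_entry; do
        kv_name=${kv_entry%%=*}
        for kv_var in $KRB_VARS; do
            if [ "$kv_name" = "$kv_var" ]; then
                printf '%s\n' "$kv_entry"
            fi
        done
    done
    return 0
}

# ccache_status FILE
# Classifies the KRB5CCNAME found in FILE as one of:
#   unset | readable | missing | non-file:<TYPE>
# "readable" is tested as the user running this script, so run it as the
# owner of the process being inspected (the oracle user in the FAQ).
ccache_status() {
    cc_name=$(krb_env_of "$1" | sed -n 's/^KRB5CCNAME=//p')
    if [ -z "$cc_name" ]; then
        echo "unset"
        return 0
    fi
    case "$cc_name" in
        FILE:*) cc_path=${cc_name#FILE:} ;;
        /*)     cc_path=$cc_name ;;
        # Other cache types (for example KEYRING: or DIR:) are only flagged here.
        *)      echo "non-file:${cc_name%%:*}"; return 0 ;;
    esac
    if [ -r "$cc_path" ]; then echo "readable"; else echo "missing"; fi
}

# Usage: sh krbenv.sh <pid>   (as the process owner or root)
if [ -n "${1:-}" ]; then
    krb_env_of "/proc/$1/environ"
    echo "KRB5CCNAME cache: $(ccache_status "/proc/$1/environ")"
fi
```

A result of "missing" or "unset" for a process whose owner has a valid ticket in a shell points at the process environment rather than at the ticket itself.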

Where is the documentation on how to secure Big Data SQL with a Kerberized Cluster?

See Chapter 6 Securing Big Data SQL of the Big Data SQL Installation Guide. For BDS 3.1, that is in the 3.1 Securing Big Data SQL chapter.

Are there any related MOS notes to check for additional information?

Yes, see: Troubleshooting Big Data SQL Query Failures in the Exadata Environment (2130290.1).

 

Author: admin