In Hadoop clusters, delegation tokens are a lightweight authentication mechanism that gives connections the benefits of Kerberos authentication without constant contact with the Kerberos Key Distribution Center (KDC) for user ticket validation and service ticket requests. With delegation token authentication, a single connection authenticates to the KDC and retrieves a delegation token from the server. That token can then be shared among other connections to authenticate user requests without additional round trips to the KDC.

To use Hadoop delegation token authentication, you must modify your connection code to perform the following:

  1. Connect using Kerberos authentication with a keytab or ticket cache. For example:
    Connection kerbCon = DriverManager.getConnection(
        "jdbc:datadirect:hive://myHiveHost:10000;DatabaseName=myHiveDB;"
        + "AuthenticationMethod=kerberos;ServicePrincipalName=hive/myHiveHost@MY.KERB.DOMAIN.COM");

    See "Configuring the driver for Kerberos authentication" for an overview of standard Kerberos authentication.

  2. Cast the connection to the DataDirect ExtDelegationTokenConnection class. Then call the method to get the token string from the driver and store it in your application. For example:
    String token = ((com.ddtek.jdbc.extensions.ExtDelegationTokenConnection) kerbCon)
        .getDelegationToken("<owner>", "<renewer_name>");
    where:
    owner
    is the owner who supplied the Kerberos ticket at connection. For example, if you executed the kinit command with myUser@myDomain.com, this value would be myUser.
    renewer_name
    is the user that makes the renewDelegationToken call, if you want to use renewable tokens. If you do not want to renew tokens, this string can be any other value; in that case the token can still be used for authentication, but it is not renewable.
  3. Connect using a new connection string that specifies:
    • Using the AuthenticationMethod property, the DelegationToken value.
    • Using the SASLQOP property, the quality of protection used on the server for SASL mechanisms. The default is auth.
    • Using the DelegationToken property, the delegation token value.
    For example:
    Connection tokenCon = DriverManager.getConnection(
        "jdbc:datadirect:hive://myHiveHost:10000;DatabaseName=myHiveDB;"
        + "AuthenticationMethod=delegationToken;SASLQOP=auth-conf;DelegationToken=" + token);
  4. To renew tokens, call the renewDelegationToken method on the connection that originally authenticated to Kerberos. For example:
    ((com.ddtek.jdbc.extensions.ExtDelegationTokenConnection) kerbCon).renewDelegationToken(token);
  5. To cancel tokens, call the cancelDelegationToken method on the connection that originally authenticated to Kerberos. For example:
    ((com.ddtek.jdbc.extensions.ExtDelegationTokenConnection) kerbCon).cancelDelegationToken(token);
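The five steps above wired together end to end, as an added example rather than code from the DataDirect documentation. The host, port, database, principal, owner and renewer values are placeholders, and the query on the token connection is only there to prove the token works; the ExtDelegationTokenConnection methods are the ones named on this page.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import com.ddtek.jdbc.extensions.ExtDelegationTokenConnection;

public class DelegationTokenFlow {
    // Assumed cluster details (placeholders, not from the docs).
    static final String HOST = "myHiveHost";
    static final String DB = "myHiveDB";
    static final String SPN = "hive/myHiveHost@MY.KERB.DOMAIN.COM";
    static final String OWNER = "myUser";   // kinit principal without the realm
    static final String RENEWER = "myUser"; // the user that will call renewDelegationToken

    public static void main(String[] args) throws SQLException {
        // Step 1: exactly one connection talks to the KDC (keytab or ticket cache).
        String kerbUrl = "jdbc:datadirect:hive://" + HOST + ":10000;DatabaseName=" + DB
                + ";AuthenticationMethod=kerberos;ServicePrincipalName=" + SPN;
        try (Connection kerbCon = DriverManager.getConnection(kerbUrl)) {
            ExtDelegationTokenConnection ext = (ExtDelegationTokenConnection) kerbCon;

            // Step 2: fetch the token. It is a reusable credential, so keep it out of logs.
            String token = ext.getDelegationToken(OWNER, RENEWER);

            // Step 3: worker connections present only the token; no KDC round trip.
            // SASLQOP=auth-conf asks for integrity and confidentiality on the wire.
            String tokenUrl = "jdbc:datadirect:hive://" + HOST + ":10000;DatabaseName=" + DB
                    + ";AuthenticationMethod=delegationToken;SASLQOP=auth-conf;DelegationToken=" + token;
            try (Connection tokenCon = DriverManager.getConnection(tokenUrl);
                 Statement st = tokenCon.createStatement();
                 ResultSet rs = st.executeQuery("SELECT 1")) {
                if (rs.next()) {
                    System.out.println("token connection works: " + rs.getInt(1));
                }
            }

            // Step 4: renew on the Kerberos-authenticated connection if workers run long.
            ext.renewDelegationToken(token);

            // Step 5: cancel on that same connection when the work is done, so the token
            // cannot be reused for the remainder of its lifetime.
            ext.cancelDelegationToken(token);
        }
    }
}
```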