Kerberos
Kerberos is a network authentication protocol that provides a secure way to authenticate clients and servers over an insecure network.
The Big Data Tools plugin allows you to use Kerberos to authenticate connections to Kafka, HDFS, and Hive Metastore.
In the Big Data Tools tool window, click
and select Kafka. Or, if you want to edit an existing connection, select it and click
.
Open the Kerberos settings: In the Configuration source, select Custom, and, under Authentication, select SASL | Kerberos.
In the Krb5 Config box, select your krb5.conf or krb5.ini file or click Detect to let PyCharm detect it in default locations.
Note: The path to a krb5.conf file is a global setting. It applies to all other connections that use Kerberos in your IDE. You can also access global Kerberos settings in Settings | Appearance & Behavior | System Settings | Kerberos Authentication.
If you want to use the Kerberos ticket cache created by the kinit tool, select Use kinit cache.
Otherwise, clear the Use kinit cache checkbox and provide authentication data:
In the Principal box, enter your Kerberos principal, such as john@EXAMPLE.ORG.
In the Keytab box, specify a path to the keytab file.
![https://resources.jetbrains.com/help/img/idea/2023.2/big_data_tools_kerberos_kafka.png](https://resources.jetbrains.com/help/img/idea/2023.2/big_data_tools_kerberos_kafka.png)
Tip: Alternatively, you can set up a Kerberos connection using configuration properties. Switch to Properties in Configuration source and add the needed properties, for example:

```
sasl.kerberos.service.name=kafka
security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/etc/security/keytabs/john.keytab" principal="john@EXAMPLE.COM";
```
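As an added example (not part of the original documentation and not JetBrains code), the following Python script checks a property set like the one above before you use it for a connection: it flags SASL_PLAINTEXT, which authenticates with Kerberos but leaves the traffic unencrypted, and a keytab that users other than its owner can access. The function names and finding codes are hypothetical, and the sample input is constructed.

```python
import os
import re
import stat

JAAS_OPT = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s;]+))')  # name=value or name="value"

# Constructed sample modelled on the properties above; {keytab} is filled in by the caller.
SAMPLE = """\
sasl.kerberos.service.name=kafka
security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="{keytab}" principal="john@EXAMPLE.COM";
"""

def parse_properties(text):
    """Parse key=value lines; only the first '=' separates key from value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def jaas_options(jaas):
    """Return the options of an inline sasl.jaas.config value as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in JAAS_OPT.finditer(jaas)}

def audit(text):
    """Return (code, message) findings; the codes are hypothetical labels."""
    props = parse_properties(text)
    opts = jaas_options(props.get("sasl.jaas.config", ""))
    findings = []
    if props.get("security.protocol") == "SASL_PLAINTEXT":
        findings.append(("NO_TLS", "Kerberos authenticates, but traffic is not encrypted; prefer SASL_SSL"))
    if props.get("sasl.mechanism") != "GSSAPI":
        findings.append(("MECHANISM", "sasl.mechanism is not GSSAPI, so Kerberos is not used"))
    if opts.get("useKeyTab") == "true":
        keytab = opts.get("keyTab")
        if not keytab or not os.path.isfile(keytab):
            findings.append(("KEYTAB_MISSING", f"keytab not found: {keytab}"))
        elif stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:
            findings.append(("KEYTAB_PERMS", "keytab is accessible to group or others; restrict it to the owner"))
    return findings

if __name__ == "__main__":
    for code, message in audit(SAMPLE.format(keytab="/etc/security/keytabs/john.keytab")):
        print(code, message)
```

A keytab holds the principal's long-term keys, so anyone who can read the file can authenticate as that principal; the permission check treats any group or other access bit as a finding.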
In the Big Data Tools window, click
and select HDFS. Or, if you want to edit an existing connection, select it and click
.
Open the Kerberos settings: In the Configuration source, select Custom, and, under Authentication, select Kerberos.
In the Krb5 Config box, select your krb5.conf or krb5.ini file or click Detect to let PyCharm detect it in default locations.
Note: The path to a krb5.conf file is a global setting. It applies to all other connections that use Kerberos in your IDE. You can also access global Kerberos settings in Settings | Appearance & Behavior | System Settings | Kerberos Authentication.
If you want to use the Kerberos ticket cache created by the kinit tool, select Use kinit cache.
Otherwise, clear the Use kinit cache checkbox and provide authentication data:
In Authentication by, select the authentication method:
Keytab: enter your Kerberos principal, such as john@EXAMPLE.ORG, and a path to the keytab file.
Password: enter your Kerberos principal, such as john@EXAMPLE.ORG, and the principal password.
JAAS config: specify the path to the JAAS Login Configuration File. PyCharm detects JAAS entries in the file, and you can then select the one you want to use for authentication in the JAAS entry list. Alternatively, click Generate JAAS entry to generate a new JAAS entry and add it to the file.
Note: The path to a JAAS Login Configuration File is a global setting. It applies to all HDFS connections that use Kerberos in your IDE.
In the Big Data Tools window, click
and select Hive. Or, if you want to edit an existing connection, select it and click
.
Open the Kerberos settings: In the Configuration source, select Custom, and, under Authentication, select Kerberos.
In the Krb5 Config box, select your krb5.conf or krb5.ini file or click Detect to let PyCharm detect it in default locations.
Note: The path to a krb5.conf file is a global setting. It applies to all other connections that use Kerberos in your IDE. You can also access global Kerberos settings in Settings | Appearance & Behavior | System Settings | Kerberos Authentication.
If you want to use the Kerberos ticket cache created by the kinit tool, select Use kinit cache.
Otherwise, clear the Use kinit cache checkbox and provide authentication data:
In the Principal box, enter your Kerberos principal, such as john@EXAMPLE.ORG.
In the Keytab box, specify a path to the keytab file.
If you have issues with Kerberos authentication, you can enable logging of Kerberos and Java Generic Security Services (JGSS) debug messages. The logs are then available in Help | Show Log in Finder and Help | Open Log in Editor.
In the Settings dialog (Ctrl+Alt+S), go to Appearance & Behavior | System Settings | Kerberos Authentication.
Select the Kerberos debug logging and JGSS debug logging checkboxes.