DBeaver + Windows + Kerberos – Trouble shooting.

How to Troubleshoot DBeaver (On windows) with Kerberos/Ranger integration

Dbeaver can be a little tricky to work with.  It’s error messages are just exceptions from Java and haven’t been translated into a “SQL writer” friendly translation.  This can leave some users scratching their heads as to what to do. Sometimes you’ll even get connected, but claim you don’t have access to a table that you just used yesterday.

This is painful error to get HiveAccessControlException Permission denied user [username] does not have [SELECT] privilege on [TABLE].  How is this possible?  You just used this table yesterday and everything was fine.  You have already check Ranger, and they absolutely have permission to access the table.

Dbeaver error message, showing Ranger access denied error message.
Dbeaver error message

For the following tutorial  we will use a user with the name of “USERNAME”.  

We will be using a windows active directory domain of “my.domain.com”.  This in kerberos speak is called a realm. So if I say “realm” I’m actually just referring to windows active directory domain.  And if I refer to “domain” I mean “realm”. They are for this tutorial interchangeable.

Windows is really handy to work with Kerberos.  If you login on a domain, it will automatically create you a kerberos ticket, and store it in a cache for you.  This is great. But…

CaSe MaTtErS.

Windows is very forgiving and will ignore the case that you use to login.  If you login with “USERNAME” or “username” it will log you in and it won’t care about the case.  As already mentioned it will create you a kerberos ticket. What I glossed over was that it will create a ticket  with whatever case you used to login. So if you login with “USERNAME” you will get a kerberos ticket with “USERNAME” if you login with “username” it will create you a login with “username”.  This is a problem because kerberos cares about case, and sees “username” as a different user than “USERNAME”. There are arguments for which side is more ridiculous in this integration of windows & kerberos, but we’ll set that aside and talk about what to do to make it work.

What case should I log in with so that it works with kerberos?

  1. Bring up a Command prompt
    1. Login to windows.  
    2. Press the [windows button] 
    3. type ‘CMD’, 
    4. press [enter] or [return]  
  2. Run the command “whoami” 
    1. type ‘whoami’, 
    2. press [enter] or [return]  
  3. This will list provide the username that is listed in Active directory.  (Regardless of the case that you used to login.) This will be the [domain]/[username] (and correct case) that Kerberos will expect.
  4. Once you have discovered this correct username, logout of windows and log back in with this username.  (If you are using a VM, and it automatically logs you in, you still need to log out of the actual machine your are working on, not just the VM.  Re-login with the correct case and forget any other cases of your user name you ever thought of.)

Normal procedure for for logging into DBeaver with user: USERNAME to follow:

Login to your computer with USERNAME. (yes the Mac/windows machine you work with. )

Close Dbeaver, Open Dbeaver.  -> everything should work.

The most common fix for any issue with DBeaver:

Close and re-open DBeaver.  (DBeaver is ‘sticky’ and won’t use new credentials without being closed/opened.  Credentials typically expire every 24 hours. So close and open DBeaver often fixes most issues.)

New users often have this issue:

They login to their computer with username. (and their hadoop recognized user as USERNAME) (or vice versa), no amount of opening/closing DBEAVER will help as the credentials are in the incorrect case.

Often simply logging out of your laptop, trying to login as the opposite case username/USERNAME and closing/re-open DBeaver fixes the issue.

If the above doesn’t work this will work:

Read the above section “What case should I log in with so that it works with kerberos?”

(click on the windows button in the lower left hand corner of the screen)

(Type ‘cmd’ and press ‘Enter’ or ‘Return’) . This will launch a black terminal screen.

In to the terminal:

(type klist and press ‘Enter’ or ‘Return’) This will show you what is in your kerberos credential cache.(kerberos token)

Compare this to your whoami.  You will see some differences.  In KLIST your username will display the full REALM. Example:  “USERNAME @ MY.DOMAIN.COM.”

With whoami it will show you the short version of your realm Example: “MY/USERNAME”

Kerberos tool output from windows CMD
kerberos tools on windows

Hopefully this will help you to be able to login to DBeaver with Good Kerberos Credentials.

Some machines will let you use a program called kinit to correct your credentials.  Look this up for more information on how to fix your computer without logging our and back in.  As this doesn’t consistently work between windows versions I only mention it here instead of explaining it in detail.  Logging out and in will correct the kerberos ticket so please use that as it works for the most reliably.

« »

Recent Articles

Apache Kafka – 5 Best Practices tips
Apache Kafka – 5 Best Practices tips

Apache Kafka can be a powerful tool for your data streams, but if the environment is not favorable,  it could …
Read more

Rebalancing a Datanode in Hadoop 2.0 when the cluster is balanced
Rebalancing a Datanode in Hadoop 2.0 when the cluster is balanced

Your cluster is balanced but your Datanode is not balanced. Maybe you lost a drive, added drives, or deleted and …
Read more

Cloudera Data Platform on Amazon vs Amazon EMR vs Amazon Roll your own.
Cloudera Data Platform on Amazon vs Amazon EMR vs Amazon Roll your own.

This week I spent some time looking at Cloudera Data Platform(CDP) in the cloud and how it stacks up against …
Read more