Configure Hive Metastore to use Kerberos

Enabling Hive Metastore to use Kerberos authentication requires a kerberos principal, kerberos keytab, and the following configurations.

Complete the following steps on each node where a Hive Metastore is installed:

  1. Create a Kerberos server identity and add it to a keytab file. You can use the following commands in a Linux-based Kerberos environment to set up the identity and update the keytab file:
    Note: MapR clusters do not provide Kerberos infrastructure. The tips in this step assume a Linux-based Kerberos environment, and the specific commands for your environment may vary. Consult with your Kerberos administrator for assistance.
    # kadmin
        : addprinc -randkey username/<FQDN@REALM>
        : ktadd -k /opt/mapr/conf/hive.keytab username/<FQDN@REALM>

    The hive.keytab file must be owned and readable only by the mapr user.

  2. Configure the following properties in the following file:
    Property Value
    The Keytab file that contains the HiveMetastore principal.
    <The HiveMetastore principal. For example, mapr/<FQDN@REALM>.>
      <description>The path to the Kerberos Keytab file containing the metastore thrift server's service principal.</description>                   
      <description>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct hostname.</description>
  3. Configure the following properties in /opt/mapr/conf/ on each node where the Hive Metastore is installed: