MapR 5.0 Documentation : Authentication for Hive Metastore

You can configure authentication for in-bound client connections to the Hive Metastore when the metastore is remote, not embedded. Clients of Hive Metastore include the HiveCLI, HCatalog, HiveServer2, and WebHCat. 

Hive Metastore supports the following authentication methods:

  • MapR-SASL
  • Kerberos

To configure authentication for Hive Metastore, add the following property to hive-site.xml:

<property>
	<name>hive.metastore.sasl.enabled</name>
	<value>true</value>
	<description>if true, the metastore thrift interface will be secured with SASL.</description>
</property>

MapR-SASL Authentication

MapR-SASL is available starting with the 1504 release of Hive 0.13 and Hive 1.0, and it is the default authentication method when the cluster is secure.

Configuring Hive Metastore to use MapR-SASL

When the cluster is secure, the following default settings in /opt/mapr/conf/env.sh configure the node to use MapR-SASL:

  • MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=maprsasl"
  • MAPR_HIVE_SERVER_LOGIN_OPTS="-Dhadoop.login=maprsasl_keytab"

Configuring Hive Metastore Clients to use MapR-SASL when authenticating with Hive Metastore

When the cluster is secure, the following default settings in /opt/mapr/conf/env.sh configure the node to use MapR-SASL:

  • MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=maprsasl"

Hive Metastore clients must provide a valid MapR ticket to connect to the Hive Metastore. See Connecting to Hive for details.

Kerberos Authentication

When the cluster is secure, you can configure Hive Metastore to use Kerberos authentication. You must also configure Hive Metastore clients to use Kerberos when authenticating with Hive Metastore.

Configuring Hive Metastore to use Kerberos

Enabling Hive Metastore to use Kerberos authentication requires a Kerberos principal, a Kerberos keytab, and the following configurations.

Complete the following steps on each node where a Hive Metastore is installed:

  1. Create a Kerberos server identity and add it to a keytab file. 

    MapR clusters do not provide Kerberos infrastructure. The tips in this step assume a Linux-based Kerberos environment, and the specific commands for your environment may vary. Consult with your Kerberos administrator for assistance.

    You can use the following commands in a Linux-based Kerberos environment to set up the identity and update the keytab file:

    # kadmin
        : addprinc -randkey username/<FQDN@REALM>
        : ktadd -k /opt/mapr/conf/hive.keytab username/<FQDN@REALM>

    The hive.keytab file must be owned and readable only by the mapr user.

  2. Configure the following properties in hive-site.xml (/opt/mapr/hive/hive-<version>/conf/hive-site.xml):

    Property                               Value
    hive.metastore.kerberos.keytab.file    The Keytab file that contains the HiveMetastore principal.
    hive.metastore.kerberos.principal      The HiveMetastore principal. For example, mapr/<FQDN@REALM>.

    <property>
      <name>hive.metastore.kerberos.keytab.file</name>
      <value>/opt/mapr/conf/metastore.keytab</value>
      <description>The path to the Kerberos Keytab file containing the metastore thrift server's service principal.</description>			
    </property>
    <property>
      <name>hive.metastore.kerberos.principal</name>
      <value>mapr/<FQDN@REALM></value>
      <description>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct hostname.</description>
    </property>	
  3. Configure the following properties in /opt/mapr/conf/env.sh on each node where the Hive Metastore is installed:
    • Set MAPR_HIVE_LOGIN_OPTS to "-Dhadoop.login=hybrid"
    • Set MAPR_HIVE_SERVER_LOGIN_OPTS to "-Dhadoop.login=hybrid"
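
A check for the server-side settings above, as an added example that is not part of the MapR documentation: it reads hive-site.xml and reports when SASL is off, the principal is unset, or the keytab named there is missing, owned by the wrong user, or accessible to group or others. The function names and the owner_uid parameter are assumptions of this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

def load_props(hive_site):
    """Return {name: value} for every <property> in a hive-site.xml file."""
    root = ET.parse(hive_site).getroot()
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit_metastore_kerberos(hive_site, owner_uid):
    """Return a list of findings; an empty list means every check passed."""
    props = load_props(hive_site)
    findings = []
    if props.get("hive.metastore.sasl.enabled", "").lower() != "true":
        findings.append("hive.metastore.sasl.enabled is not true")
    principal = props.get("hive.metastore.kerberos.principal", "")
    # Expect name/host@REALM; a leftover "<...>" placeholder is rejected.
    if "/" not in principal or "@" not in principal or "<" in principal:
        findings.append("hive.metastore.kerberos.principal is missing or a placeholder")
    keytab = props.get("hive.metastore.kerberos.keytab.file", "")
    if not keytab:
        findings.append("hive.metastore.kerberos.keytab.file is not set")
        return findings
    try:
        st = os.stat(keytab)
    except OSError:
        # Also catches a path that differs from the file written by ktadd.
        findings.append(f"keytab {keytab} cannot be stat'ed (missing or wrong path)")
        return findings
    if st.st_uid != owner_uid:
        findings.append(f"keytab {keytab} is not owned by the expected user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other permission bit exposes the service key
        findings.append(f"keytab {keytab} is accessible to group or others (mode {mode:o})")
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    # Usage: pass the path to hive-site.xml; the keytab owner is the mapr user.
    for finding in audit_metastore_kerberos(sys.argv[1], pwd.getpwnam("mapr").pw_uid):
        print("FINDING:", finding)
```

Run it on each metastore node after step 3; no output means the checks passed.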

Configuring Hive Metastore Clients to use Kerberos when authenticating with Hive Metastore

Complete the following steps on each node where a Hive Metastore client is installed:

  1. Set MAPR_HIVE_LOGIN_OPTS to "-Dhadoop.login=hybrid" in /opt/mapr/conf/env.sh.
  2. Configure the following property in hive-site.xml:

    Property                             Value
    hive.metastore.kerberos.principal    The HiveMetastore principal. For example, mapr/<FQDN@REALM>.

    <property>
      <name>hive.metastore.kerberos.principal</name>
      <value>mapr/<FQDN@REALM></value>
      <description>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct hostname.</description>
    </property>	  

See Connecting to Hive for details on how to connect to HiveMetastore once the server and client node are configured to use Kerberos.

The MAPR_HIVE_LOGIN_OPTS and MAPR_HIVE_SERVER_LOGIN_OPTS properties were added in the 1504 release of Hive 0.13 and Hive 1.0. If you have Hive 0.13 from a prior release, you do not need to configure these properties. Instead, set MAPR_ECOSYSTEM_LOGIN_OPTS and MAPR_ECOSYSTEM_SERVER_LOGIN_OPTS to "-Dhadoop.login=hybrid" in /opt/mapr/conf/env.sh.