MapR 5.0 Documentation : Configure Hive Metastore to Use Kerberos Authentication

  1. Configure the following properties in hive-site.xml (/opt/mapr/hive/hive-<version>/conf/hive-site.xml):

    PropertyValue

    hive.metastore.kerberos.keytab.file 

    <The Keytab file that contains the HiveMetastore principle.>
    hive.metastore.kerberos.principal<The HiveMetastore principal. For example, mapr/<FQDN@REALM>.>
    <property>
      <name>hive.metastore.kerberos.keytab.file</name>
      <value>/opt/mapr/conf/metastore.keytab</value>
      <description>The path to the Kerberos Keytab file containing the metastore thrift server's service principal.</description>			
    </property>
    <property>
      <name>hive.metastore.kerberos.principal</name>
      <value>mapr/<FQDN@REALM></value>
      <description>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct hostname.</description>
    </property>	
  2. Configure the following properties in /opt/mapr/conf/env.sh on each node where the Hive Metastore is installed:
    • Set MAPR_HIVE_LOGIN _OPTS to "-Dhadoop.login=hybrid"
    • Set MAPR_HIVE_SERVER_LOGIN_OPTS to "-Dhadoop.login=hybrid"

Configuring Hive Metastore Clients to use Kerberos when authenticating with Hive Metastore

Complete the following steps on each node where a Hive Metastore client is installed:

  1. Configure MAPR_HIVE_LOGIN _OPTS to" -Dhadoop.login=hybrid" in /opt/mapr/conf/env.sh.
  2. Configure the following property in hive-site.xml:

    PropertyValue
    hive.metastore.kerberos.principal<The HiveMetastore principal. For example, mapr/<FQDN@REALM>.>
    <property>
      <name>hive.metastore.kerberos.principal</name>
      <value>mapr/<FQDN@REALM></value>
      <description>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct hostname.</description>
    </property>	  

See Connecting to Hive for details on how to connect to HiveMetastore once the server and client node are configured to use Kerberos.

The MAPR_HIVE_LOGIN_OPTS and MAPR_HIVE_SERVER_LOGIN_OPTS were added in 1504 release of Hive 0.13 and Hive 1.0. If you have Hive 0.13 from a prior release, you do not need to configure these properties. Instead, set MAPR_ECOSYSTEM_LOGIN_OPTS and MAPR_ECOSYSTEM_SERVER_LOGIN_OPTS to "-Dhadoop.login=hybrid" in /opt/mapr/conf/env.sh.