MapR 5.0 Documentation : Configure HiveServer2 to Use Kerberos Authentication

Enabling HiveServer2 to use Kerberos authentication requires the following steps on each node where HiveServer2 is installed:

  1. Configure the following properties in hive-site.xml on each node where hiveserver2 is installed:

    Property: hive.server2.authentication
    Value:    KERBEROS

    Property: hive.server2.authentication.kerberos.principal
    Value:    <HiveServer2 principal. For example, mapr/FQDN@REALM>

    Property: hive.server2.authentication.kerberos.keytab
    Value:    <The keytab file for the HiveServer2 principal. For example, /opt/mapr/conf/hive.keytab>

    <property>
      <name>hive.server2.authentication</name>
      <value>KERBEROS</value>
      <description>Authentication type</description>
    </property>
    <property>
      <name>hive.server2.authentication.kerberos.principal</name>
      <value>mapr/FQDN@REALM</value>
      <description>HiveServer2 principal. If _HOST is used as the FQDN portion, it will be replaced with the actual hostname of the running instance.</description>
    </property>
    <property>
      <name>hive.server2.authentication.kerberos.keytab</name>
      <value>/opt/mapr/conf/hive.keytab</value>
      <description>Keytab file for HiveServer2 principal</description>	
    </property>
  2. Reconfigure the following options in env.sh (/opt/mapr/conf/env.sh) on each node where hiveserver2 is installed:

    Existing configuration:

    MAPR_HIVE_SERVER_LOGIN_OPTS="-Dhadoop.login=maprsasl_keytab"
    MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=maprsasl"

    Required configuration:

    MAPR_HIVE_SERVER_LOGIN_OPTS="-Dhadoop.login=hybrid"
    MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=hybrid"

    These settings are listed in the portion of the file that begins with if [ "$MAPR_SECURITY_STATUS" = "true" ];
  3. Restart HiveServer2 to apply these changes. 

    maprcli node services -name hs2 -action restart -nodes <comma separated list of nodes>
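
One way to check steps 1 and 2 on a node before restarting HiveServer2, as an added example that is not MapR tooling or part of the original page. The function names and the sample env.sh text are constructed; the code assumes hive-site.xml has a `<configuration>` root element and that the secure-mode block in env.sh ends at its first `else` or `fi`.

```python
import re
import xml.etree.ElementTree as ET

HYBRID = "-Dhadoop.login=hybrid"
ENV_VARS = ("MAPR_HIVE_SERVER_LOGIN_OPTS", "MAPR_HIVE_LOGIN_OPTS")
PREFIX = "hive.server2.authentication"

def check_hive_site(xml_text):
    """Return problems found in the step 1 properties of hive-site.xml."""
    props = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
             for p in ET.fromstring(xml_text).iter("property")}
    problems = []
    if props.get(PREFIX) != "KERBEROS":
        problems.append(f"{PREFIX} is not KERBEROS")
    m = re.fullmatch(r"[^/@\s]+/([^/@\s]+)@([^/@\s]+)",
                     props.get(PREFIX + ".kerberos.principal", ""))
    if not m:
        problems.append("principal is not of the form primary/host@REALM")
    elif m.group(1) == "FQDN" or m.group(2) == "REALM":
        problems.append("principal still holds the FQDN/REALM placeholder")
    if not props.get(PREFIX + ".kerberos.keytab", "").startswith("/"):
        problems.append("keytab is not an absolute path")
    return problems

def check_env_sh(env_text):
    """Return problems found in the step 2 settings of env.sh."""
    in_block, seen = False, {}
    for line in map(str.strip, env_text.splitlines()):
        if line.startswith('if [ "$MAPR_SECURITY_STATUS" = "true" ]'):
            in_block = True
        elif in_block and line in ("else", "fi"):
            break  # assumption: the secure-mode block ends at its else/fi
        elif in_block:  # commented-out assignments do not match the pattern
            m = re.match(r'(?:export\s+)?(\w+)="?([^"]*)"?$', line)
            if m and m.group(1) in ENV_VARS:
                seen[m.group(1)] = m.group(2)
    return [f"{v} is {seen.get(v)!r}, expected {HYBRID!r}"
            for v in ENV_VARS if seen.get(v) != HYBRID]

# Constructed sample: env.sh with only one of the two options changed.
SAMPLE_ENV_SH = '''
if [ "$MAPR_SECURITY_STATUS" = "true" ]; then
MAPR_HIVE_SERVER_LOGIN_OPTS="-Dhadoop.login=maprsasl_keytab"
MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=hybrid"
fi
'''
if __name__ == "__main__":
    for problem in check_env_sh(SAMPLE_ENV_SH):
        print("env.sh:", problem)
```

An empty list from both functions means the file matches the settings in steps 1 and 2; the `_HOST` form of the principal is accepted.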

Configuring HiveServer 2 Clients to use Kerberos when Authenticating with HiveServer2

  • On each node where HiveServer2 clients (not including Beeline) are installed, reconfigure the following option in env.sh (/opt/mapr/conf/env.sh):

    Existing configuration:

    MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=maprsasl"

    Required configuration:

    MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=hybrid"

    This configuration is listed in the portion of the file that begins with if [ "$MAPR_SECURITY_STATUS" = "true" ];
  • On each node where Beeline is installed, reconfigure the following option in beeline.sh ($hive_home/bin/ext/beeline.sh):

    Existing configuration:

    HADOOP_OPTS="$HADOOP_OPTS${MAPR_HIVE_LOGIN_OPTS}"

    Required configuration:

    HADOOP_OPTS="$HADOOP_OPTS${KERBEROS_LOGIN_OPTS}"

For more information, see Connecting to Hive.

The MAPR_HIVE_LOGIN_OPTS and MAPR_HIVE_SERVER_LOGIN_OPTS properties were added in the 1504 release of Hive 0.13 and Hive 1.0. If you have Hive 0.13 from a prior release, you do not need to configure these properties. Instead, set MAPR_ECOSYSTEM_LOGIN_OPTS and MAPR_ECOSYSTEM_SERVER_LOGIN_OPTS to "-Dhadoop.login=hybrid" in /opt/mapr/conf/env.sh.