Requirements for using Kerberos

To use Kerberos for authentication in Hive, the user should provide the details of the Kerberos server: 1) the Kerberos realm; 2) the IP address of the Kerberos admin server; 3) the IP address of the KDC (Key Distribution Center). Since Hive uses Ranger for authorization, and Ranger internally uses Kerberos as well, Ranger needs its own principals too.

The field HiveServer2 Host Alias assigns an alias to the host name of HiveServer2. This alias is used as the instance (the part after the slash) in the Hive service principal stored in the Kerberos keytab.

Hive

Hive requires two service principals: 1) one for the public HiveServer2 and 2) one for the internal HiveServer2 (which is not exposed outside the Kubernetes cluster). The service principal for the public HiveServer2 is determined by the HiveServer2 host alias and the Kerberos realm. For example, with host alias hs2domain and Kerberos realm AWS, we have:

  • The service principal in the field Public Service Keytab should be hive/hs2domain@AWS.

The service principal for the internal HiveServer2 is determined by the Kerberos realm alone.

  • The service principal in the field Internal Service Keytab should be hive/hiveserver2-internal.hivemr3.svc.cluster.local@AWS.

Ranger

Ranger requires two service principals and a user principal. All three are uniquely determined by the Kerberos realm. For example, with Kerberos realm AWS, we have:

  • The SPNEGO service principal in the field Spnego Service Keytab should be HTTP/ranger.hivemr3.svc.cluster.local@AWS.
  • The admin service principal in the field Admin Service Keytab should be rangeradmin/ranger.hivemr3.svc.cluster.local@AWS.
  • The lookup principal in the field Lookup Keytab should be rangerlookup@AWS.
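The naming rules above for both the Hive and the Ranger principals are easy to get wrong in a keytab (a different realm spelling, or a keytab that carries more identities than its component needs). The following added example, which is not part of the Hive on MR3 documentation, derives the expected principal for each field and checks a `klist -kt` listing against it; the field names are those on this page, and the `klist` output is a constructed sample.

```python
import re

# Field -> principal template, following the naming rules on this page.
# {host} is the HiveServer2 host alias, {realm} the Kerberos realm.
PRINCIPAL_TEMPLATES = {
    "Public Service Keytab": "hive/{host}@{realm}",
    "Internal Service Keytab": "hive/hiveserver2-internal.hivemr3.svc.cluster.local@{realm}",
    "Spnego Service Keytab": "HTTP/ranger.hivemr3.svc.cluster.local@{realm}",
    "Admin Service Keytab": "rangeradmin/ranger.hivemr3.svc.cluster.local@{realm}",
    "Lookup Keytab": "rangerlookup@{realm}",
}

def expected_principals(realm, host_alias):
    """Return {field: principal} for the given realm and HiveServer2 host alias."""
    return {f: t.format(host=host_alias, realm=realm) for f, t in PRINCIPAL_TEMPLATES.items()}

# One entry line of `klist -kt` output: KVNO, date, time, principal.
_ENTRY = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s*$")

def principals_in_keytab_listing(klist_output):
    """Parse `klist -kt` output and return the set of principals it lists."""
    return {m.group(1) for m in map(_ENTRY.match, klist_output.splitlines()) if m}

def check_keytab(field, klist_output, realm, host_alias):
    """Compare a keytab listing with the principal the field requires.
    ok is True only when that principal is present and no other principal is
    in the keytab (each keytab should carry exactly its component's identity)."""
    required = expected_principals(realm, host_alias)[field]
    found = principals_in_keytab_listing(klist_output)
    problems = []
    if required not in found:
        problems.append("missing " + required)
    problems += ["unexpected principal " + p for p in sorted(found - {required})]
    return (not problems, problems)

# Constructed sample: `klist -kt hive.keytab` for a keytab that was generated
# with the realm in lowercase, so it does not match hive/hs2domain@AWS.
SAMPLE_LISTING = """\
Keytab name: FILE:hive.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 00:00:00 hive/hs2domain@aws
   2 01/01/2024 00:00:00 hive/hs2domain@aws
"""

if __name__ == "__main__":
    print(check_keytab("Public Service Keytab", SAMPLE_LISTING, "AWS", "hs2domain"))
```

Run it with the real output of `klist -kt <keytab>` for each of the five keytabs before mounting them into the cluster; a realm mismatch like the one in the sample makes HiveServer2 fail to authenticate against the KDC.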