This page explains how to configure Kerberos. We update the following files:

├── conf
│   ├── core-site.xml
│   └── krb5.conf
├── ranger-key
├── ranger-conf
│   ├── core-site.xml
│   ├── krb5.conf
│   ├── ranger-admin-site.xml.append
│   └── solr-security.json
└── timeline-conf
    ├── krb5.conf
    └── yarn-site.xml

conf/core-site.xml and ranger-conf/core-site.xml

Set the configuration key to kerberos.

$ vi conf/core-site.xml ranger-conf/core-site.xml


conf/krb5.conf, ranger-conf/krb5.conf, timeline-conf/krb5.conf

Update krb5.conf, which contains the Kerberos configuration.

$ vi conf/krb5.conf ranger-conf/krb5.conf timeline-conf/krb5.conf

[libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  forwardable = true
  rdns = false
  default_realm = PL
  default_ccache_name = /tmp/krb5cc_%{uid}

[realms]
  PL = {
    admin_server =
    kdc =
  }


Set the following variables to Kerberos principals for Ranger.

$ vi ranger-key/



The environment variable SOLR_AUTHENTICATION_OPTS should use the host running Ranger, the SPNEGO service principal, and its service keytab.

$ vi kubernetes/ranger-key/

-Dsolr.kerberos.cookie.domain=orange1 \
-Dsolr.kerberos.principal=HTTP/orange1@PL \


Set the configuration key xasecure.audit.jaas.Client.option.principal to the admin service principal for Ranger.

$ vi ranger-conf/ranger-admin-site.xml.append



ranger-conf/solr-security.json sets the configuration for authentication and authorization in Solr used by Ranger. The user-role section should specify the service principal for HiveServer2 and the admin service principal for Ranger.

$ vi ranger-conf/solr-security.json

{
  "authentication": {
    "class": ""
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "update",
        "role": "updater"
      },
      {
        "name": "read",
        "role": "reader"
      },
      {
        "name": "*",
        "role": "admin"
      }
    ],
    "user-role": {
      "hive/orange1@PL": "updater",
      "rangeradmin/orange1@PL": "reader"
    }
  }
}
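
An added example (not part of the original page or of the MR3 project's code): a Python check that every principal in the user-role section is a service principal in the realm set by default_realm in krb5.conf, and that none is mapped to the role holding the catch-all "*" permission. The function names and the embedded sample files are constructed for illustration.

```python
import json
import re

# Constructed inputs that mirror the values shown on this page.
KRB5_CONF = "[libdefaults]\n  default_realm = PL\n"
SOLR_SECURITY = """{
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "update", "role": "updater"},
      {"name": "read", "role": "reader"},
      {"name": "*", "role": "admin"}
    ],
    "user-role": {
      "hive/orange1@PL": "updater",
      "rangeradmin/orange1@PL": "reader"
    }
  }
}"""

# Service principal of the form primary/host@REALM.
PRINCIPAL = re.compile(r"^[^/@\s]+/[^/@\s]+@([^/@\s]+)$")


def default_realm(krb5_text):
    """Return default_realm from krb5.conf text, or None if it is not set."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.MULTILINE)
    return m.group(1) if m else None


def audit_user_roles(security_text, krb5_text):
    """Return findings for the user-role mapping (empty list means clean)."""
    authz = json.loads(security_text)["authorization"]
    realm = default_realm(krb5_text)
    # Assumes each permission names a single role as a string, as on this page.
    granted = {p["role"]: p["name"] for p in authz["permissions"]}
    findings = []
    for principal, roles in authz["user-role"].items():
        m = PRINCIPAL.match(principal)
        if not m:
            findings.append(f"{principal}: not of the form primary/host@REALM")
        elif m.group(1) != realm:
            findings.append(f"{principal}: realm is not default_realm ({realm})")
        for role in [roles] if isinstance(roles, str) else roles:
            if role not in granted:
                findings.append(f"{principal}: role {role!r} matches no permission")
            elif granted[role] == "*":
                findings.append(f"{principal}: role {role!r} holds the catch-all permission")
    return findings
```

Calling audit_user_roles with the contents of ranger-conf/solr-security.json and ranger-conf/krb5.conf returns an empty list when the mapping matches what this page describes.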


In timeline-conf/yarn-site.xml, set the configuration key yarn.timeline-service.http-authentication.type to kerberos. Use a Kerberos keytab file to configure authentication as shown below.



Using Kerberos-based authentication for MR3-UI is optional and can be disabled independently of the configuration of Hive on MR3. In order not to use Kerberos-based authentication for MR3-UI, set the configuration key yarn.timeline-service.http-authentication.type to simple.

Configuring Ranger

In the Ranger service, fill the JDBC URL field with:

  • jdbc:hive2://orange1:9852/;principal=hive/orange1@PL;

Running queries

To send queries to the public HiveServer2, the user should obtain a valid Kerberos ticket and use the following JDBC URL:

  • jdbc:hive2://orange1:9852/;principal=hive/orange1@PL;

Accessing MR3-UI

To access MR3-UI, the web browser should be configured to establish a secure connection with the Timeline Server by passing a Kerberos ticket. See Running MR3-UI for details.