This page explains additional steps for using Kerberos for authentication in Hive on MR3.

Kerberos keytabs

In our example, we assume that orange1 is the host name assigned to the Services for HiveServer2, Ranger, and MR3-UI/Grafana, and that PL is the Kerberos realm.

Create a Kerberos keytab file for service principal hive/orange1@PL. In our example, we create a keytab file hive-orange1.keytab.

For accessing Kerberized HDFS, the user should create a keytab file with a user principal. For example, we can create a keytab file hive.keytab for principal hive@PL.

Copy all keytab files in the directories key and timeline-key.

$ ls key/*.keytab
key/hive.keytab  key/hive-orange1.keytab

$ ls timeline-key/*.keytab
key/hive.keytab  key/hive-orange1.keytab

For Ranger, create three Kerberos keytab files with exactly the following names and copy them in the directory ranger-key.

  • rangeradmin.keytab with admin service principal rangeradmin/orange1@PL
  • spnego.service.keytab with SPNEGO service principal HTTP/orange1@PL
  • rangerlookup.keytab with lookup principal rangerlookup@PL
$ ls ranger-key/*.keytab
ranger-key/rangeradmin.keytab  ranger-key/rangerlookup.keytab  ranger-key/spnego.service.keytab

values-hive.yaml

Update values-hive.yaml as follows:

$ vi values-hive.yaml

metastore:
  secureMode: true
  kerberosPrincipal: hive/orange1@PL
  kerberosKeytab: "hive-orange1.keytab"

hive:
  createSecret: true
  authentication: KERBEROS
  kerberosPrincipal: hive/orange1@PL
  kerberosKeytab: "hive-orange1.keytab"
  • Since Metastore uses Kerberos-based authentication, set metastore/secureMode to true. metastore/kerberosPrincipal and metastore/kerberosKeytab specify the service principal name and the service keytab file, respectively.
  • hive/createSecret specifies whether or not to create a Secret from files in the directory key and should be set to true.
  • Since HiveServer2 uses Kerberos-based authentication, set hive/authentication to KERBEROS. hive/kerberosPrincipal and hive/kerberosKeytab specify the service principal name and the service keytab file, respectively.

For accessing Kerberized HDFS, set the following variables. See Accessing Kerberized HDFS for additional steps.

$ vi values-hive.yaml

hdfs:
  userPrincipal: hive@PL
  userKeytab: "hive.keytab"
  tokenRenewalEnabled: true
  • hdfs/userPrincipal specifies the principal name to use when renewing HDFS tokens.
  • hdfs/userKeytab specifies the name of the keytab file.
  • hdfs/tokenRenewalEnabled should be set to true in order to automatically renew HDFS tokens.

values-ranger.yaml and values-timeline.yaml

Update values-ranger.yaml and values-timeline.yaml to create Secrets from files in the directories ranger-key and timeline-key.

$ vi values-ranger.yaml

ranger:
  createSecret: true

$ vi values-timeline.yaml

timeline:
  createSecret: true

Configuring for Kerberos

Follow the instructions in Configuring for Kerberos.

Calendar Feb 23, 2023