You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hive.apache.org by "Mithun Radhakrishnan (JIRA)" <ji...@apache.org> on 2017/09/08 22:21:00 UTC

[jira] [Created] (HIVE-17489) Separate client-facing and server-side Kerberos principals, to support HA

Mithun Radhakrishnan created HIVE-17489:
-------------------------------------------

             Summary: Separate client-facing and server-side Kerberos principals, to support HA
                 Key: HIVE-17489
                 URL: https://issues.apache.org/jira/browse/HIVE-17489
             Project: Hive
          Issue Type: Bug
          Components: Metastore
            Reporter: Mithun Radhakrishnan
            Assignee: Thiruvel Thirumoolan


On deployments of the Hive metastore where a farm of servers is fronted by a VIP, the hostname of the VIP (e.g. {{mycluster-hcat.blue.myth.net}}) will differ from the actual boxen in the farm (.e.g {{mycluster-hcat-\[0..3\].blue.myth.net}}).

Such a deployment messes up Kerberos auth, with principals like {{hcat/mycluster-hcat.blue.myth.net@GRID.MYTH.NET}}. Host-based checks will disallow servers behind the VIP from using the VIP's hostname in its principal when accessing, say, HDFS.

The solution would be to decouple the server-side principal (used to access other services like HDFS as a client) from the client-facing principal (used from Hive-client, BeeLine, etc.).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)