On deployments of the Hive metastore where a farm of servers is fronted by a VIP, the hostname of the VIP (e.g. mycluster-hcat.blue.myth.net) will differ from those of the actual hosts in the farm (e.g. mycluster-hcat-[0..3].blue.myth.net).
Such a deployment breaks Kerberos auth when the principal carries the VIP's hostname, as in hcat/mycluster-hcat.blue.myth.net@GRID.MYTH.NET. Host-based checks will disallow servers behind the VIP from using the VIP's hostname in their principals when accessing, say, HDFS.
The solution would be to decouple the server-side principal (used to access other services like HDFS as a client) from the client-facing principal (used from Hive-client, BeeLine, etc.).
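The following is an added illustration, not code from Hive: a simplified model of the host-based check described above, run against the four farm members with a single VIP-based principal and then with the two principals decoupled. The `MetastoreConfig` field names and the exact-match check are assumptions made for the example; `_HOST` is the Hadoop placeholder that expands to the local hostname.

```python
# Simplified model (assumption): a downstream service such as HDFS accepts a
# host-based principal only if its host part equals the caller's own FQDN.
from dataclasses import dataclass

REALM = "GRID.MYTH.NET"
VIP = "mycluster-hcat.blue.myth.net"
FARM = [f"mycluster-hcat-{i}.blue.myth.net" for i in range(4)]


def parse_principal(principal):
    """Split 'service/host@REALM' into its three parts."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    if not (service and host and realm):
        raise ValueError(f"not a host-based principal: {principal!r}")
    return service, host, realm


def host_check(principal, caller_fqdn):
    """Modelled host-based check: host part must match the caller's FQDN."""
    _, host, _ = parse_principal(principal)
    return host.lower() == caller_fqdn.lower()


@dataclass
class MetastoreConfig:
    # Hypothetical field names, not Hive configuration keys.
    client_facing_principal: str     # what Hive-client/BeeLine request tickets for
    server_side_principal: str = ""  # used when acting as a client of HDFS

    def outbound_principal(self, local_fqdn):
        """Principal this farm member presents to other services."""
        chosen = self.server_side_principal or self.client_facing_principal
        return chosen.replace("_HOST", local_fqdn)


def outbound_results(cfg):
    """Map each farm member to whether its outbound principal passes the check."""
    return {h: host_check(cfg.outbound_principal(h), h) for h in FARM}


# Before: one principal for both roles, tied to the VIP hostname.
coupled = MetastoreConfig(f"hcat/{VIP}@{REALM}")
# After: clients still address the VIP; each server uses its own hostname outbound.
decoupled = MetastoreConfig(f"hcat/{VIP}@{REALM}", f"hcat/_HOST@{REALM}")

if __name__ == "__main__":
    print("coupled:  ", outbound_results(coupled))
    print("decoupled:", outbound_results(decoupled))
```

With the decoupled configuration each farm member also needs a keytab entry for its own host principal in addition to the shared VIP principal.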