  1. Hive
  2. HIVE-17489

Separate client-facing and server-side Kerberos principals, to support HA

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0, 2.4.0, 2.2.1
    • Component/s: Metastore
    • Labels:
      None

      Description

      On deployments of the Hive metastore where a farm of servers is fronted by a VIP, the hostname of the VIP (e.g. mycluster-hcat.blue.myth.net) will differ from the actual boxen in the farm (e.g. mycluster-hcat-[0..3].blue.myth.net).

      Such a deployment messes up Kerberos auth, with principals like hcat/mycluster-hcat.blue.myth.net@GRID.MYTH.NET. Host-based checks will disallow servers behind the VIP from using the VIP's hostname in its principal when accessing, say, HDFS.

      The solution would be to decouple the server-side principal (used to access other services like HDFS as a client) from the client-facing principal (used from Hive-client, BeeLine, etc.).
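
      The trade-off described above can be made concrete with a small model. This is an added example, not part of the issue or of the Hive patch; it assumes the host-based check is a plain comparison between the principal's host part and the caller's hostname, and the function names are hypothetical (hostnames and realm are the ones in the description).

```python
# Added illustration, not Hive/Hadoop code. Assumption: the host-based check
# accepts a principal only if its host part equals the caller's own hostname.
from typing import NamedTuple

REALM = "GRID.MYTH.NET"
VIP = "mycluster-hcat.blue.myth.net"
FARM = [f"mycluster-hcat-{i}.blue.myth.net" for i in range(4)]

class Principal(NamedTuple):
    service: str
    host: str
    realm: str

def parse_principal(text: str) -> Principal:
    """Split 'service/host@REALM' into its components."""
    name, at, realm = text.rpartition("@")
    service, slash, host = name.partition("/")
    if not (at and slash and service and host and realm):
        raise ValueError(f"not a service/host@REALM principal: {text!r}")
    return Principal(service, host.lower(), realm)

def host_check(principal: str, caller_host: str) -> bool:
    """Assumed check applied when the server accesses e.g. HDFS as a client."""
    return parse_principal(principal).host == caller_host.lower()

def evaluate(host: str, server_side: str, client_facing: str) -> dict:
    """outbound_ok: server-side principal passes the host check on this box.
    client_ok: client-facing principal is the one clients of the VIP expect."""
    expected = Principal("hcat", VIP, REALM)
    return {"outbound_ok": host_check(server_side, host),
            "client_ok": parse_principal(client_facing) == expected}

def farm_ok(server_tmpl: str, client_tmpl: str) -> dict:
    """Evaluate every farm member; '{host}' is replaced by its own hostname."""
    rows = [evaluate(h, server_tmpl.format(host=h), client_tmpl.format(host=h))
            for h in FARM]
    return {k: all(r[k] for r in rows) for k in ("outbound_ok", "client_ok")}

VIP_PRINCIPAL = f"hcat/{VIP}@{REALM}"
PER_HOST = "hcat/{host}@" + REALM

if __name__ == "__main__":
    print("single, VIP name: ", farm_ok(VIP_PRINCIPAL, VIP_PRINCIPAL))
    print("single, host name:", farm_ok(PER_HOST, PER_HOST))
    print("decoupled:        ", farm_ok(PER_HOST, VIP_PRINCIPAL))
```

      With a single principal, one of the two directions always fails; only the decoupled pair passes both on every farm member.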

        Attachments

        1. HIVE-17489.4.patch
          13 kB
          Mithun Radhakrishnan
        2. HIVE-17489.4-branch-2.patch
          9 kB
          Mithun Radhakrishnan
        3. HIVE-17489.3.patch
          13 kB
          Mithun Radhakrishnan
        4. HIVE-17489.3-branch-2.patch
          9 kB
          Mithun Radhakrishnan
        5. HIVE-17489.2.patch
          12 kB
          Mithun Radhakrishnan
        6. HIVE-17489.2-branch-2.patch
          8 kB
          Mithun Radhakrishnan
        7. HIVE-17489.2.patch
          12 kB
          Mithun Radhakrishnan

            People

            • Assignee:
              thiruvel Thiruvel Thirumoolan
              Reporter:
              mithun Mithun Radhakrishnan