[HIVE-17489] Separate client-facing and server-side Kerberos principals, to support HA - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.2.1, 2.4.0, 3.0.0
Component/s: Metastore
Labels:
None

Description

On deployments of the Hive metastore where a farm of servers is fronted by a VIP, the hostname of the VIP (e.g. mycluster-hcat.blue.myth.net) will differ from the actual boxen in the farm (.e.g mycluster-hcat-[0..3].blue.myth.net).

Such a deployment messes up Kerberos auth, with principals like hcat/mycluster-hcat.blue.myth.net@GRID.MYTH.NET. Host-based checks will disallow servers behind the VIP from using the VIP's hostname in its principal when accessing, say, HDFS.

The solution would be to decouple the server-side principal (used to access other services like HDFS as a client) from the client-facing principal (used from Hive-client, BeeLine, etc.).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HIVE-17489.4.patch
22/Sep/17 21:11
13 kB
Mithun Radhakrishnan
HIVE-17489.4-branch-2.patch
22/Sep/17 21:11
9 kB
Mithun Radhakrishnan
HIVE-17489.3.patch
21/Sep/17 00:01
13 kB
Mithun Radhakrishnan
HIVE-17489.3-branch-2.patch
21/Sep/17 00:01
9 kB
Mithun Radhakrishnan
HIVE-17489.2.patch
12/Sep/17 18:41
12 kB
Mithun Radhakrishnan
HIVE-17489.2-branch-2.patch
08/Sep/17 22:46
8 kB
Mithun Radhakrishnan
HIVE-17489.2.patch
08/Sep/17 22:28
12 kB
Mithun Radhakrishnan

Activity

People

Assignee:: Thiruvel Thirumoolan

Reporter:: Mithun Radhakrishnan

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 08/Sep/17 22:20

Updated:: 22/May/18 23:14

Resolved:: 30/Sep/17 01:11