Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-17489

Separate client-facing and server-side Kerberos principals, to support HA

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.2.1, 2.4.0, 3.0.0
    • Metastore
    • None

    Description

      On deployments of the Hive metastore where a farm of servers is fronted by a VIP, the hostname of the VIP (e.g. mycluster-hcat.blue.myth.net) will differ from the actual boxen in the farm (.e.g mycluster-hcat-[0..3].blue.myth.net).

      Such a deployment messes up Kerberos auth, with principals like hcat/mycluster-hcat.blue.myth.net@GRID.MYTH.NET. Host-based checks will disallow servers behind the VIP from using the VIP's hostname in its principal when accessing, say, HDFS.

      The solution would be to decouple the server-side principal (used to access other services like HDFS as a client) from the client-facing principal (used from Hive-client, BeeLine, etc.).

      Attachments

        1. HIVE-17489.2.patch
          12 kB
          Mithun Radhakrishnan
        2. HIVE-17489.2.patch
          12 kB
          Mithun Radhakrishnan
        3. HIVE-17489.2-branch-2.patch
          8 kB
          Mithun Radhakrishnan
        4. HIVE-17489.3.patch
          13 kB
          Mithun Radhakrishnan
        5. HIVE-17489.3-branch-2.patch
          9 kB
          Mithun Radhakrishnan
        6. HIVE-17489.4.patch
          13 kB
          Mithun Radhakrishnan
        7. HIVE-17489.4-branch-2.patch
          9 kB
          Mithun Radhakrishnan

        Activity

          People

            thiruvel Thiruvel Thirumoolan
            mithun Mithun Radhakrishnan
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: