hive-issues mailing list archives

From "Lefty Leverenz (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-17489) Separate client-facing and server-side Kerberos principals, to support HA
Date Tue, 14 Nov 2017 06:27:00 GMT

    [ https://issues.apache.org/jira/browse/HIVE-17489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16250954#comment-16250954 ]

Lefty Leverenz commented on HIVE-17489:
---------------------------------------

Thanks for the doc, [~mithun].  I did some minor editing, documented the other new parameter
(*hive.server2.authentication.client.kerberos.principal*), and added cross-references between
them.

Please review and let me know if the cross-references were a good idea or not.  (Does HA mean
High Availability?)

* [hive.metastore.client.kerberos.principal | https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.metastore.client.kerberos.principal]
* [hive.server2.authentication.client.kerberos.principal | https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.server2.authentication.client.kerberos.principal]

> Separate client-facing and server-side Kerberos principals, to support HA
> -------------------------------------------------------------------------
>
>                 Key: HIVE-17489
>                 URL: https://issues.apache.org/jira/browse/HIVE-17489
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>            Reporter: Mithun Radhakrishnan
>            Assignee: Thiruvel Thirumoolan
>             Fix For: 3.0.0, 2.4.0, 2.2.1
>
>         Attachments: HIVE-17489.2-branch-2.patch, HIVE-17489.2.patch, HIVE-17489.2.patch, HIVE-17489.3-branch-2.patch, HIVE-17489.3.patch, HIVE-17489.4-branch-2.patch, HIVE-17489.4.patch
>
>
> On deployments of the Hive metastore where a farm of servers is fronted by a VIP, the hostname of the VIP (e.g. {{mycluster-hcat.blue.myth.net}}) will differ from the actual boxen in the farm (e.g. {{mycluster-hcat-\[0..3\].blue.myth.net}}).
> Such a deployment messes up Kerberos auth, with principals like {{hcat/mycluster-hcat.blue.myth.net@GRID.MYTH.NET}}. Host-based checks will disallow servers behind the VIP from using the VIP's hostname in its principal when accessing, say, HDFS.
> The solution would be to decouple the server-side principal (used to access other services like HDFS as a client) from the client-facing principal (used from Hive-client, BeeLine, etc.).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
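
Added example (not part of the original message and not Hive project code): a small check of a hive-site.xml for the split described in the issue, flagging a server-side metastore principal that still carries the VIP hostname. The sample XML is constructed from the hostnames in the issue text; the fallback of the client-facing property to the server-side one when unset, and the finding codes, are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

SERVER_KEY = "hive.metastore.kerberos.principal"         # server-side identity
CLIENT_KEY = "hive.metastore.client.kerberos.principal"  # client-facing (HIVE-17489)

# Constructed sample: per-host server principal, VIP-named client principal.
SAMPLE = """<configuration>
  <property><name>hive.metastore.kerberos.principal</name>
    <value>hcat/_HOST@GRID.MYTH.NET</value></property>
  <property><name>hive.metastore.client.kerberos.principal</name>
    <value>hcat/mycluster-hcat.blue.myth.net@GRID.MYTH.NET</value></property>
</configuration>"""

def load_props(xml_text):
    """Map property name -> value from a Hadoop-style configuration file."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def host_of(principal):
    """Return the host part of service/host@REALM in lower case, or None."""
    name = principal.split("@", 1)[0]
    parts = name.split("/", 1)
    return parts[1].lower() if len(parts) == 2 else None

def check_principals(xml_text, vip_host):
    """Return (effective client-facing principal, list of finding codes)."""
    vip = vip_host.lower()
    props = load_props(xml_text)
    server = props.get(SERVER_KEY, "")
    # Assumption: an unset client-facing principal falls back to the server one.
    client = props.get(CLIENT_KEY) or server
    findings = []
    if host_of(server) == vip:
        # The identity used towards HDFS names the VIP, not the real host,
        # which is what the host-based checks in the issue reject.
        findings.append("SERVER_USES_VIP")
    if host_of(client) not in (vip, "_host"):
        # Client-facing principal names a host other than the VIP.
        findings.append("CLIENT_NOT_VIP")
    return client, findings

if __name__ == "__main__":
    print(check_principals(SAMPLE, "mycluster-hcat.blue.myth.net"))
```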
