hive-issues mailing list archives

From "Mithun Radhakrishnan (JIRA)" <>
Subject [jira] [Updated] (HIVE-17489) Separate client-facing and server-side Kerberos principals, to support HA
Date Thu, 21 Sep 2017 00:03:00 GMT


Mithun Radhakrishnan updated HIVE-17489:
    Attachment: HIVE-17489.3-branch-2.patch

Added logic to fall back to using the server-side principals, if client-facing principals
are not set. This adds backward compatibility, and should sort out the failing tests.

> Separate client-facing and server-side Kerberos principals, to support HA
> -------------------------------------------------------------------------
>                 Key: HIVE-17489
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>            Reporter: Mithun Radhakrishnan
>            Assignee: Thiruvel Thirumoolan
>         Attachments: HIVE-17489.2-branch-2.patch, HIVE-17489.2.patch, HIVE-17489.2.patch, HIVE-17489.3-branch-2.patch, HIVE-17489.3.patch
> On deployments of the Hive metastore where a farm of servers is fronted by a VIP, the hostname of the VIP (e.g. {{}}) will differ from the actual boxen in the farm (e.g. {{mycluster-hcat-\[0..3\]}}).
> Such a deployment messes up Kerberos auth, with principals like {{hcat/}}. Host-based checks will disallow servers behind the VIP from using the VIP's hostname in its principal when accessing, say, HDFS.
> The solution would be to decouple the server-side principal (used to access other services like HDFS as a client) from the client-facing principal (used from Hive-client, BeeLine, etc.).

This message was sent by Atlassian JIRA
