6. Configuring for Secure Clusters

If you are using secure clusters, complete the following steps.

  1. Verify that hadoop.security.auth_to_local in core-site.xml is consistent across all clusters.

    Inconsistent rules for hadoop.security.auth_to_local can lead to issues with delegation token renewals.

  2. For secure clusters that use Hive and HCatalog, the cluster.xml entity should have hadoop.rpc.protection set to the same value as the Hadoop cluster's hadoop.rpc.protection. For example:

    <property name="hadoop.rpc.protection" value="authentication"/>

    Note: Do not hardcode the value to authentication. It must match the value that the Hadoop cluster uses for hadoop.rpc.protection.

  3. Set dfs.namenode.kerberos.principal for the cluster NameNode. For example:

    <property name="dfs.namenode.kerberos.principal" value="nn/ip-172-31-47-87.ec2.internal@EXAMPLE.COM"/>

  4. For HCatalog retention, replication, and process to work with secure clusters, set hive.metastore.sasl.enabled to true in the cluster entity. For example:

    <property name="hive.metastore.sasl.enabled" value="true"/>

  5. Set hive.metastore.kerberos.principal and hive.metastore.uris. For example:

    <property name="hive.metastore.kerberos.principal" value="hive/ip-172-31-47-87.ec2.internal@EXAMPLE.COM"/>
    <property name="hive.metastore.uris" value="thrift://ip-172-31-47-87.ec2.internal:9083"/>

  6. For wasb replication to work, the target cluster's core-site.xml must have wasb credentials. For example:

  7. Create the following property definitions in your cluster entity or entities. In the following example, replace $my.internal@EXAMPLE.COM and $my.internal with your own values.

        <property name="dfs.namenode.kerberos.principal" value="nn/$my.internal@EXAMPLE.COM"/> 
        <property name="hive.metastore.kerberos.principal" value="hive/$my.internal@EXAMPLE.COM"/> 
        <property name="hive.metastore.uris" value="thrift://$my.internal:9083"/>
        <property name="hive.metastore.sasl.enabled" value="true"/>
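
A consistency check for the steps above, as an added example that is not part of the original documentation: it compares hadoop.security.auth_to_local across the clusters' core-site.xml files and checks each cluster entity's properties against its cluster. The function names, the sample hosts and the urn:example:cluster namespace are constructed for illustration, and it assumes every cluster uses Hive and HCatalog.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("dfs.namenode.kerberos.principal", "hive.metastore.kerberos.principal",
            "hive.metastore.uris", "hive.metastore.sasl.enabled")

def core_site_props(xml_text):  # <property><name>k</name><value>v</value></property>
    return {p.findtext("name"): p.findtext("value") or ""
            for p in ET.fromstring(xml_text).iter("property")}

def entity_props(xml_text):  # <property name="k" value="v"/>, namespace ignored
    return {e.get("name"): e.get("value", "") for e in ET.fromstring(xml_text).iter()
            if e.tag.rsplit("}", 1)[-1] == "property" and e.get("name")}

def rules(core):  # one entry per rule, so layout whitespace does not matter
    text = core.get("hadoop.security.auth_to_local", "")
    return [line.strip() for line in text.splitlines() if line.strip()]

def check(clusters):
    """clusters: {name: (core_site_xml, entity_xml)}; returns a list of findings."""
    parsed = {n: (core_site_props(c), entity_props(e)) for n, (c, e) in clusters.items()}
    findings, ref = [], next(iter(parsed))
    for name, (core, ent) in parsed.items():
        if rules(core) != rules(parsed[ref][0]):
            findings.append(f"{name}: auth_to_local differs from {ref}")
        want = core.get("hadoop.rpc.protection", "authentication")  # Hadoop default if unset
        if ent.get("hadoop.rpc.protection") != want:
            findings.append(f"{name}: entity hadoop.rpc.protection is not {want}")
        findings += [f"{name}: entity lacks {k}" for k in REQUIRED if k not in ent]
        if ent.get("hive.metastore.sasl.enabled", "true") != "true":
            findings.append(f"{name}: hive.metastore.sasl.enabled is not true")
    return findings

# Constructed sample input: two hypothetical clusters, not taken from the page.
CORE = ("<configuration><property><name>hadoop.security.auth_to_local</name>"
        "<value>{rule}</value></property><property><name>hadoop.rpc.protection</name>"
        "<value>{prot}</value></property></configuration>")
ENTITY = ('<cluster xmlns="urn:example:cluster"><properties>'
          '<property name="hadoop.rpc.protection" value="{prot}"/>'
          '<property name="hive.metastore.sasl.enabled" value="true"/>'
          '<property name="dfs.namenode.kerberos.principal" value="nn/{host}@EXAMPLE.COM"/>'
          '<property name="hive.metastore.kerberos.principal" value="hive/{host}@EXAMPLE.COM"/>'
          '<property name="hive.metastore.uris" value="thrift://{host}:9083"/></properties></cluster>')
RULE = "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT"
SAMPLE = {"primary": (CORE.format(rule=RULE, prot="privacy"),
                      ENTITY.format(host="nn1.example.internal", prot="privacy")),
          "backup": (CORE.format(rule="DEFAULT", prot="privacy"),
                     ENTITY.format(host="nn2.example.internal", prot="authentication"))}
if __name__ == "__main__":
    print(*check(SAMPLE), sep="\n")
```

The first cluster in the mapping is the reference for the auth_to_local comparison, so list the cluster whose rules are known to be correct first.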
