Hive Metastore supports Kerberos authentication for Thrift clients only. HiveServer does not support Kerberos authentication for any clients.
To the hive-site.xml file on every host in your cluster, add the following information:
Table 27.10. hive-site.xml Property Settings
Property Name | Property Value | Description |
---|---|---|
hive.metastore.sasl.enabled | true | If true, the Metastore Thrift interface will be secured with SASL and clients must authenticate with Kerberos. |
hive.metastore.kerberos.keytab.file | /etc/security/keytabs/hive.service.keytab | The keytab for the Metastore Thrift service principal. |
hive.metastore.kerberos.principal | hive/_HOST@EXAMPLE.COM | The service principal for the Metastore Thrift server. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance. |
hive.metastore.cache.pinobjtypes | Table,Database,Type, FieldSchema,Order | Comma-separated Metastore object types that should be pinned in the cache. |
Following is the XML for these entries:
<property> <name>hive.metastore.sasl.enabled</name> <value>true</value> <description>If true, the metastore thrift interface will be secured with SASL. Clients must authenticate with Kerberos.</description> </property> <property> <name>hive.metastore.kerberos.keytab.file</name> <value>/etc/security/keytabs/hive.service.keytab</value> <description>The path to the Kerberos Keytab file containing the metastore thrift server's service principal. </description> </property> <property> <name>hive.metastore.kerberos.principal</name> <value>hive/_HOST@EXAMPLE.COM</value> <description>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct hostname.</description> </property> <property> <name>hive.metastore.cache.pinobjtypes</name> <value>Table,Database,Type,FieldSchema,Order</value> <description>List of comma separated metastore object types that should be pinned in the cache </description> </property>