Cloudera Docs

Configuring the Hive Delegation Token Store

You need to enable Hive Delegation Token Store implementation as the first step in configuring HiveServer high availability using a load balancer. You also need to understand the interaction between Oozie and HS2 with regard to the delegation token.

Oozie needs this implementation for secure HiveServer high availability (HA). Otherwise, the Oozie server can get a delegation token from one HS2 server, but the actual query might run against another HS2 server, which does not recognize the HS2 delegation token.
  1. In Cloudera Manager, click Clusters > Hive > Configuration.
  2. Take one of the following actions:
    • If you have a cluster secured by Kerberos, search for Hive Delegation Token Store, which specifies storage for the Kerberos token as described below.
    • If you have an unsecured cluster, skip the next step.
  3. Select org.apache.hadoop.hive.thrift.DBTokenStore, and save the change.
    Storage for the Kerberos delegation token is defined by the hive.cluster.delegation.token.store.class property. The available choices are Zookeeper, the Metastore, and memory. Cloudera recommends using the database by setting the org.apache.hadoop.hive.thrift.DBTokenStore property. Do not use the MemoryTokenStore. This can cause failures because one HS2 does not recognize the delegation token issued by another.
  4. Add HiveServer (HS2) roles as described in the next topic.