Mithun Radhakrishnan created HIVE-17489:
-------------------------------------------
Summary: Separate client-facing and server-side Kerberos
principals, to support HA
Key: HIVE-17489
URL: https://issues.apache.org/jira/browse/HIVE-17489
Project: Hive
Issue Type: Bug
Components: Metastore
Reporter: Mithun Radhakrishnan
Assignee: Thiruvel Thirumoolan
On deployments of the Hive metastore where a farm of servers is fronted by a
VIP, the hostname of the VIP (e.g. {{mycluster-hcat.blue.myth.net}}) will
differ from the actual boxen in the farm (.e.g
{{mycluster-hcat-\[0..3\].blue.myth.net}}).
Such a deployment messes up Kerberos auth, with principals like
{{hcat/mycluster-hcat.blue.myth....@grid.myth.net}}. Host-based checks will
disallow servers behind the VIP from using the VIP's hostname in its principal
when accessing, say, HDFS.
The solution would be to decouple the server-side principal (used to access
other services like HDFS as a client) from the client-facing principal (used
from Hive-client, BeeLine, etc.).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
