[
https://issues.apache.org/jira/browse/HIVE-17489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16186765#comment-16186765
]
Mithun Radhakrishnan commented on HIVE-17489:
---------------------------------------------
Committed to {{master}}, {{branch-2}}, and {{branch-2-2}}. Thanks for working
on this, [~thiruvel]!
The new parameter will need documenting in Hive docs. I'll do so shortly.
> Separate client-facing and server-side Kerberos principals, to support HA
> -------------------------------------------------------------------------
>
> Key: HIVE-17489
> URL: https://issues.apache.org/jira/browse/HIVE-17489
> Project: Hive
> Issue Type: Bug
> Components: Metastore
> Reporter: Mithun Radhakrishnan
> Assignee: Thiruvel Thirumoolan
> Attachments: HIVE-17489.2-branch-2.patch, HIVE-17489.2.patch,
> HIVE-17489.2.patch, HIVE-17489.3-branch-2.patch, HIVE-17489.3.patch,
> HIVE-17489.4-branch-2.patch, HIVE-17489.4.patch
>
>
> On deployments of the Hive metastore where a farm of servers is fronted by a
> VIP, the hostname of the VIP (e.g. {{mycluster-hcat.blue.myth.net}}) will
> differ from the actual boxen in the farm (e.g.
> {{mycluster-hcat-\[0..3\].blue.myth.net}}).
> Such a deployment messes up Kerberos auth, with principals like
> {{hcat/[email protected]}}. Host-based checks will
> disallow servers behind the VIP from using the VIP's hostname in its
> principal when accessing, say, HDFS.
> The solution would be to decouple the server-side principal (used to access
> other services like HDFS as a client) from the client-facing principal (used
> from Hive-client, BeeLine, etc.).