1
votes

We have put these entries in hive-site.xml:

  • hive.server2.authentication : KERBEROS
  • hive.server2.authentication.kerberos.keytab : /tmp/hive.keytab
  • hive.server2.authentication.kerberos.principal : hive/FQDN of the hive [email protected]

Using the kinit command on the hive VM, we have verified that the Kerberos principal and the keytab file are valid:

kinit -t FILE:/tmp/hive.keytab -k hive/FQDN of the hive [email protected]

Then if we do,

klist

it shows the same in Ticket Cache as the default Principal.

But when we try to start HiveServer2 using:

sudo service hive-server2 start

it throws the exception:

Starting HiveServer2
javax.security.auth.login.LoginException: Kerberos principal should have 3 parts: hive
    at org.apache.hive.service.auth.HiveAuthFactory.getAuthTransFactory(HiveAuthFactory.java:127)
    at org.apache.hive.service.cli.thrift.ThriftCLIService.run(ThriftCLIService.java:505)
    at java.lang.Thread.run(Thread.java:679)

When we try to start the service (using ./hiveserver2) with any other logged-in user, say User123, it throws the same exception with:

Starting HiveServer2
javax.security.auth.login.LoginException: Kerberos principal should have 3 parts: User123
    at org.apache.hive.service.auth.HiveAuthFactory.getAuthTransFactory(HiveAuthFactory.java:127)
    at org.apache.hive.service.cli.thrift.ThriftCLIService.run(ThriftCLIService.java:505)
    at java.lang.Thread.run(Thread.java:679)

Shouldn’t the Kerberos principal be picked up from hive-site.xml and not from the login user? Are we missing something?

-- I have created a principal hive/FQDN of the hive [email protected] in advance and created a keytab file for it. We are on CDH 4.7 (not installed using CM), OEL6 and Kerberos5

1

1 Answer

0
votes

Kerberos security should be configured for HDFS and MR too, and not just HIVE.
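
A pre-start check that combines the question's hive-site.xml settings with the answer's point, as an added example that is not part of the original thread. It assumes the cluster-wide setting is `hadoop.security.authentication` in core-site.xml; the sample host, realm and all function names are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs (placeholder host and realm, not values from the post).
CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""

HIVE_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.authentication.kerberos.keytab</name><value>/tmp/hive.keytab</value></property>
  <property><name>hive.server2.authentication.kerberos.principal</name><value>hive/hs2.example.com@EXAMPLE.COM</value></property>
</configuration>"""

PRINCIPAL_RE = re.compile(r"^([^/@]+)/([^/@]+)@([^/@]+)$")  # primary/instance@REALM


def load_props(xml_text):
    """Return {name: value} from a Hadoop-style *-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}


def split_principal(name):
    """Return (primary, instance, realm), or None if the name lacks 3 parts."""
    m = PRINCIPAL_RE.match(name)
    return m.groups() if m else None


def check(core_xml, hive_xml):
    """Return a list of findings for a HiveServer2 Kerberos setup."""
    core, hive = load_props(core_xml), load_props(hive_xml)
    findings = []
    if hive.get("hive.server2.authentication", "").upper() != "KERBEROS":
        return findings  # Kerberos not requested for HiveServer2; nothing to check
    if core.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        findings.append("core-site.xml: hadoop.security.authentication is not 'kerberos'")
    principal = hive.get("hive.server2.authentication.kerberos.principal", "")
    if split_principal(principal) is None:
        findings.append("hive-site.xml: principal %r is not primary/instance@REALM" % principal)
    keytab = hive.get("hive.server2.authentication.kerberos.keytab", "")
    if keytab.startswith("/tmp/"):
        findings.append("hive-site.xml: keytab %s is in a world-writable directory" % keytab)
    return findings


if __name__ == "__main__":
    for finding in check(CORE_SITE, HIVE_SITE):
        print(finding)
```

The names `hive` and `User123` from the two exceptions both fail `split_principal`, while the configured three-part principal passes it.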