Metastore authentication

To force clients to authenticate with the metastore server using Kerberos, set the following three properties in the hive-site.xml file and then restart the metastore server for the changes to take effect:

  1. Enable the Simple Authentication and Security Layer (SASL) framework to enforce client Kerberos authentication, as follows:
      <property>
        <name>hive.metastore.sasl.enabled</name>
        <value>true</value>
        <description>If true, the metastore thrift interface will be secured with SASL framework. Clients must authenticate with Kerberos.</description>
      </property>
  2. Specify the path to the generated Kerberos keytab. Change the example path below if you keep the file elsewhere. Make sure the keytab file's permission mode is restricted to its owner (600) so that it is not accidentally changed or deleted. The file should also be owned by the account that runs the metastore server (hive by default):
      <property>
        <name>hive.metastore.kerberos.keytab.file</name>
        <value>/etc/hive/conf/hive.keytab</value>
        <description>The sample path to the Kerberos Keytab file containing the metastore thrift server's service principal.</description>
      </property>
  3. Specify the Kerberos principal pattern string. The _HOST special string is replaced automatically with the correct hostname. Replace the YOUR-REALM.COM value with the actual realm name:
      <property>
        <name>hive.metastore.kerberos.principal</name>
        <value>hive/_HOST@YOUR-REALM.COM</value>
        <description>The service principal for metastore server.</description>
      </property>
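
To confirm the three settings after editing hive-site.xml, the following added example (not part of the original text) parses the file and checks the keytab's mode and owner. The function names, the findings wording and the command-line usage are assumptions made for illustration.

```python
import os
import re
import stat
import sys
import xml.etree.ElementTree as ET

SASL = "hive.metastore.sasl.enabled"
KEYTAB = "hive.metastore.kerberos.keytab.file"
PRINCIPAL = "hive.metastore.kerberos.principal"
# service/host@REALM, where host may be the literal _HOST placeholder
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")


def load_properties(path):
    """Return {name: value} for each <property> in a hive-site.xml file."""
    props = {}
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_metastore_kerberos(path, owner_uid=None):
    """Return a list of findings; an empty list means every check passed."""
    props = load_properties(path)
    findings = [f"{n} is not set" for n in (SASL, KEYTAB, PRINCIPAL) if not props.get(n)]
    if props.get(SASL) and props[SASL].lower() != "true":
        findings.append(f"{SASL} is not true: Kerberos is not enforced")
    principal = props.get(PRINCIPAL, "")
    if principal and not PRINCIPAL_RE.match(principal):
        findings.append(f"principal {principal!r} is not service/host@REALM")
    elif principal.endswith("@YOUR-REALM.COM"):
        findings.append("principal still uses the YOUR-REALM.COM placeholder")
    if props.get(KEYTAB):
        try:
            st = os.stat(props[KEYTAB])
        except OSError:
            return findings + [f"keytab {props[KEYTAB]} is missing or unreadable"]
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:  # any group/other bit exposes the service key
            findings.append(f"keytab mode {mode:o} grants group/other access")
        if owner_uid is not None and st.st_uid != owner_uid:
            findings.append(f"keytab is owned by uid {st.st_uid}, expected {owner_uid}")
    return findings


if __name__ == "__main__":
    # Usage: python audit_metastore.py /path/to/hive-site.xml
    for finding in audit_metastore_kerberos(sys.argv[1]):
        print("FINDING:", finding)
```

Pass the uid of the account that runs the metastore server as owner_uid to include the ownership check.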