Closed Nuttymoon closed 2 years ago
I agree that the Metastore should run with principal `hive`.
This is a conceptual choice. The idea is to create independence between the Hive Metastore and Hive Server. Hive Metastore can be installed without Hive Server. We can keep the `hive_ms` principal by adding the `auth_to_local` mapping rule.
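As an added illustration (not code from the issue or the project), a simplified Python model of how Hadoop's `auth_to_local` rules resolve a principal to a local user: with only `DEFAULT`, `hive_ms/_HOST` lands on a local user `hive_ms`, and one extra `RULE` folds it onto `hive`. The realm, host names and rule text are constructed, and the `/g` and `/L` rule flags are not modelled.

```python
import re

# Constructed configuration, not from the issue: one RULE folds the separate
# hive_ms/_HOST service principal onto the local user "hive"; DEFAULT keeps the
# first component of any principal in the local realm.
DEFAULT_REALM = "EXAMPLE.COM"
RULES_WITH_MAPPING = ["RULE:[2:$1@$0](hive_ms@EXAMPLE.COM)s/.*/hive/", "DEFAULT"]
RULES_WITHOUT_MAPPING = ["DEFAULT"]

# Simplified parser for Hadoop's RULE:[n:string](regexp)s/pattern/replacement/
# syntax; the optional /g and /L flags are not modelled.
_RULE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/)?$"
)


def _apply_rule(rule, principal):
    """Apply one rule; return the local name, or None if the rule does not apply."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if rule == "DEFAULT":
        return components[0] if realm == DEFAULT_REALM else None
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    n, fmt, regexp, pattern, replacement = m.groups()
    if len(components) != int(n):  # a rule only applies to its component count
        return None
    # $0 is the realm, $1..$n are the principal components.
    variables = {"$0": realm, **{f"${i + 1}": c for i, c in enumerate(components)}}
    candidate = re.sub(r"\$\d", lambda v: variables.get(v.group(0), ""), fmt)
    if regexp is not None and not re.fullmatch(regexp, candidate):
        return None
    if pattern is not None:
        candidate = re.sub(pattern, replacement, candidate, count=1)
    return candidate


def map_principal(principal, rules):
    """Return the local user name for a Kerberos principal, or raise if nothing matches."""
    for rule in rules:
        local = _apply_rule(rule, principal)
        if local is not None:
            return local
    raise ValueError(f"no auth_to_local rule matched {principal}")


if __name__ == "__main__":
    for rules in (RULES_WITHOUT_MAPPING, RULES_WITH_MAPPING):
        print(rules, "->", map_principal("hive_ms/ms1.example.com@EXAMPLE.COM", rules))
```

The local name is what proxy-user and impersonation settings are checked against, which is why the metastore's effective user matters for the Spark SQL failure discussed in this issue.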
I am not very convinced about changing the behavior that was followed by both CDH and HDP and now CDP, which is having a single `hive` principal. This might trouble users coming from CDH, HDP and CDP and this also complicates the `auth_to_local` rules. See:
* HDP: [Creating Service Principals and Keytab Files for HDP](https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.3/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html)
* CDP: [Hadoop Users (user:group) and Kerberos Principals](https://docs.cloudera.com/cdp-private-cloud-base/7.1.6/security-kerberos-authentication/topics/cm_sg_cm_users_principals.html)
Btw I think the same of Ranger principals `rangeradmin`, `rangerlookup` and `rangerusersync` (my bad there, Cloudera is using the same principals for Ranger).
Maybe we should create a discussion about this?
@rpignolet @mehdibn what's your input on this?
I vote to do the same as Cloudera.
I vote to do the same as @rpignolet :)
The Hive Metastore is currently running with the principal `hive_ms/_HOST@REALM`. Therefore it is not impacted by the `auth_to_local` rule:
When running Spark SQL queries, we end up with the error:
The Hive Metastore should be able to impersonate users. Also, I don't understand why the Metastore is running with a different principal than the Hive Server. For me both should use `hive/_HOST`.