[ https://issues.apache.org/jira/browse/HIVE-10838?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
HeeSoo Kim updated HIVE-10838: ------------------------------ Description: +*In a cluster with Kerberos authentication*+ When a Hive metastore client (e.g. HS2, oozie) has been configured with a logical hostname (e.g. hiveserver/hiveserver_logical_hostn...@example.com), it still uses its physical hostname to try to connect to the hive metastore. For example, we specifiy, in hive-site.xml: {noformat} <property> <name>hive.server2.authentication.kerberos.principal</name> <value>hiveserver/hiveserver_logical_hostn...@example.com</value> </property> {noformat} When the client tried to get a delegation token from the metastore, an exception occurred: {noformat} 2015-05-21 23:17:59,554 ERROR metadata.Hive (Hive.java:getDelegationToken(2638)) - MetaException(message:Unauthorized connection for super-user: hiveserver/hiveserver_logical_hostn...@example.com from IP 10.250.16.43) at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_delegation_token_result$get_delegation_token_resultStandardScheme.read(ThriftHiveMetastore.java) at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_delegation_token_result$get_delegation_token_resultStandardScheme.read(ThriftHiveMetastore.java) at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_delegation_token_result.read(ThriftHiveMetastore.java) at org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:78) at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.recv_get_delegation_token(ThriftHiveMetastore.java:3293) at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.get_delegation_token(ThriftHiveMetastore.java:3279) at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDelegationToken(HiveMetaStoreClient.java:1559) {noformat} We need to set the bind address when Hive metastore client tries to connect Hive metastore based on logical hostname of Kerberos. was: +*In a cluster with Kerberos authentication*+ When a Hive metastore client (e.g. HS2, oozie) has been configured with a logical hostname (e.g. hiveserver/hiveserver_logical_hostn...@example.com), it still uses its physical hostname to try to connect to the hive metastore. For example, we specifiy, in hive-site.xml: {noformat} <property> <name>hive.server2.authentication.kerberos.principal</name> <value>hiveserver/hiveserver_logical_hostn...@example.com</value> </property> {noformat} When the client tried to get a delegation token from the metastore, an exception occurred: {noformat} 2015-05-21 23:17:59,554 ERROR metadata.Hive (Hive.java:getDelegationToken(2638)) - MetaException(message:Unauthorized connection for super-user: hiveserver/hiveserver_logical_hostn...@example.com from IP 10.250.16.43) at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_delegation_token_result$get_delegation_token_resultStandardScheme.read(ThriftHiveMetastore.java) at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_delegation_token_result$get_delegation_token_resultStandardScheme.read(ThriftHiveMetastore.java) at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_delegation_token_result.read(ThriftHiveMetastore.java) at org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:78) at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.recv_get_delegation_token(ThriftHiveMetastore.java:3293) at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.get_delegation_token(ThriftHiveMetastore.java:3279) at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDelegationToken(HiveMetaStoreClient.java:1559) {noformat} We need to set the bind address when Hive metastore client tries to connect Hive metastore based on hostname of Kerberos. > Allow the Hive metastore client to bind to a specific address when connecting > to the server > ------------------------------------------------------------------------------------------- > > Key: HIVE-10838 > URL: https://issues.apache.org/jira/browse/HIVE-10838 > Project: Hive > Issue Type: Bug > Reporter: HeeSoo Kim > Assignee: HeeSoo Kim > > +*In a cluster with Kerberos authentication*+ > When a Hive metastore client (e.g. HS2, oozie) has been configured with a > logical hostname (e.g. hiveserver/hiveserver_logical_hostn...@example.com), > it still uses its physical hostname to try to connect to the hive metastore. > For example, we specifiy, in hive-site.xml: > {noformat} > <property> > <name>hive.server2.authentication.kerberos.principal</name> > <value>hiveserver/hiveserver_logical_hostn...@example.com</value> > </property> > {noformat} > When the client tried to get a delegation token from the metastore, an > exception occurred: > {noformat} > 2015-05-21 23:17:59,554 ERROR metadata.Hive > (Hive.java:getDelegationToken(2638)) - MetaException(message:Unauthorized > connection for super-user: hiveserver/hiveserver_logical_hostn...@example.com > from IP 10.250.16.43) > at > org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_delegation_token_result$get_delegation_token_resultStandardScheme.read(ThriftHiveMetastore.java) > at > org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_delegation_token_result$get_delegation_token_resultStandardScheme.read(ThriftHiveMetastore.java) > at > org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_delegation_token_result.read(ThriftHiveMetastore.java) > at > org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:78) > at > org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.recv_get_delegation_token(ThriftHiveMetastore.java:3293) > at > org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.get_delegation_token(ThriftHiveMetastore.java:3279) > at > org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDelegationToken(HiveMetaStoreClient.java:1559) > {noformat} > We need to set the bind address when Hive metastore client tries to connect > Hive metastore based on logical hostname of Kerberos. -- This message was sent by Atlassian JIRA (v6.3.4#6332)