具有Kerberos的Hive远程元存储
[英]Hive Remote Metastore With Kerberos
问题描述
I'm new to hive and trying to set it up in a relatively secure manner for a test environment. 
我是蜂巢的新手,正在尝试以相对安全的方式针对测试环境进行设置。 I want to use a remote metastore so MR jobs can access the DB. 我想使用远程元存储,以便MR作业可以访问数据库。 I seem to have things almost working, but when a user with a credential tries to create a database I get: 我似乎几乎可以正常工作,但是当具有凭据的用户尝试创建数据库时,我得到:
hive> show databases;
OK
default
hive> create database testdb;
FAILED: Error in metadata: MetaException(message:Got exception: org.apache.hadoop.ipc.RemoteException User: hdfs/hadoopserver.sub.dom.com@SUB.DOM.COM is not allowed to impersonate myuserid@SUB.DOM.COM)
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask
I can run 'show databases' ok. 我可以运行“显示数据库”。 I have "hive --service metastore" running as hdfs with hdfs/hadoopserver.sub.dom.com@SUB.DOM.COM as the principal. 我有以hdfs/hadoopserver.sub.dom.com@SUB.DOM.COM作为主体的hdfs运行的“配置单元--service metastore”。 I'm running hive as "myuserid" on the same box. 我在同一框上以“ myuserid”运行配置单元。 I don't know if it's related, but if I try to run hive from another system I get a GSS Initiate error unless I use the same principal (hdfs/hadoopserver.sub.dom.com@SUB.DOM.COM) for hive.metastore.kerberos.principal. 我不知道它是否相关,但是如果我尝试从另一个系统运行hive,除非我对hive使用相同的主体(hdfs/hadoopserver.sub.dom.com@SUB.DOM.COM),否则会收到GSS Initiate错误。 .metastore.kerberos.principal。 Is that expected? 那是预期的吗?
When I try googling this I see similar issues, but they message about not being able to impersonate only shows the single part user name where for me it's showing the realm. 当我尝试使用Google进行搜索时,会看到类似的问题,但是他们提示无法模拟的消息仅显示了单个部件的用户名,而对于我来说,这是显示领域的位置。 I tried playing with the auth_to_local property, but it didn't help. 我尝试使用auth_to_local属性,但没有帮助。 Map Reduce and HDFS operations are working fine. Map Reduce和HDFS操作正常。
In core-site.xml I have: 在core-site.xml中,我有:
<property>
<name>hadoop.proxyuser.hdfs.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hdfs.groups</name>
<value>*</value>
</property>
In hive-site.xml I have: 在hive-site.xml中,我有:
<property>
<name>javax.jdo.option.ConnectionURL</name>
<value>jdbc:mysql://localhost/metastore</value>
<description>the URL of the MySQL database</description>
</property>
<property>
<name>javax.jdo.option.ConnectionDriverName</name>
<value>com.mysql.jdbc.Driver</value>
</property>
<property>
<name>javax.jdo.option.ConnectionUserName</name>
<value>hive</value>
</property>
<property>
<name>javax.jdo.option.ConnectionPassword</name>
<value>password</value>
</property>
<property>
<name>datanucleus.autoCreateSchema</name>
<value>false</value>
</property>
<property>
<name>datanucleus.fixedDatastore</name>
<value>true</value>
</property>
<property>
<name>hive.metastore.uris</name>
<value>thrift://hadoopserver.sub.dom.com:9083</value>
</property>
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.metastore.sasl.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.metastore.kerberos.keytab.file</name>
<value>/etc/hadoop/hdfs.keytab</value>
</property>
<property>
<name>hive.metastore.kerberos.principal</name>
<value>hdfs/hadoopserver.sub.dom.com@SUB.DOM.COM</value>
</property>
<property>
<name>hive.metastore.execute.setugi</name>
<value>true</value>
</property>
Any ideas? 有任何想法吗?
2 个解决方案
解决方案1
0 已采纳 2013-09-03 11:32:57
Run hive metastore as user "hive" (hive/domain@Realm) and then configure hadoop.proxyuser.hive.hosts and hadoop.proxyuser.hive.groups to '*'. 以用户“ hive”(hive / domain @ Realm)的身份运行hive metastore,然后将hadoop.proxyuser.hive.hosts和hadoop.proxyuser.hive.groups配置为“ *”。 This works. 这可行。
解决方案2
0 2015-01-25 11:43:27
一旦您在core-site.xml中添加了代理配置,例如hadoop.proxyuser.hdfs.groups,其中hdfs是启动hiveserver的用户,然后添加hive.server2.enable.doAs = false来模拟其他用户/组。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.