Configuring Drill to Use Kerberos with Hive Metastore

NOTE:

When you configure Drill to use Kerberos with the Hive metastore, Drill submits requests to the Hive metastore as the mapr superuser. If you want Drill to submit requests to the Hive metastore as any other user, configure Drill impersonation with Hive instead of performing this task. Drill impersonation works with or without Kerberos configured for the Hive metastore.

Prerequisites

The configurations described in this document have the following dependencies:

  • MapR version 4.1 or later
  • Drill 1.1 or later installed with Drillbits running as the mapr user.
  • Supported version of Hive installed with the following:
    • Hive Metastore configured to use Kerberos authentication
    • Configured Hive remote metastore repository
    NOTE: See the Drill Support Matrix for supported versions of Hive.

Modify the Hive Storage Plugin in Drill

Modify the Hive storage plugin configuration in the Drill Web UI based on the authorization and security scenario for the cluster. You can only access the Drill Web UI for a running Drillbit.

Complete the following steps to configure Drill to use Kerberos with Hive Metastore:

  1. Navigate to http://<drillbit_hostname>:8047, and select the Storage tab.
    NOTE: You can only access the Drill Web UI for a running Drillbit.
  2. Click Update next to the hive option.
  3. In the configuration window, add the hive.metastore.sasl.enabled, hive.metastore.kerberos.principal, and hive.security.authorization.enabled properties if they are not already present, as shown below. Other properties shown may or may not be needed in your environment:
    {
      "type": "hive",
      "enabled": true,
      "configProps": {
        "hive.metastore.uris": "thrift://<metastore_hostname>:9083",
        "fs.default.name": "maprfs:///",
        "hive.server2.enable.doAs": "false",
        "hive.metastore.sasl.enabled": "true",
        "hive.metastore.kerberos.principal": "<metastore_server_principal_name>"
      }
    }
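
The following pre-flight check for the plugin JSON is an added example, not part of the original page or of Drill. It flags any property named in step 3 that is missing and any <placeholder> pasted unchanged. The function names, the example.com host, the EXAMPLE.COM realm, the "true" value for hive.security.authorization.enabled, and the name@REALM expectation for the principal are assumptions made for illustration.

```python
import json

# Properties that step 3 says must be present in configProps.
REQUIRED = ("hive.metastore.sasl.enabled",
            "hive.metastore.kerberos.principal",
            "hive.security.authorization.enabled")

def check_hive_plugin(text):
    """Return a list of findings for a Hive storage plugin JSON document."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    findings = []
    if cfg.get("type") != "hive" or cfg.get("enabled") is not True:
        findings.append('expected "type": "hive" and "enabled": true')
    props = cfg.get("configProps") or {}
    findings += [f"missing property: {k}" for k in REQUIRED if k not in props]
    for key, value in props.items():
        # Angle brackets mean a <placeholder> from the docs was pasted unchanged.
        if isinstance(value, str) and "<" in value and ">" in value:
            findings.append(f"placeholder not replaced: {key}")
    if props.get("hive.metastore.sasl.enabled") not in (None, "true"):
        findings.append('hive.metastore.sasl.enabled is not "true"')
    if not str(props.get("hive.metastore.uris", "")).startswith("thrift://"):
        findings.append("hive.metastore.uris is not a thrift:// URI")
    principal = props.get("hive.metastore.kerberos.principal")
    if isinstance(principal, str) and "<" not in principal:
        # Assumption: the principal is written with an explicit realm.
        name, _, realm = principal.rpartition("@")
        if not name or not realm:
            findings.append("principal is not of the form name@REALM")
    return findings

# The sample from step 3, copied as shown on the page.
PAGE_SAMPLE = """{ "type": "hive", "enabled": true, "configProps": {
  "hive.metastore.uris": "thrift://<metastore_hostname>:9083",
  "fs.default.name": "maprfs:///",
  "hive.server2.enable.doAs": "false",
  "hive.metastore.sasl.enabled": "true",
  "hive.metastore.kerberos.principal": "<metastore_server_principal_name>" } }"""

def filled_in_sample():
    """Constructed values: example.com host, EXAMPLE.COM realm, "true" flag."""
    cfg = json.loads(PAGE_SAMPLE)
    cfg["configProps"].update({
        "hive.metastore.uris": "thrift://metastore.example.com:9083",
        "hive.metastore.kerberos.principal": "hive/metastore.example.com@EXAMPLE.COM",
        "hive.security.authorization.enabled": "true"})
    return json.dumps(cfg)
```

Run against the sample as printed in step 3, the check reports that hive.security.authorization.enabled is absent from the sample and that two placeholders remain.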

Restart Warden

  1. Issue the following command on all nodes to restart the Warden service:
    service mapr-warden restart
  2. Alternatively, if you have clush installed, you can run the following command to restart Warden on all nodes at once:
    clush -a "service mapr-warden restart"