I set up a Kerberos-authenticated Hive server, and there is a Windows AD domain; I want to connect to the Hive server using the AD domain users.
I have now set up a cross-realm trust between the Windows AD server and the Kerberos KDC, and can successfully obtain a ticket for AD users with "kinit", but I cannot generate a keytab file for AD users. Is there any way to use AD users to connect to the Hive server?
I have fixed it.
You need to translate principal names from the Active Directory realm into the KDC realm.
Configure the hadoop.security.auth_to_local setting in the core-site.xml file:

```xml
<property>
  <name>hadoop.security.auth_to_local</name>
  <value>
    <!-- one-component principals, e.g. user@AD_REALM.COM:
         [1:$1@$0] formats them as "user@REALM", the parenthesised regex must
         match that whole string, and the s/.../.../g part rewrites it -->
    RULE:[1:$1@$0](^.*@AD_REALM\.COM$)s/^(.*)@AD_REALM\.COM$/USER_YOU_WANT_TO_USE/g
    <!-- two-component principals, e.g. service/host@AD_REALM.COM -->
    RULE:[2:$1@$0](^.*@AD_REALM\.COM$)s/^(.*)@AD_REALM\.COM$/USER_YOU_WANT_TO_USE/g
    <!-- principals in the KDC's own (default) realm map to their first component -->
    DEFAULT
  </value>
</property>
```
You can test these rulesets by using "hadoop kerbname" or "hadoop org.apache.hadoop.security.HadoopKerberosName".
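The rule syntax above has a few moving parts ([n:format] expansion, the whole-string match, the sed-style substitution, and the DEFAULT fallback), and checking them normally needs a Hadoop installation. The following is an added example, not code from the answer or from Hadoop: a small Python port of the way Hadoop's KerberosName evaluates auth_to_local rules, so a ruleset can be dry-run against sample principals offline. The realm names AD.EXAMPLE.COM and HADOOP.EXAMPLE.COM, the local account name hiveuser and all sample principals are made up for the example; Python's re module stands in for Java regexes, which is fine for rules of this shape. Beyond the posted ruleset, it also runs a variant that keeps each AD user's own short name ($1 as the replacement) to show the difference.

```python
import re

# Grammar of one rule, adapted for this example from Hadoop's
# KerberosName.ruleParser: DEFAULT, or
#   RULE:[n:format](match-regex)s/from/to/g/L   (match, s///, g and /L optional)
_RULE = re.compile(
    r"\s*(?:(DEFAULT)|RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
    r"(?:s/([^/]*)/([^/]*)/(g)?)?(/L)?)"
)
_NON_SIMPLE = re.compile(r"[/@]")  # a local name may contain neither


class NoMatchingRule(Exception):
    """Raised when no rule yields a simple local name for the principal."""


def parse_rules(text):
    """Parse a hadoop.security.auth_to_local value into a list of rule dicts."""
    rules, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _RULE.match(text, pos)
        if not m:
            raise ValueError("invalid rule text at: " + text[pos:])
        pos = m.end()
        if m.group(1):
            rules.append({"default": True})
            continue
        rules.append({
            "default": False,
            "ncomp": int(m.group(2)),            # rule applies only to principals with this many components
            "format": m.group(3),                # e.g. "$1@$0": $0 = realm, $n = n-th component
            "match": re.compile(m.group(4)) if m.group(4) is not None else None,
            "from": re.compile(m.group(5)) if m.group(5) is not None else None,
            # Hadoop hands the replacement to Java's replaceAll, where $1 is a group
            # reference; rewrite it to Python's \g<1> form.
            "to": re.sub(r"\$(\d+)", r"\\g<\1>", m.group(6) or ""),
            "repeat": m.group(7) is not None,    # trailing g: replace all occurrences
            "lower": m.group(8) is not None,     # trailing /L: lowercase the result
        })
    return rules


def apply_rules(principal, rules, default_realm):
    """Map a principal to a local short name: the first rule producing a result wins."""
    if "@" not in principal:
        return principal  # Hadoop returns realm-less names unchanged
    name, _, realm = principal.partition("@")
    comps = name.split("/")   # Hadoop itself only handles one or two components
    for rule in rules:
        result = None
        if rule["default"]:
            if realm == default_realm:
                result = comps[0]
        elif len(comps) == rule["ncomp"]:
            base = re.sub(
                r"\$(\d+)",
                lambda g: realm if g.group(1) == "0" else comps[int(g.group(1)) - 1],
                rule["format"],
            )
            # Java's matcher.matches() requires a whole-string match
            if rule["match"] is None or rule["match"].fullmatch(base):
                if rule["from"] is None:
                    result = base
                else:
                    result = rule["from"].sub(rule["to"], base,
                                              count=0 if rule["repeat"] else 1)
        if result is not None:
            if _NON_SIMPLE.search(result):
                raise NoMatchingRule("non-simple name %r after rule" % result)
            return result.lower() if rule.get("lower") else result
    raise NoMatchingRule("no rules applied to " + principal)


# Constructed ruleset in the shape of the answer's: every AD principal collapses
# onto one local account (hiveuser), KDC-realm principals keep their first component.
POSTED_RULES = r"""
RULE:[1:$1@$0](^.*@AD\.EXAMPLE\.COM$)s/^(.*)@AD\.EXAMPLE\.COM$/hiveuser/g
RULE:[2:$1@$0](^.*@AD\.EXAMPLE\.COM$)s/^(.*)@AD\.EXAMPLE\.COM$/hiveuser/g
DEFAULT
"""

# Variant (not from the answer): keep each AD user's own short name via $1.
KEEP_NAME_RULES = r"""
RULE:[1:$1@$0](^.*@AD\.EXAMPLE\.COM$)s/^(.*)@AD\.EXAMPLE\.COM$/$1/
RULE:[2:$1@$0](^.*@AD\.EXAMPLE\.COM$)s/^(.*)@AD\.EXAMPLE\.COM$/$1/
DEFAULT
"""

if __name__ == "__main__":
    for text in (POSTED_RULES, KEEP_NAME_RULES):
        rules = parse_rules(text)
        for p in ("alice@AD.EXAMPLE.COM", "svc/box.corp.example.com@AD.EXAMPLE.COM",
                  "hive/hs2.example.com@HADOOP.EXAMPLE.COM", "mallory@OTHER.EXAMPLE.COM"):
            try:
                print(p, "->", apply_rules(p, rules, "HADOOP.EXAMPLE.COM"))
            except NoMatchingRule as e:
                print(p, "->", e)
```

Note that the answer's ruleset maps every AD principal, one- or two-component, to the same local account, so all AD users share one identity inside Hadoop; a principal from any third realm falls through all rules and is rejected, which is the behaviour you want from a trust boundary.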