Support Questions

Find answers, ask questions, and share your expertise

Kerberized hive with not-kerberized Zookeeper

avatar
New Contributor

Hi.

 

I was wondering if anyone can confirm or deny that kerberized hive can (how?) work with not kerberized Zookeeper (+kerberized HDFS and Yarn).

 

Unless I overlooked something (which is very possible), it seems like in line 93 of attached log hive is trying to auth against ZK, and since there is any ZK security enabled this attempt failed.

 

If I'm right, is there any property that I can set up to disable auth attempts on hive side? hdfs/yarn seems to have zero problems working with unsecured ZK.

Or perhaps we need to enable kerberos on ZK nodes because hive won't work otherwise, period?

 

 

1 ACCEPTED SOLUTION

avatar
New Contributor

@asishThat was also my impression, but I was not able to find any solid confirmation. Eventually I kerberized ZK, correct bunch of playbooks to reflect that, and it works fine now.

View solution in original post

4 REPLIES 4

avatar
Guru

@Czarniak You can de-register Hiveserver2 from Zookeeper

https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.5/fault-tolerance/content/dynamic_service_discov...

 

Connect directly to hiveserver2 without zookeeper quorom.

avatar
New Contributor

That might be a good idea with only single hiveserver, we will have like 7 of them 🙂

That is why I'm asking if the current setup is even possible. If not, kerberizing ZK will get much higher priority. Which is a good thing I guess...

avatar
Guru

@Czarniak  The current setup is not possible

avatar
New Contributor

@asishThat was also my impression, but I was not able to find any solid confirmation. Eventually I kerberized ZK, correct bunch of playbooks to reflect that, and it works fine now.