The upcoming IOP 4.3 release, currently available for tech preview, includes two views that can be configured and used for executing Hive queries from the Ambari web interface, viz. the Hive View 1.0.0 – which works with Thrift Java API and the Hive View 1.5.0 – which works with the JDBC client. The blog https://developer.ibm.com/hadoop/2015/10/28/use-ambari-hive-view-write-execute-debug-hive-queries/¬†describes¬†the configuration steps for a non-Kerberized cluster.¬†For Kerberos enabled clusters, the Ambari Server instance and the view itself must be configured for Kerberos. This blog post covers the additional steps required for successfully configuring and executing Hive views in a Kerberized environment.
1.¬†Configure the ambari-server instance for Kerberos
- Navigate to the /etc/security/keytabs folder on the ambari-server host, run kadmin, create an ambari-server principal in the KDC, and generate a keytab for it.
- Stop Ambari server
- Run ambari-server setup-security and select option 3 – Setup Ambari kerberos JAAS configuration.
- Provide the Kerberos principal name for ambari-server created earlier and provide the path to its keytab.
- Restart Ambari server
2. Setup the proxyuser for hosts and groups for the ambari-server Kerberos principal
- From the Ambari dashboard, navigate to HDFS->Configs->Advanced tab.
- Expand the Custom core-site section and add the following new config properties:
hadoop.proxyuser.ambari-server.groups = *
hadoop.proxyuser.ambari-server.hosts = *
- Save the configuration changes and restart services as recommended.
3. Create the /user/admin folder on HDFS:
For this example, since admin is the logged-in user, the /user/admin folder needs to be created. This is required because Hive view stores user metadata in the /user/<logged-in-user> folder.
su ‚Äď hdfs
hadoop fs -mkdir /user/admin
hadoop fs -chown admin:hadoop /user/admin
4. Create a user for the ambari-server Kerberos principal and add it to the hadoop group
useradd -d /home/ambari-server -g hadoop -m ambari-server
¬†5.¬†Create a view instance:
Navigate to the Ambari admin view, expand Views->Hive and click on Create Instance. Select 1.0.0 or 1.5.0 in the Version drop down. The default version selected is 1.5.0.
For Kerberized clusters, the configuration settings that are important are the following:
- Hive Authentication (Hive View 1.0.0)¬†‚Äď Set this to include the value of ¬†the configuration property¬†hive.server2.authentication.kerberos.principal¬†settings in hive-site.xml
- Hive Session Parameters (Hive 1.5.0) ‚Äď Set this to include the value of ¬†the configuration property¬†hive.server2.authentication.kerberos.principal¬†settings in hive-site.xml
- WebHDFS Authentication ‚Äď Set this to include the ambari-server Kerberos principal
- Save and execute the view instance. You can now run Hive queries using the view instance.