HCatalog Authentication

This section describes how to configure HCatalog in CDH 5 with Kerberos security in a Hadoop cluster:

For more information about HCatalog see Installing and Using HCatalog.

Before You Start

Secure Web HCatalog requires a running remote Hive metastore service configured in secure mode. See Hive MetaStoreServer Security Configuration for instructions. Running secure WebHCat with an embedded repository is not supported.

Step 1: Create the HTTP keytab file

You need to create a keytab file for WebHCat. Follow these steps:

CAUTION:
These instructions assume that the HTTP keytab does not already exist. If the HTTP principal already exists, find an existing copy of that file and copy it to the /etc/webhcat/conf directory with permissions restricted to the hcatalog user. DO NOT run kadmin xst on it in this case.
  1. Create the file: 
    kadmin: addprinc -randkey HTTP/fully.qualified.domain.name@YOUR-REALM.COM
kadmin: xst -k HTTP.keytab HTTP/fully.qualified.domain.name
  2. Move the file into the WebHCat configuration directory and restrict its access exclusively to the hcatalog user: 
    $ mv HTTP.keytab /etc/webhcat/conf/
$ chown hcatalog /etc/webhcat/conf/HTTP.keytab
$ chmod 400 /etc/webhcat/conf/HTTP.keytab

Step 2: Configure WebHCat to Use Security

Create or edit the WebHCat configuration file webhcat-site.xml in the configuration directory and set following properties:

Property

Value

templeton.kerberos.secret

Any random value

templeton.kerberos.keytab

/etc/webhcat/conf/HTTP.keytab

templeton.kerberos.principal

HTTP/fully.qualified.domain.name@YOUR-REALM.COM

Example configuration:

<property>
    <name>templeton.kerberos.secret</name>
    <value>SuPerS3c3tV@lue!</value>
  </property>

  <property>
    <name>templeton.kerberos.keytab</name>
    <value>/etc/webhcat/conf/HTTP.keytab</value>
  </property>

  <property>
    <name>templeton.kerberos.principal</name>
    <value>HTTP/fully.qualified.domain.name@YOUR-REALM.COM</value>
  </property>

Step 3: Create Proxy Users

WebHCat needs access to your NameNode to work properly, and so you must configure Hadoop to allow impersonation from the hcatalog user. To do this, edit your core-site.xml configuration file and set the hadoop.proxyuser.HTTP.hosts and hadoop.proxyuser.HTTP.groups properties to specify the hosts from which HCatalog can do the impersonation and what users can be impersonated. You can use the value * for "any".

Example configuration:

  <property>
    <name>hadoop.proxyuser.HTTP.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.HTTP.groups</name>
    <value>*</value>
  </property>

Step 4: Verify the Configuration

After restarting WebHcat you can verify that it is working by using curl (you may need to run kinit first):

$ curl --negotiate -i -u : 'http://fully.qualified.domain.name:50111/templeton/v1/ddl/database'