The default Hive Kerberos delegation token store method can cause failures with Oozie HiveServer2 actions in certain environments. Cloudera suggests using org.apache.hadoop.hive.thrift.ZooKeeperTokenStore, or connecting to a single HiveServer2 instance behind the load balancer to avoid this connection failure.
When using multiple HiveServer2 instances front-ended by a load balancer, Oozie Hive2 actions can start a connection and get a delegation token on the first HiveServer2, and then because of load-balancing, get another connection to the next HiveServer2 when making the query. This causes the second connection to fail.
For HiveMetaStore HA, it is recommended to use DBTokenStore instead of ZookeeperTokenStore in order to better support a large number of requests to HiveMetaStore. For HiveServer2 HA, use ZookeeperTokenStore until DBTokenStore is getting stable in CDH with HIVE-12270.
CM > Hive > Configuration > HiveServer2 Advanced Configuration Snippet (Safety Valve) for hive-site.xml and enter:
<property>
<name>hive.cluster.delegation.token.store.class</name>
<value>org.apache.hadoop.hive.thrift.ZooKeeperTokenStore</value>
</property>
CM > Hive > Configuration > Hive Metastore Server Advanced Configuration Snippet (Safety Valve) for hive-site.xml and enter:
<property>
<name>hive.cluster.delegation.token.store.class</name>
<value>org.apache.hadoop.hive.thrift.DBTokenStore</value> </property>
(this is optional if you have set "Hive Metastore Delegation Token Store" to "org.apache.hadoop.hive.thrift.DBTokenStore")
hive.server2.thrift.sasl.qop
?auth-conf
?