# How Kerberos works with Dataproc Metastore

This page describes how Dataproc Metastore supports the Kerberos protocol.

[Kerberos](https://web.mit.edu/kerberos/) is a network authentication protocol that is designed to provide strong authentication for client and server applications by using secret-key cryptography. It's commonly used across the Hadoop stack for authentication throughout the software ecosystem.

You can configure Kerberos on the following Dataproc Metastore services:

- A Dataproc Metastore service that uses the [Thrift endpoint protocol](/dataproc-metastore/docs/configure-kerberos).
- A Dataproc Metastore service that uses the [gRPC endpoint protocol](/dataproc-metastore/docs/configure-kerberos-grpc).

The process for configuring Kerberos is different for each type of service.

Required Kerberos assets
------------------------

The following section provides general information on the Kerberos assets that you need to configure Kerberos for a Dataproc Metastore service.

**Kerberos KDC**

A [Kerberos KDC](https://en.wikipedia.org/wiki/Key_distribution_center) is required. You can use the local KDC of a Dataproc cluster or create and host your own. Whichever you choose, the KDC must be reachable from the network that is peered with your Dataproc Metastore service.

**Kerberos principal**

When you configure Kerberos for a Dataproc Metastore service, you create the Hive metastore service principal using a Dataproc cluster.

**Keytab file**

A keytab file contains pairs of Kerberos principals and encrypted keys, which are used to authenticate a service principal with a Kerberos KDC. Treat it like a password: anyone who can read the keytab can authenticate as that principal.

When you configure Kerberos for a Dataproc Metastore service, you generate your keytab file using a Dataproc cluster.

- The generated keytab file contains your Hive metastore service principal and its keys.
- The keytab file is stored in [Google Cloud Secret Manager](/secret-manager/docs/overview). The Secret Manager secret that you provide must be [pinned to a specific secret version](/secret-manager/docs/add-secret-version#secretmanager-add-secret-version-gcloud). You must specify the secret version that you want to use; Dataproc Metastore does not pick the latest version automatically. This also means that adding a new keytab version (for example after rotating the principal's keys) does not take effect until you update the service to point at the new version.

**krb5.conf file**

A valid `krb5.conf` file contains Kerberos configuration information, such as the KDC IP, port, and realm name. Dataproc Metastore uses it to find the KDC for the realm of the service principal.

When you configure Kerberos for a Dataproc Metastore service, the `krb5.conf` of a Kerberos-enabled Dataproc cluster (the same cluster that you used to create the principal and keytab) is a good starting point, but check that it meets the following requirements:

- When configuring the `krb5.conf` file, specify the KDC IP that is accessible from your peered network. Don't specify the KDC FQDN: a host name would have to be resolvable from the Dataproc Metastore side of the peering, whereas an IP address avoids that dependency.
- If you are using the Thrift endpoint, you must store the file in a Cloud Storage bucket. You can use an existing bucket or create a new one. The file contains no secrets, but anyone who can modify it can point the service at a different KDC, so restrict write access to the bucket.
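As an added example, not code from the Dataproc Metastore documentation or product, the following POSIX shell script assembles a `krb5.conf` that names the KDC by IP, checks an existing `krb5.conf` for FQDN entries, and checks that a Secret Manager reference for the keytab is pinned to a numbered version rather than `latest`. The realm `EXAMPLE.COM`, the KDC address `10.128.0.5`, the principal, secret and bucket names are placeholders chosen for the example, and the `kadmin.local` and `gcloud` invocations in the comment block are standard MIT Kerberos and gcloud commands, not steps copied from the configuration guides.

```shell
#!/bin/sh
# Added example (not from the Dataproc Metastore docs): assemble and sanity-check
# the Kerberos assets listed above. Realm EXAMPLE.COM, KDC 10.128.0.5, the
# principal, secret and bucket names are placeholders chosen for this example.

# True only for a dotted-quad IPv4 literal. The docs require the KDC to be
# given as an IP reachable from the peered network, never as an FQDN.
# (IPv6 literals are not handled.)
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    { exit 0 }'
}

# Render a minimal krb5.conf for REALM that points at KDC_IP (port defaults
# to 88). dns_lookup_kdc=false stops libkrb5 from falling back to DNS SRV
# records, so the service only ever talks to the KDC you named.
render_krb5_conf() {
  realm=$1; kdc_ip=$2; port=${3:-88}
  is_ipv4 "$kdc_ip" || { echo "kdc must be an IP address, got '$kdc_ip'" >&2; return 1; }
  cat <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_kdc = false

[realms]
  $realm = {
    kdc = $kdc_ip:$port
    admin_server = $kdc_ip
  }
EOF
}

# Check an existing krb5.conf (for example one copied from a Kerberos-enabled
# Dataproc cluster): there must be at least one "kdc = host[:port]" entry and
# every one of them must be an IP literal.
check_krb5_conf() {
  file=$1; rc=0; found=0
  for kdc in $(awk '/^[ \t]*kdc[ \t]*=/ {
                      split($0, a, "="); gsub(/[ \t]/, "", a[2])
                      sub(/:[0-9]+$/, "", a[2]); print a[2] }' "$file"); do
    found=1
    is_ipv4 "$kdc" || { echo "kdc entry is not an IP address: $kdc" >&2; rc=1; }
  done
  [ "$found" -eq 1 ] || { echo "no kdc entry found in $file" >&2; rc=1; }
  return $rc
}

# Secret Manager references must name a numbered version: Dataproc Metastore
# reads exactly that version and never follows "latest".
check_pinned_secret_version() {
  case $1 in
    projects/*/secrets/*/versions/latest)
      echo "pin the keytab secret to a numbered version, not 'latest'" >&2; return 1 ;;
    projects/*/secrets/*/versions/[0-9]*) return 0 ;;
    *) echo "not a secret version resource name: $1" >&2; return 1 ;;
  esac
}

# Manual steps that need gcloud and a Kerberos-enabled Dataproc cluster; they
# are listed for reference and are not run by this script.
#   sudo kadmin.local -q "addprinc -randkey hive/metastore.example.com@EXAMPLE.COM"
#   sudo kadmin.local -q "ktadd -k hive.keytab hive/metastore.example.com@EXAMPLE.COM"
#   gcloud secrets create hive-keytab --replication-policy=automatic
#   gcloud secrets versions add hive-keytab --data-file=hive.keytab   # note the version number
#   gcloud storage cp krb5.conf gs://my-metastore-config/krb5.conf  # Thrift endpoint only

# Run the checks on constructed values.
demo() {
  conf=$(mktemp) || return 1
  render_krb5_conf EXAMPLE.COM 10.128.0.5 > "$conf" || return 1
  check_krb5_conf "$conf" || return 1
  rm -f "$conf"
  check_pinned_secret_version projects/my-project/secrets/hive-keytab/versions/3
}

demo && echo "Kerberos asset checks passed"
```

`check_pinned_secret_version` validates only the shape of the resource name; the numbered version must actually exist, and whatever identity Dataproc Metastore uses to fetch it must have read access to that secret. `check_krb5_conf` is deliberately strict: a `kdc = kdc.example.com` line is exactly the configuration the docs say not to ship, so it fails the check even though libkrb5 would accept it on a host that can resolve the name.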
What's next
-----------

- Create a Dataproc Metastore service that uses the [Thrift endpoint protocol](/dataproc-metastore/docs/configure-kerberos).
- Create a Dataproc Metastore service that uses the [gRPC endpoint protocol](/dataproc-metastore/docs/configure-kerberos-grpc).

Last updated 2025-08-28 UTC.