# Hadoop Credentials Manager
To authenticate against a Kerberos-secured Hadoop cluster, Kyuubi currently submits
engines in two ways:
1. Submits with the current Kerberos user and the extra `SparkSubmit` argument `--proxy-user`.
2. Submits with `spark.kerberos.principal` and `spark.kerberos.keytab` specified.
If an engine is submitted with `--proxy-user`, its delegation tokens for Hadoop cluster
services are obtained by the current Kerberos user and cannot be renewed by the engine itself.
Thus, the engine's lifetime is limited by the lifetime of its delegation tokens.
To remove this limitation, Kyuubi renews delegation tokens on the server side in the Hadoop Credentials Manager.
An engine submitted with a principal and keytab can renew delegation tokens by itself.
But for implementation simplicity, the Kyuubi server also renews delegation tokens for it.
## Configurations
### Cluster Services
Kyuubi currently supports renewing delegation tokens of Hadoop filesystems and Hive metastore servers.
#### Hadoop client configurations
Set `HADOOP_CONF_DIR` in `$KYUUBI_HOME/conf/kyuubi-env.sh` if it hasn't been set yet, e.g.
```bash
$ echo "export HADOOP_CONF_DIR=/path/to/hadoop/conf" >> $KYUUBI_HOME/conf/kyuubi-env.sh
```
Extra Hadoop filesystems can be specified in `$KYUUBI_HOME/conf/kyuubi-defaults.conf`
with `kyuubi.credentials.hadoopfs.uris` as a comma-separated list.
#### Hive metastore configurations
##### Via kyuubi-defaults.conf
Specify Hive metastore configurations in `$KYUUBI_HOME/conf/kyuubi-defaults.conf`. The Hadoop Credentials
Manager loads these configurations when it is initialized.
##### Via hive-site.xml
Place your copy of `hive-site.xml` into `$KYUUBI_HOME/conf`. Kyuubi will load this config file to
its classpath.
Configurations loaded this way have lower priority than those in `$KYUUBI_HOME/conf/kyuubi-defaults.conf`.
##### Via JDBC Connection URL
Hive configurations specified in the JDBC connection URL are ignored by the Hadoop Credentials Manager,
because the Hadoop Credentials Manager is initialized when the Kyuubi server starts.
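The precedence described in the three subsections above can be checked with a small resolver. This is an added illustration, not Kyuubi's own code: the parsers are simplified, the function names are hypothetical, and all hosts, realms and values in the sample inputs are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs; hosts, realm and values are placeholders.
KYUUBI_DEFAULTS = """\
# $KYUUBI_HOME/conf/kyuubi-defaults.conf
kyuubi.credentials.hive.enabled      true
hive.metastore.uris                  thrift://metastore-a.example.com:9083
hive.metastore.sasl.enabled=true
"""
HIVE_SITE = """<configuration>
  <property><name>hive.metastore.uris</name><value>thrift://metastore-b.example.com:9083</value></property>
  <property><name>hive.metastore.kerberos.principal</name><value>hive/_HOST@EXAMPLE.COM</value></property>
</configuration>"""
JDBC_URL = ("jdbc:hive2://kyuubi.example.com:10009/default"
            "?hive.metastore.uris=thrift://metastore-c.example.com:9083")

def parse_defaults(text):
    """Simplified 'key value' / 'key=value' parser; '#' starts a comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def parse_hive_site(xml_text):
    """Read <property><name>/<value> pairs from a hive-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value", "") for p in root.iter("property")}

def url_hive_confs(jdbc_url):
    """Keys in the '?k=v;k=v' part of a JDBC URL (before any '#vars')."""
    query = jdbc_url.partition("?")[2].partition("#")[0]
    return dict(kv.split("=", 1) for kv in query.split(";") if "=" in kv)

def effective_conf(defaults_text, hive_site_xml, jdbc_url, prefix="hive.metastore."):
    """Return ({key: (value, source)}, [URL keys that are ignored])."""
    merged = {}
    for source, conf in (("hive-site.xml", parse_hive_site(hive_site_xml)),
                         ("kyuubi-defaults.conf", parse_defaults(defaults_text))):
        for k, v in conf.items():
            if k.startswith(prefix):
                merged[k] = (v, source)  # the later, higher-priority source overwrites
    ignored = sorted(k for k in url_hive_confs(jdbc_url) if k.startswith(prefix))
    return merged, ignored
```

A key reported in the ignored list is a setting a client tried to pass per connection that has no effect on server-side token renewal.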
### Credentials Renewal
| Key | Default | Meaning | Type | Since |
|-----|---------|---------|------|-------|
| kyuubi.credentials.hadoopfs.enabled | | | | |
| kyuubi.credentials.hadoopfs.uris | | | | |
| kyuubi.credentials.hive.enabled | | | | |
| kyuubi.credentials.renewal.interval | | | | |
| kyuubi.credentials.renewal.retry.wait | | | | |
| hadoop.security.authentication | | | | |
| hive.metastore.uris | | | | |
| hive.metastore.sasl.enabled | | | | |
| hive.metastore.kerberos.principal | | | | |
| hive.metastore.kerberos.keytab.file | | | | |