You may hit some impersonation issues because of some wrong auth-to-local rules.
These rules translates your principal to a user short name, and you may want to be sure that – for example – hive/worker01@REALM correctly translates to hive.
to do that :
[root@worker ~]# hadoop org.apache.hadoop.security.HadoopKerberosName \
HTTP/worker01fqdn@REALM
Name: HTTP/worker01fqdn@REALM to HTTP
So, what do you think ?