diff --git a/docs/security/hadoop_credentials_manager.md b/docs/security/hadoop_credentials_manager.md
index 32ce02e9930..6bc6be610e5 100644
--- a/docs/security/hadoop_credentials_manager.md
+++ b/docs/security/hadoop_credentials_manager.md
@@ -75,3 +75,16 @@ kyuubi\.credentials
\.hadoopfs\.uris|
true
|Whether to renew Hive metastore delegation token
|boolean
|1.4.0
kyuubi\.credentials
\.renewal\.interval|PT1H
|How often Kyuubi renews one user's delegation tokens
|duration
|1.4.0
kyuubi\.credentials
\.renewal\.retry\.wait|PT1M
|How long to wait before retrying to fetch new credentials after a failure.
|duration
|1.4.0
+
+
+### Required Security Configs
+
+The necessary configurations for hdfs and hive to obtain delegation token are as follows:
+
+Key | Meaning | value
+--- | --- | ---
+hadoop.security.authentication
|Set the authentication for the cluster
|kerberos
+hive.metastore.uris
|URI for client to contact metastore server
|thrift://{metastoreHost}:{metastorePort}}
+hive.metastore.sasl.enabled
|If true, the metastore thrift interface will be secured with SASL.Clients must authenticate with Kerberos.
|true
+hive.metastore.kerberos.principal
|The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.
|for example hive/_HOST@${realm}
+hive.metastore.kerberos.keytab.file
|The path to the Kerberos Keytab file containing the metastore thrift server's service principal.
|for example /etc/security/keytabs/hive.service.keytab
\ No newline at end of file
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/credentials/HadoopCredentialsManager.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/credentials/HadoopCredentialsManager.scala
index 2ebda604a19..fafa655c2bf 100644
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/credentials/HadoopCredentialsManager.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/credentials/HadoopCredentialsManager.scala
@@ -100,7 +100,11 @@ class HadoopCredentialsManager private (name: String) extends AbstractService(na
val required = provider.delegationTokensRequired()
if (!required) {
warn(s"Service ${provider.serviceName} does not require a token." +
- s" Check your configuration to see if security is disabled or not.")
+ s" Check your configuration to see if security is disabled or not." +
+ s" If security is enabled, some configurations of ${provider.serviceName} " +
+ s" might be missing, please check the configurations in " +
+ s" https://kyuubi.readthedocs.io/en/latest/security" +
+ s"/hadoop_credentials_manager.html#required-security-configs")
provider.close()
}
required
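Review bot: The added fragments of the warning join with doubled spaces, because `${provider.serviceName} "` ends with a space and the next literal `" might be missing..."` starts with one, and the same happens between `"...configurations in "` and `" https://..."`. This warning is the only visible signal in the hunk that a provider is being closed without tokens, possibly because of missing Kerberos settings, so it should read cleanly and be easy to grep. I would drop the trailing spaces and the unneeded `s` prefixes: `s" If security is enabled, some configurations of ${provider.serviceName}" +`, `" might be missing, please check the configurations in" +`, `" https://kyuubi.readthedocs.io/en/latest/security" +`. The link also points at `latest`, which may describe different settings from the deployed release, so a version-specific URL or a plain reference to the "Required Security Configs" section might age better. The enclosing method starts and ends outside the hunk.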