[repost] Hive Server2 Security Configuration

original:https://ccp.cloudera.com/display/CDH4DOC/Hive+Server2+Security+Configuration

Introduction to Hive Server2 Security in CDH4

HiveServer2 supports authentication of the Thrift client using either of these methods:

  • Kerberos authentication
  • LDAP authentication

To configure HiveServer2 to use one of these authentication modes, set the hive.server2.authentication configuration property as described in the following sections.

Using Kerberos Authentication with HiveServer2

If you configure HiveServer2 to use Kerberos authentication, HiveServer2 acquires a Kerberos ticket during start-up. HiveServer2 requires a principal and keytab file specified in the configuration. The client applications (for example JDBC or beeline) must get a valid Kerberos ticket before initiating a connection to HiveServer2.

Enabling Kerberos Authentication for HiveServer2

To enable Kerberos authentication for HiveServer2, add the following properties in the hive-site.xml file:

<property>
  <name>hive.server2.authentication</name>
  <value>KERBEROS</value>
</property>
<property>
  <name>hive.server2.authentication.kerberos.principal</name>
  <value>HiveServer2_principal</value>
</property>
<property>
  <name>hive.server2.authentication.kerberos.keytab</name>
  <value>HiveServer2_Keytab_file</value>
</property>

where:

  • The HiveServer2_principal value in the example above is the Kerberos principal for the HiveServer2 process.
  • The HiveServer2_Keytab_file value in the example above is the keytab file for that principal.

Note that HiveServer2 accesses the Hadoop cluster using the identity of this Kerberos principal and does not impersonate the client user connecting to it.

Configuring JDBC Clients for Kerberos Authentication with HiveServer2

JDBC-based clients must include principal=<HiveServer2-Kerberos-Principal> in the JDBC connection string. For example:

import java.sql.Connection;
import java.sql.DriverManager;
String url = "jdbc:hive2://node1:10000/default;principal=HiveServer2_principal";
Connection con = DriverManager.getConnection(url);

where the HiveServer2_principal value is the Kerberos principal used by the HiveServer2 process that the client is trying to connect to.

Using LDAP Authentication with HiveServer2

As an alternative to Kerberos authentication, you can configure HiveServer2 to use user and password validation backed by LDAP. In this case, the client sends a user name and password during the connection initiation. HiveServer2 validates these credentials using an external LDAP service.

You can enable LDAP Authentication with HiveServer2 using Active Directory or OpenLDAP.

Enabling LDAP Authentication with HiveServer2 using Active Directory

To enable the LDAP mode of authentication using Active Directory, include the following properties in the hive-site.xml file:

<property>
  <name>hive.server2.authentication</name>
  <value>LDAP</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.url</name>
  <value>LDAP_URL</value>
</property>

where:

  • The LDAP_URL value is the access URL for your LDAP server.

Enabling LDAP Authentication with HiveServer2 using OpenLDAP

To enable the LDAP mode of authentication using OpenLDAP, include the following properties in the hive-site.xml file:

<property>
  <name>hive.server2.authentication</name>
  <value>LDAP</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.url</name>
  <value>LDAP_URL</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.baseDN</name>
  <value>LDAP_BaseDN</value>
</property>

where:

  • The LDAP_URL value is the access URL for your LDAP server.
  • The LDAP_BaseDN value is the base LDAP DN for your LDAP server.
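As an added example (not Cloudera's or Hive's own code), the following Python script checks a hive-site.xml document against the rules of the Kerberos, Active Directory and OpenLDAP sections above: the KERBEROS mode must carry a principal and a keytab, the LDAP mode must carry an LDAP URL. The sample hive-site.xml fragments, the principal hive/hs2.example.com@EXAMPLE.COM, the keytab path and the LDAP hostname are all constructed for the example. It also adds one check the page does not state: a plain ldap:// URL means the simple bind sends the user's password without transport encryption, so the script flags any URL that is not ldaps://.

```python
# Added example, not Cloudera's code: validate the hive.server2.authentication
# settings in a hive-site.xml document against the rules in the sections above.
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml fragments (not taken from a real cluster).
KERBEROS_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.authentication.kerberos.principal</name>
            <value>hive/hs2.example.com@EXAMPLE.COM</value></property>
  <property><name>hive.server2.authentication.kerberos.keytab</name>
            <value>/etc/hive/conf/hive.keytab</value></property>
</configuration>"""

LDAP_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name>
            <value>ldap://ldap.example.com:389</value></property>
</configuration>"""

# Properties each mode requires, taken from the hive-site.xml snippets above.
REQUIRED = {
    "KERBEROS": ["hive.server2.authentication.kerberos.principal",
                 "hive.server2.authentication.kerberos.keytab"],
    "LDAP": ["hive.server2.authentication.ldap.url"],
}


def load_properties(xml_text):
    """Return {name: value} for every <property> element in a hive-site.xml string."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def check_hiveserver2_auth(props):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    mode = props.get("hive.server2.authentication", "").upper()
    if mode not in REQUIRED:
        findings.append("hive.server2.authentication is %r; expected KERBEROS or LDAP" % mode)
        return findings
    for key in REQUIRED[mode]:
        if not props.get(key):
            findings.append("%s mode requires %s" % (mode, key))
    if mode == "LDAP":
        url = props.get("hive.server2.authentication.ldap.url", "")
        # Added check (assumption, not stated on the page): a simple bind over a plain
        # ldap:// URL carries the user's password without transport encryption.
        if url and not url.lower().startswith("ldaps://"):
            findings.append("ldap.url %r is not ldaps://; bind credentials may cross the network unencrypted" % url)
    return findings


if __name__ == "__main__":
    for label, doc in (("kerberos", KERBEROS_SITE), ("ldap", LDAP_SITE)):
        print(label, check_hiveserver2_auth(load_properties(doc)) or "OK")
```

Run it against a real hive-site.xml by reading the file into load_properties(); the KERBEROS sample passes cleanly and the LDAP sample produces only the ldaps:// warning.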

Configuring JDBC Clients for LDAP Authentication with HiveServer2

JDBC-based clients must include user=LDAP_Userid;password=LDAP_Password in the JDBC connection string. For example:

import java.sql.Connection;
import java.sql.DriverManager;
String url = "jdbc:hive2://node1:10000/default;user=LDAP_Userid;password=LDAP_Password";
Connection con = DriverManager.getConnection(url);

where the LDAP_Userid value is the user id and LDAP_Password is the password of the client user.
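The two JDBC sections above show that the authentication material travels inside the connection string: principal= for Kerberos, user= and password= for LDAP. The following Python script is an added example (not Cloudera's or Hive's own code) that parses that jdbc:hive2:// string format, checks it carries what the configured mode needs, and masks the password so a client can log the URL it used without leaking the LDAP password. The hostname node1, the principal hive/hs2.example.com@EXAMPLE.COM and the user alice are constructed for the example.

```python
# Added example, not Cloudera's code: parse and check HiveServer2 JDBC connection strings.
import re

# Constructed sample connection strings matching the two JDBC sections above.
KERBEROS_URL = "jdbc:hive2://node1:10000/default;principal=hive/hs2.example.com@EXAMPLE.COM"
LDAP_URL = "jdbc:hive2://node1:10000/default;user=alice;password=s3cret"

_HIVE2_RE = re.compile(r"^jdbc:hive2://([^/;]+)(?:/([^;]*))?(?:;(.*))?$")


def parse_hive2_url(url):
    """Split jdbc:hive2://host[:port][/db][;k=v;...] into host, port, db and params."""
    m = _HIVE2_RE.match(url)
    if not m:
        raise ValueError("not a jdbc:hive2 URL: %r" % url)
    hostport, db, params = m.groups()
    host, _, port = hostport.partition(":")
    session = {}
    for item in (params or "").split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            session[key] = value
    return {
        "host": host,
        "port": int(port) if port else None,
        "db": db or "default",
        "params": session,
    }


def check_client_url(url, mode):
    """Return findings for a connection string given the server's configured mode."""
    params = parse_hive2_url(url)["params"]
    findings = []
    if mode == "KERBEROS" and "principal" not in params:
        findings.append("KERBEROS mode: connection string must carry principal=<HiveServer2 principal>")
    if mode == "LDAP":
        for key in ("user", "password"):
            if key not in params:
                findings.append("LDAP mode: connection string must carry %s=" % key)
    return findings


def redact_url(url):
    """Mask the password parameter so the connection string can be logged safely."""
    return re.sub(r"(;password=)[^;]*", r"\1***", url)


if __name__ == "__main__":
    print(check_client_url(KERBEROS_URL, "KERBEROS") or "kerberos URL OK")
    print(check_client_url(LDAP_URL, "LDAP") or "ldap URL OK")
    print(redact_url(LDAP_URL))
```

Because the LDAP password sits in the URL, any code path that logs or prints the connection string (for example a connection-error handler) should run it through redact_url() first.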