[repost] Hive MetaStoreServer Security Configuration



This section describes how to configure security for Hive MetaStoreServer. If you are using Hive Server2, see Hive Server2 Security Configuration.

Here is a summary of Hive MetaStoreServer security in CDH4:

  • No additional configuration is required to run Hive on top of a security-enabled Hadoop cluster in standalone mode using a local or embedded MetaStore.
  • HiveServer does not support Kerberos authentication for clients. While it is possible to run HiveServer with a secured Hadoop cluster, doing so creates a security hole since HiveServer does not authenticate the Thrift clients that connect to it. Instead, you can use Hive Server2; see Hive Server2 Security Configuration.
  • The Hive MetaStoreServer supports Kerberos authentication for Thrift clients. For example, you can configure a standalone Hive MetaStoreServer instance to force clients to authenticate with Kerberos by setting the following properties in the hive-site.xml configuration file used by the MetaStore server:
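    <property>
      <name>hive.metastore.sasl.enabled</name>
      <value>true</value>
      <description>If true, the metastore thrift interface will be secured with SASL. Clients must authenticate with Kerberos.</description>
    </property>

    <property>
      <name>hive.metastore.kerberos.keytab.file</name>
      <value>PLACEHOLDER_PATH_TO_METASTORE_KEYTAB</value>
      <description>The path to the Kerberos Keytab file containing the metastore thrift server's service principal.</description>
    </property>

    <property>
      <name>hive.metastore.kerberos.principal</name>
      <value>PLACEHOLDER_SERVICE_NAME/_HOST@PLACEHOLDER_REALM</value>
      <description>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.</description>
    </property>
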
The values shown above for the hive.metastore.kerberos.keytab.file and hive.metastore.kerberos.principal properties are examples which you will need to replace with the appropriate values for your cluster. Also note that the Hive keytab file should have its access permissions set to 600 and be owned by the same account that is used to run the Metastore server, which is the hive user by default.
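
A check for the settings and keytab requirements described above, as an added example that is not part of the original page or of Hive or CDH. It parses a hive-site.xml, confirms that SASL is enabled and the principal is set, and verifies that the keytab has mode 600 and the expected owner. The function names and the run_as parameter are assumptions made for this example.

```python
import os, pwd, stat, sys
import xml.etree.ElementTree as ET

SASL = "hive.metastore.sasl.enabled"
KEYTAB = "hive.metastore.kerberos.keytab.file"
PRINCIPAL = "hive.metastore.kerberos.principal"

def load_properties(path):
    """Return {name: value} for each <property> in a Hadoop-style XML file."""
    props = {}
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_metastore(hive_site, run_as="hive"):
    """Return a list of findings; an empty list means every check passed."""
    props, findings = load_properties(hive_site), []
    if props.get(SASL, "").lower() != "true":
        findings.append(f"{SASL} is not true: Thrift clients are not authenticated")
    if not props.get(PRINCIPAL):
        findings.append(f"{PRINCIPAL} is not set")
    keytab = props.get(KEYTAB)
    if not keytab:
        return findings + [f"{KEYTAB} is not set"]
    try:
        st = os.stat(keytab)
    except OSError as exc:
        return findings + [f"keytab {keytab}: {exc.strerror}"]
    mode = stat.S_IMODE(st.st_mode)      # permission bits only
    if mode != 0o600:
        findings.append(f"keytab mode is {mode:03o}, expected 600")
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:                     # uid with no passwd entry
        owner = str(st.st_uid)
    if owner != run_as:
        findings.append(f"keytab owner is {owner}, expected {run_as}")
    return findings

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: audit_metastore.py HIVE_SITE_XML [RUN_AS_USER]")
    problems = audit_metastore(*sys.argv[1:3])
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run it on the MetaStore host against the hive-site.xml that the MetaStore server actually loads; a non-zero exit status means at least one check failed.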