Hiveserver2 authentication

hiveserver2 supports multiple authentication modes, such as Kerberos, LDAP, PAM, and customized code. To configure hiveserver2 to use one of these authentication modes, set the corresponding properties in hive-site.xml as follows, and then restart the hiveserver2 service for the change to take effect:

  • NONE: This is the default setting. NONE means that anonymous access is allowed, using the following setting:
      <property>
      <name>hive.server2.authentication</name>
      <value>NONE</value>
      </property>
  • KERBEROS: If Kerberos authentication is used, it authenticates between the Thrift client and hiveserver2, and between hiveserver2 and the secured HDFS. To enable Kerberos authentication for hiveserver2, set the following properties, specifying the keytab path and replacing YOUR-REALM.COM with the actual realm name:
      <property>
      <name>hive.server2.authentication</name>
      <value>KERBEROS</value>
      </property>

      <property>
      <name>hive.server2.authentication.kerberos.keytab</name>
      <value>/etc/hive/conf/hive.keytab</value>
      </property>

      <property>
      <name>hive.server2.authentication.kerberos.principal</name>
      <value>hive/_HOST@YOUR-REALM.COM</value>
      </property>

Once Kerberos is enabled, the JDBC client (such as Beeline) must include the principal parameter in the JDBC connection string, such as jdbc:hive2://hiveserver2host:10000/default;principal=hive/_HOST@REALM. For more examples of the supported connection string syntax, refer to https://community.hortonworks.com/articles/4103/hiveserver2-jdbc-connection-url-examples.html.
  • LDAP: To enable LDAP authentication, configure the settings as follows:
      <property>
      <name>hive.server2.authentication</name>
      <value>LDAP</value>
      </property>

      <property>
      <name>hive.server2.authentication.ldap.url</name>
      <value>LDAP_URL, such as ldap://[email protected]</value>
      </property>

      <property>
      <name>hive.server2.authentication.ldap.Domain</name>
      <value>Domain Name</value>
      </property>

To configure it with OpenLDAP (https://en.wikipedia.org/wiki/OpenLDAP), we can add the baseDN setting instead of the preceding Domain property, as follows:

      <property>
      <name>hive.server2.authentication.ldap.baseDN</name>
      <value>LDAP_BaseDN, such as ou=people,dc=packtpub,dc=com</value>
      </property>
  • CUSTOM: This represents the customized authentication provider for hiveserver2. To enable it, configure the settings as follows:
      <property>
      <name>hive.server2.authentication</name>
      <value>CUSTOM</value>
      </property>

      <property>
      <name>hive.server2.custom.authentication.class</name>
      <value>pluggable-auth-class-name</value>
      <description>Customized authentication class name, such as
      com.packtpub.hive.essentials.hiveudf.customAuthenticator</description>
      </property>

Pluggable authentication with a customized class did not work until the bug (see https://issues.apache.org/jira/browse/HIVE-4778) was fixed in Hive v0.13.0.

The following is a sample of a customized class that implements the org.apache.hive.service.auth.PasswdAuthenticationProvider interface. The overridden Authenticate(...) method has the core logic of how to authenticate a username and password. Make sure to copy the compiled JAR file to $HIVE_HOME/lib/ so that the preceding settings can work:

// customAuthenticator.java
package com.packtpub.hive.essentials.hiveudf;

import java.util.Hashtable;
import javax.security.sasl.AuthenticationException;
import org.apache.hive.service.auth.PasswdAuthenticationProvider;

/*
 * The customized class for hiveserver2 authentication
 */

public class customAuthenticator implements PasswdAuthenticationProvider {

  // Demo credential store: user names and plaintext passwords are hard-coded for illustration only
  Hashtable<String, String> authHashTable = null;

  public customAuthenticator () {
       authHashTable = new Hashtable<String, String>();
       authHashTable.put("user1", "passwd1");
       authHashTable.put("user2", "passwd2");
  }

  @Override
  public void Authenticate(String user, String password)
            throws AuthenticationException {

    String storedPasswd = authHashTable.get(user);

    if (storedPasswd != null && storedPasswd.equals(password))
         return;

    throw new AuthenticationException(
         "customAuthenticator Exception: Invalid user");
  }
}

  • PAM: To enable PAM authentication, configure the settings as follows:
      <property>
      <name>hive.server2.authentication</name>
      <value>PAM</value>
      </property>

      <property>
      <name>hive.server2.authentication.pam.services</name>
      <value>comma-separated-PAM-service-names</value>
      <description>Set this to a list of comma-separated PAM services that
      will be used. Note that a file with the same name as the PAM service
      must exist in /etc/pam.d.</description>
      </property>
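
The following audit script is an added example, not code from the book or from the Hive project. It reads a hive-site.xml and reports an anonymous NONE mode, companion properties missing for the selected mode, and template values left in place. It goes slightly beyond the text by also flagging an LDAP URL without TLS. The function names and the sample configuration are assumptions made for illustration; the property names are the ones listed above.

```python
import xml.etree.ElementTree as ET

P = "hive.server2.authentication"
# Companion properties each mode needs, as listed in the settings above.
REQUIRED = {
    "NONE": [],
    "KERBEROS": [P + ".kerberos.keytab", P + ".kerberos.principal"],
    "LDAP": [P + ".ldap.url"],
    "CUSTOM": ["hive.server2.custom.authentication.class"],
    "PAM": [P + ".pam.services"],
}
PLACEHOLDERS = ("YOUR-REALM.COM", "pluggable-auth-class-name")  # template values

def load_properties(xml_text):
    """Parse Hadoop-style <configuration><property> XML into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return findings for the hiveserver2 authentication settings."""
    props = load_properties(xml_text)
    mode = props.get(P, "NONE").upper()  # NONE is the default when unset
    if mode not in REQUIRED:
        return [f"mode {mode} is not one of the modes covered here"]
    findings = []
    if mode == "NONE":
        findings.append("mode NONE allows anonymous access")
    for name in REQUIRED[mode]:
        value = props.get(name, "")
        if not value:
            findings.append(f"{mode} requires {name}")
        elif any(p in value for p in PLACEHOLDERS):
            findings.append(f"{name} still holds a template value")
    url = props.get(P + ".ldap.url", "").lower()
    if mode == "LDAP" and url.startswith("ldap://"):  # added check, not in the text
        findings.append("ldap:// sends bind passwords without TLS; use ldaps://")
    return findings

# Constructed sample: Kerberos enabled, keytab missing, realm not filled in.
SAMPLE = """<configuration>
<property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
<property><name>hive.server2.authentication.kerberos.principal</name>
<value>hive/_HOST@YOUR-REALM.COM</value></property>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Running the audit against the deployed hive-site.xml before each hiveserver2 restart catches a fallback to NONE when the authentication property is dropped during an edit.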