hiveserver2 supports multiple authentication modes, such as Kerberos, LDAP, PAM, and customized code. To configure hiveserver2 to use one of these authentication modes, set the corresponding properties in hive-site.xml as follows, and then restart the hiveserver2 service for the change to take effect:
- NONE: This is the default setting. NONE means that anonymous access is allowed, and it is configured with the following setting:
<property> <name>hive.server2.authentication</name> <value>NONE</value> </property>
- KERBEROS: If Kerberos authentication is used, it authenticates between the Thrift client and hiveserver2, and between hiveserver2 and the secured HDFS. To enable Kerberos authentication for hiveserver2, set the following properties, specifying the keytab path and replacing YOUR-REALM.COM with the actual realm name:
<property> <name>hive.server2.authentication</name> <value>KERBEROS</value> </property>
<property> <name>hive.server2.authentication.kerberos.keytab</name> <value>/etc/hive/conf/hive.keytab</value> </property>
<property> <name>hive.server2.authentication.kerberos.principal</name> <value>hive/[email protected]</value> </property>
- LDAP: To configure hiveserver2 to use user and password validation backed by LDAP (see https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol), we can set the following properties:
<property> <name>hive.server2.authentication</name> <value>LDAP</value> </property>
<property> <name>hive.server2.authentication.ldap.url</name> <value>LDAP_URL, such as ldap://[email protected]</value> </property>
<property> <name>hive.server2.authentication.ldap.Domain</name> <value>Domain Name</value> </property>
To configure it with OpenLDAP (https://en.wikipedia.org/wiki/OpenLDAP), we can add the baseDN setting instead of the preceding Domain property, as follows:
<property> <name>hive.server2.authentication.ldap.baseDN</name> <value>LDAP_BaseDN, such as ou=people,dc=packtpub,dc=com</value> </property>
- CUSTOM: This represents the customized authentication provider for hiveserver2. To enable it, configure the settings as follows:
<property> <name>hive.server2.authentication</name> <value>CUSTOM</value> </property>
<property> <name>hive.server2.custom.authentication.class</name> <value>pluggable-auth-class-name</value> <description>Customized authentication class name, such as com.packtpub.hive.essentials.hiveudf.customAuthenticator</description> </property>
The following is a sample of a customized class that implements the org.apache.hive.service.auth.PasswdAuthenticationProvider interface. The overridden Authenticate(...) method has the core logic of how to authenticate a username and password. Make sure to copy the compiled JAR file to $HIVE_HOME/lib/ so that the preceding settings can work:
// customAuthenticator.java
package com.packtpub.hive.essentials.hiveudf;

import java.util.Hashtable;
import javax.security.sasl.AuthenticationException;
import org.apache.hive.service.auth.PasswdAuthenticationProvider;

/*
 * The customized class for hiveserver2 authentication
 */
public class customAuthenticator implements PasswdAuthenticationProvider {

  // Sample in-memory user/password table, filled in by the constructor
  Hashtable<String, String> authHashTable = null;

  public customAuthenticator () {
    authHashTable = new Hashtable<String, String>();
    authHashTable.put("user1", "passwd1");
    authHashTable.put("user2", "passwd2");
  }

  @Override
  public void Authenticate(String user, String password)
    throws AuthenticationException {
    // Accept only when the user exists and the password matches
    String storedPasswd = authHashTable.get(user);
    if (storedPasswd != null && storedPasswd.equals(password))
      return;
    throw new AuthenticationException(
      "customAuthenticator Exception: Invalid user");
  }
}
- PAM: Since Hive v0.13.0, Hive supports PAM (Pluggable Authentication Modules) authentication, which provides the benefit of plugging existing authentication mechanisms into Hive. Configure the following settings to enable PAM authentication. For more information about how to install PAM, please refer to the Setting Up hiveserver2 article in the Hive wiki at https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2#SettingUpHiveServer2-PluggableAuthenticationModules(PAM).
<property> <name>hive.server2.authentication</name> <value>PAM</value> </property>
<property> <name>hive.server2.authentication.pam.services</name> <value>pluggable-auth-class-name</value> <description>Set this to a list of comma-separated PAM services that will be used. Note that a file with the same name as the PAM service must exist in /etc/pam.d.</description> </property>
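The settings above can be checked before restarting the service. The following is an added example, not code from the book or the Hive project: it reads hive-site.xml content and reports, for the five modes described here, anonymous access, properties the selected mode is missing, and PAM services without a file in /etc/pam.d. The names `audit_hive_auth`, `load_properties`, and `SAMPLE`, and the sample principal, are assumptions made for illustration.

```python
import os
import xml.etree.ElementTree as ET

PREFIX = "hive.server2.authentication"
# Properties each mode needs, as listed in the section above.
REQUIRED = {
    "NONE": [],
    "KERBEROS": [PREFIX + ".kerberos.keytab", PREFIX + ".kerberos.principal"],
    "LDAP": [PREFIX + ".ldap.url"],
    "CUSTOM": ["hive.server2.custom.authentication.class"],
    "PAM": [PREFIX + ".pam.services"],
}

def load_properties(xml_text):
    """Return {name: value} from hive-site.xml style <property> elements."""
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def audit_hive_auth(xml_text, pam_dir="/etc/pam.d"):
    """Return a list of findings for the hiveserver2 authentication settings."""
    props = load_properties(xml_text)
    mode = props.get(PREFIX, "NONE").upper()  # unset means the default, NONE
    if mode not in REQUIRED:
        return ["mode " + mode + " is not one of the modes described here"]
    findings = []
    if mode == "NONE":
        findings.append("NONE: anonymous access is allowed")
    for name in REQUIRED[mode]:
        if not props.get(name):
            findings.append(mode + ": missing " + name)
    if mode == "LDAP" and not (props.get(PREFIX + ".ldap.Domain")
                               or props.get(PREFIX + ".ldap.baseDN")):
        findings.append("LDAP: set ldap.Domain or ldap.baseDN")
    if mode == "PAM":
        for svc in props.get(PREFIX + ".pam.services", "").split(","):
            svc = svc.strip()
            if svc and not os.path.isfile(os.path.join(pam_dir, svc)):
                findings.append("PAM: no file in " + pam_dir + " for " + svc)
    return findings

# Constructed sample: KERBEROS selected but the keytab property was left out.
SAMPLE = """<configuration>
<property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
<property><name>hive.server2.authentication.kerberos.principal</name>
<value>hive/host.example.com@EXAMPLE.COM</value></property>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(audit_hive_auth(SAMPLE)))
```

An empty result means the selected mode has every property this section lists; it does not validate the values themselves, such as whether the keytab is readable or the LDAP URL is reachable.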