This is documentation for MapR Version 5.0. You can also refer to MapR documentation for the latest release.

You can configure authentication for inbound client connections to HiveServer2. Clients of HiveServer2 include Beeline and ODBC/JDBC client applications.

Credentials are submitted from the HiveServer2 clients to HiveServer2 as plain text. To secure the credential transmission, MapR supports SSL encryption for HiveServer2. For information about how to configure encryption, see Hive Encryption.

HiveServer2 supports the following authentication methods:

MapR-SASL Authentication

MapR-SASL is available starting with the 1504 release of Hive 0.13 and Hive 1.0. However, the configuration requirements for MapR-SASL differ based on the version of Hive that you have installed:

  • As of Hive 0.13-1510, Hive 1.0-1510, and Hive 1.2-1510, MapR-SASL and PAM are enabled by default on a secure cluster; no configuration is required. Complete the steps below if you want HiveServer2 to only accept MapR-SASL authentication.
  • In Hive 0.13-1508 and Hive 1.0-1508, MapR-SASL is not the default and must be configured. 
  • In Hive 0.13-1504 and Hive 1.0-1504, MapR-SASL is the default authentication method when the cluster is secure. No configuration is required.
  1. Configure the following property in hive-site.xml on each node where HiveServer2 is installed: 

    Property                       Value
    hive.server2.authentication    MAPRSASL

  2. Restart HiveServer2 to apply these changes. 

LDAP Authentication using OpenLDAP 

  1. Configure the following properties in the hive-site.xml file on each node where HiveServer2 is installed: 

    Property                                   Value
    hive.server2.authentication                LDAP
    hive.server2.authentication.ldap.url       <The access URL for your LDAP server>
    hive.server2.authentication.ldap.baseDN    <The base LDAP DN for your LDAP server. For example, ou=People,dc=mycompany,dc=com.>
  2. Restart HiveServer2 to apply these changes. 

Pluggable Access Modules (PAM) Authentication 

The configuration requirements for PAM differ based on the version of Hive that you have installed:

  • As of Hive 0.13-1501, Hive 1.0-1510, and Hive 1.2-1510, MapR-SASL and PAM are enabled by default on a secure cluster; no configuration is required. 
  • In Hive 0.13-1508 and Hive 1.0-1508, PAM is the default authentication method for HiveServer2 on a secure cluster; no configuration is required.
  • In Hive 0.13-1504 and Hive 1.0-1504, PAM is not the default authentication method and therefore it requires the following configuration steps.
  1. Configure the following properties in hive-site.xml on the HiveServer2 node:

    Property                                    Value
    hive.server2.authentication                 PAM
    hive.server2.authentication.pam.services    <A comma-separated list of PAM modules>
  2. Restart HiveServer2 to apply these changes. 

Custom Authentication 

You can configure HiveServer2 to use custom authentication.

  1. Create a custom Authenticator class derived from the following interface:

    The attached SampleAuthenticator.java code has an example implementation that has stored usernames and passwords.

  2. Configure the following properties in the hive-site.xml file on each node where HiveServer2 is installed: 

    Property                                    Value
    hive.server2.authentication                 CUSTOM
    hive.server2.custom.authentication.class    <The authentication class name. For example, hive.server2.custom.authentication.class>
  3. Restart HiveServer2 to apply the changes.

Kerberos Authentication  

You can configure HiveServer2 to use Kerberos authentication.

MapR clusters do not provide Kerberos infrastructure. The tips in this section assume a Linux-based Kerberos environment, and the specific commands for your environment may vary. Consult with your Kerberos administrator for assistance.

Configuring HiveServer 2 to use Kerberos

Enabling HiveServer2 to use Kerberos authentication requires the following steps on each node where HiveServer2 is installed:

  1. Create a Kerberos Identity and keytab.
    You can use the following commands in a Linux-based Kerberos environment to set up the identity and update the keytab file:

    The hive.keytab file must be owned and readable only by the mapr user.

     

  2. Configure the following properties in hive-site.xml on each node where HiveServer2 is installed:

    Property                                          Value
    hive.server2.authentication                       KERBEROS
    hive.server2.authentication.kerberos.principal    <HiveServer2 principal. For example, mapr/FQDN@REALM>
    hive.server2.authentication.kerberos.keytab       <The keytab file for the HiveServer2 principal. For example, /opt/mapr/conf/hive.keytab>
  3. Reconfigure the following options in env.sh (/opt/mapr/conf/env.sh) on each node where HiveServer2 is installed:

    Existing Configuration:
        MAPR_HIVE_SERVER_LOGIN_OPTS="-Dhadoop.login=maprsasl_keytab"
        MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=maprsasl"

    Required Configuration:
        MAPR_HIVE_SERVER_LOGIN_OPTS="-Dhadoop.login=hybrid"
        MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=hybrid"

    These settings are listed in the portion of the file that begins with if [ "$MAPR_SECURITY_STATUS" = "true" ];
  4. Restart HiveServer2 to apply these changes.
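
A check you can run before restarting HiveServer2, covering the property tables for every method above and the keytab ownership rule from step 1. This is an added example, not MapR code. The names audit and check_keytab are hypothetical, owner_uid is assumed to be the uid of the mapr user, and hive.server2.use.SSL is the Apache Hive SSL switch, which this page does not name.

```python
import os
import xml.etree.ElementTree as ET

AUTH = "hive.server2.authentication"
REQUIRED = {  # properties each method needs, per the tables on this page
    "MAPRSASL": [],
    "LDAP": [AUTH + ".ldap.url", AUTH + ".ldap.baseDN"],
    "PAM": [AUTH + ".pam.services"],
    "CUSTOM": ["hive.server2.custom.authentication.class"],
    "KERBEROS": [AUTH + ".kerberos.principal", AUTH + ".kerberos.keytab"],
}
PASSWORD_METHODS = {"LDAP", "PAM", "CUSTOM"}  # client submits a password
SSL = "hive.server2.use.SSL"  # Apache Hive property; not named on this page

# Constructed sample: LDAP selected, baseDN missing, SSL not enabled.
SAMPLE = f"""<configuration>
 <property><name>{AUTH}</name><value>LDAP</value></property>
 <property><name>{AUTH}.ldap.url</name><value>ldap://ldap.example.com</value></property>
</configuration>"""

def check_keytab(path, owner_uid):
    """Flag a keytab not owned by owner_uid or accessible to group/other."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat keytab {path}: {exc.strerror}"]
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"keytab {path} owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & 0o077:  # any group/other permission bit set
        findings.append(f"keytab {path} is accessible to group or other")
    return findings

def audit(xml_text, owner_uid):
    """Return findings for hive-site.xml content; an empty list means none."""
    props = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
             for p in ET.fromstring(xml_text).iter("property")}
    method = props.get(AUTH, "")
    if method not in REQUIRED:
        return [f"{AUTH} is {method!r}: unset or not a method covered here"]
    findings = [f"{method} needs {k}" for k in REQUIRED[method] if not props.get(k)]
    if method in PASSWORD_METHODS and props.get(SSL, "").lower() != "true":
        findings.append(f"{method} password is sent in plain text: {SSL} is not true")
    if method == "KERBEROS" and props.get(AUTH + ".kerberos.keytab"):
        findings += check_keytab(props[AUTH + ".kerberos.keytab"], owner_uid)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, os.getuid())))
```

To check a real node, pass the contents of hive-site.xml and the uid of the mapr user to audit.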

Configuring HiveServer 2 Clients to use Kerberos when Authenticating with HiveServer2

  • On each node where HiveServer2 clients (not including Beeline) are installed, reconfigure the following option in env.sh (/opt/mapr/conf/env.sh):

    Existing Configuration:
        MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=maprsasl"

    Required Configuration:
        MAPR_HIVE_LOGIN_OPTS="-Dhadoop.login=hybrid"

    This configuration is listed in the portion of the file that begins with if [ "$MAPR_SECURITY_STATUS" = "true" ];
  • On each node where Beeline is installed, reconfigure the following option in beeline.sh ($hive_home/bin/ext/beeline.sh):

    Existing Configuration:
        HADOOP_OPTS="$HADOOP_OPTS${MAPR_HIVE_LOGIN_OPTS}"

    Required Configuration:
        HADOOP_OPTS="$HADOOP_OPTS${KERBEROS_LOGIN_OPTS}"

For more information, see Connecting to Hive.

The MAPR_HIVE_LOGIN_OPTS and MAPR_HIVE_SERVER_LOGIN_OPTS options were added in the 1504 release of Hive 0.13 and Hive 1.0. If you have Hive 0.13 from a prior release, you do not need to configure these options. Instead, set MAPR_ECOSYSTEM_LOGIN_OPTS and MAPR_ECOSYSTEM_SERVER_LOGIN_OPTS to "-Dhadoop.login=hybrid" in /opt/mapr/conf/env.sh.