9. Configuring HiveServer2 for LDAP and for LDAP over SSL

HiveServer2 supports authentication with LDAP and LDAP over SSL (LDAPS):

 To configure HiveServer2 to use LDAP:

  1. Add the following properties to the hive-site.xml file to set the server authentication mode to LDAP:

    <property>
         <name>hive.server2.authentication</name>
         <value>LDAP</value>
    </property>
    
    <property>
         <name>hive.server2.authentication.ldap.url</name>
         <value>LDAP_URL</value>
    </property>

    Where LDAP_URL is the URL of your LDAP server, in the form ldap://host:port. For example, ldap://ldap_host_name.xyz.com:389 (a URL with an '@' before the host is not valid here; the URL carries no user information). With a plain ldap:// URL HiveServer2 performs a simple bind, so each user's password crosses the network in cleartext between HiveServer2 and the directory. For production deployments use the LDAPS procedure in the next section.

  2. Depending on whether or not you use Microsoft Active Directory as your directory service, add the following additional properties to the hive-site.xml file:

    • Other LDAP service types including OpenLDAP:

      <property>
           <name>hive.server2.authentication.ldap.baseDN</name>
           <value>LDAP_BaseDN</value>
      </property>

      Where LDAP_BaseDN is the base distinguished name under which HiveServer2 looks for user entries. For example, ou=dev,dc=xyz,dc=com. Users whose entries are outside this subtree cannot authenticate.

    • Active Directory (AD):

      <property>
           <name>hive.server2.authentication.ldap.Domain</name>
           <value>AD_Domain</value>
      </property>

      Where AD_Domain is the DNS name of the AD domain, for example corp.domain.com. HiveServer2 binds to AD with the user principal name formed as user@AD_Domain.

  3. Test the LDAP authentication. For example, if you are using the Beeline client, type the following commands at the Beeline prompt:

    beeline> !connect jdbc:hive2://node1:<port>/default;user=<LDAP_USERID>;password=<LDAP_PASSWORD>

    Session variables in a Hive JDBC URL are separated by semicolons, not colons. Beeline may prompt for the user ID and password a second time; enter the same values to complete the connection. A wrong password or an unknown user fails at this point with an authentication error, before any query is sent.

 To configure HiveServer2 to use LDAP over SSL (LDAPS):

To enable Hive and the Beeline client to use LDAPS, perform the following actions.

Note:

Two types of certificates can be used for LDAP over SSL with HiveServer2:

  • CA Certificates, which are digital certificates that are signed by a Certificate Authority (CA).

  • Self-signed certificates.

  1. Configure your server for LDAP as described in Steps 1 and 2 in the previous section, "To configure HiveServer2 to use LDAP," but set hive.server2.authentication.ldap.url to an ldaps:// URL, for example ldaps://ldap_host_name.xyz.com:636. Only the scheme and port change; the baseDN or Domain setting stays as before.

  2. Depending on which type of certificate you are using, perform one of the following actions:

    • CA certificate:

      If the LDAP server's certificate is signed by a public CA whose root certificate ships in the default Java trustStore, ${JAVA_HOME}/jre/lib/security/cacerts, nothing needs to be imported. If the signing CA is not present there (an internal enterprise CA, for example), import the CA certificate into the Java cacerts trustStore on every node that runs HiveServer2 using the following command. The default password of the cacerts file is changeit; use the actual password if it has been changed.

      keytool -import -trustcacerts -alias <MyHiveLdaps> \
        -storepass <password> -noprompt -file <myCert>.pem \
        -keystore ${JAVA_HOME}/jre/lib/security/cacerts

      If you want to import the CA certificate into another trustStore location, replace ${JAVA_HOME}/jre/lib/security/cacerts with the trustStore location that you want to use.

    • Self-signed certificate:

      If the LDAP server presents a self-signed certificate, you must import that certificate itself into the Java trustStore, because no CA vouches for it. Confirm the certificate's fingerprint with the directory administrator out of band before importing it: whatever you import is trusted for every TLS connection made with that trustStore. For example, to import the certificate into a trustStore at /etc/pki/java/cacerts, use the following command:

      keytool -import -trustcacerts -alias <MyHiveLdaps> \
        -storepass <password> -noprompt -file <myCert>.pem \
        -keystore /etc/pki/java/cacerts

  3. If your trustStore is not ${JAVA_HOME}/jre/lib/security/cacerts, you must set the HADOOP_OPTS environment variable to point to your trustStore so that the JVM loads it, and the CA certificate in it, when the HDP services start.

    Note:

    There is no need to modify the hadoop-env template if you use the default Java trustStore of ${JAVA_HOME}/jre/lib/security/cacerts.

    To set this in Ambari:

    1. In the list of services on the left, click HDFS.

    2. Select the Configs tab.

    3. On the Configs tab page, select the Advanced tab.

    4. Scroll down, and expand the Advanced hadoop-env section.

    5. Add the following configuration information to the hadoop-env template text box:

      export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true \
        -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts \
        -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"

      Every option must start with -D (a typo such as =D is silently ignored by the JVM, and the trustStore is then not loaded). Replace changeit, the default password of a Java cacerts file, with the password of your trustStore if it differs.

    6. Click Save.

  4. Restart the HDFS and Hive services.

    To restart these services in Ambari:

    1. Click the service name on the left margin of the page.

    2. On the service page, click Service Actions.

    3. Choose Restart All.

    For more information about restarting components in Ambari, see "Managing Services" in the Ambari User's Guide.

  5. Test the LDAPS authentication. For example, if you are using the Beeline client, type the following commands at the Beeline prompt:

    beeline>!connect jdbc:hive2://node1:10000/default

    The Beeline client prompts for the user ID and password; enter them to complete the connection. If the JVM does not trust the LDAP server's certificate, the connection fails with an authentication error even though the credentials are correct; in that case re-check the trustStore import in Step 2 and the HADOOP_OPTS setting in Step 3.
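    The following script is an added example for this page; it is not part of HDP, Ambari or Hive. It reads the hive-site.xml properties from both procedures above (the LDAP section and the LDAPS section) plus the HADOOP_OPTS line from the hadoop-env template, and reports the settings a reviewer would flag: a plain ldap:// URL, user information before an '@' in the URL, a missing baseDN or Domain, and a non-default trustStore set without its password. The two hive-site.xml fragments and the hadoop-env line are constructed samples; host names, DNs and the trustStore path are placeholders.

```python
"""Sanity-check HiveServer2 LDAP / LDAPS settings from hive-site.xml and the
HADOOP_OPTS line in hadoop-env.

Added example for this page, not part of HDP, Ambari or Hive. Sample
configuration below is constructed; hosts, DNs and paths are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

AUTH = "hive.server2.authentication"
URL = "hive.server2.authentication.ldap.url"
BASEDN = "hive.server2.authentication.ldap.baseDN"
DOMAIN = "hive.server2.authentication.ldap.Domain"


def parse_hive_site(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def parse_hadoop_opts(env_text):
    """Return the -Dname=value system properties set in an
    export HADOOP_OPTS="..." line. A mistyped '=D' option is not matched,
    which mirrors the JVM ignoring it."""
    m = re.search(r'HADOOP_OPTS="([^"]*)"', env_text)
    if not m:
        return {}
    return dict(re.findall(r'-D([\w.]+)=([^\s"]+)', m.group(1)))


def check_ldap_config(props, hadoop_opts=None):
    """Return a list of findings (strings). An empty list means the settings
    match the LDAPS procedure: LDAP auth, ldaps:// URL without user info,
    baseDN or Domain set, and any non-default trustStore given with its
    password."""
    findings = []
    hadoop_opts = hadoop_opts or {}

    auth = props.get(AUTH, "NONE")  # Hive's default when the property is absent
    if auth.upper() != "LDAP":
        return ["%s is %r; expected LDAP" % (AUTH, auth)]

    url = props.get(URL, "")
    if not url:
        return ["%s is missing" % URL]
    parts = urlsplit(url)
    if parts.scheme == "ldap":
        findings.append("ldap:// URL: the simple bind sends user passwords "
                        "in cleartext; use ldaps://")
    elif parts.scheme != "ldaps":
        findings.append("unexpected scheme %r in %s" % (parts.scheme, URL))
    if parts.username is not None:
        findings.append("LDAP URL carries user info before '@'; "
                        "use ldap(s)://host:port")

    if not (props.get(BASEDN) or props.get(DOMAIN)):
        findings.append("neither %s (OpenLDAP and others) nor %s "
                        "(Active Directory) is set" % (BASEDN, DOMAIN))

    # A missing trustStore option is fine: the default cacerts is used then.
    if parts.scheme == "ldaps" and "javax.net.ssl.trustStore" in hadoop_opts \
            and "javax.net.ssl.trustStorePassword" not in hadoop_opts:
        findings.append("javax.net.ssl.trustStore is set in HADOOP_OPTS "
                        "without javax.net.ssl.trustStorePassword")
    return findings


# Constructed sample: a first attempt at the plain-LDAP configuration.
WEAK_HIVE_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name>
            <value>ldap://ldap_host_name@xyz.com:389</value></property>
</configuration>"""

# Constructed sample: the same site after following the LDAPS procedure.
LDAPS_HIVE_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name>
            <value>ldaps://ldap_host_name.xyz.com:636</value></property>
  <property><name>hive.server2.authentication.ldap.baseDN</name>
            <value>ou=dev,dc=xyz,dc=com</value></property>
</configuration>"""

# Constructed sample of the hadoop-env template line for a non-default trustStore.
HADOOP_ENV = '''export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true \\
  -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts \\
  -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"'''


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_HIVE_SITE), ("ldaps", LDAPS_HIVE_SITE)):
        result = check_ldap_config(parse_hive_site(xml_text),
                                   parse_hadoop_opts(HADOOP_ENV))
        print(label, "->", result or "OK")
```

    Run it against the real /etc/hive/conf/hive-site.xml and the saved hadoop-env template before restarting the services; the weak sample yields three findings (cleartext bind, '@' in the URL, no baseDN or Domain) and the LDAPS sample none.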

Note:

  • Components such as Apache Knox and Apache Ranger do not read the hadoop-env template. Their own configuration files must point at a trustStore that holds the LDAP server's certificate for LDAPS, and those components must be restarted manually.

  • Ambari Hive View does not work with LDAP or LDAPS.