Configuring HiveServer2 for LDAP and for LDAP over SSL
HiveServer2 supports authentication with LDAP and LDAP over SSL (LDAPS). The following topics cover configuration:
To configure HiveServer2 to use LDAP
To configure HiveServer2 to use LDAP over SSL (LDAPS)
To configure HiveServer2 to use LDAP:
Add the following properties to the
hive-site.xml
file to set the server authentication mode to LDAP:<property> <name>hive.server2.authentication</name> <value>LDAP</value> </property> <property> <name>hive.server2.authentication.ldap.url</name> <value>LDAP_URL</value> </property>
Where
LDAP_URL
is the access URL for your LDAP server. For example,ldap://ldap_host_name@xyz.com:389
.Depending on whether or not you use Microsoft Active Directory as your directory service, add the following additional properties to the
hive-site.xml
file:Other LDAP service types including OpenLDAP:
<property> <name>hive.server2.authentication.ldap.baseDN</name> <value>LDAP_BaseDN</value> </property>
Where
LDAP_BaseDN
is the base LDAP distinguished name for your LDAP server. For example,ou=dev, dc=xyz, dc=com
.Active Directory (AD):
<property> <name>hive.server2.authentication.ldap.Domain</name> <value>AD_Domain</value> </property>
Where
AD_Domain
is the domain name of the AD server. For example,corp.domain.com
.
Test the LDAP authentication. For example, if you are using the Beeline client, type the following commands at the Beeline prompt:
beeline>!connect jdbc:hive2://node1:<port>/default
The Beeline client prompts for the user ID and password.
To configure HiveServer2 to use LDAP over SSL (LDAPS):
To enable Hive and the Beeline client to use LDAPS, perform the following actions.
Note | |
---|---|
Two types of certificates can be used for LDAP over SSL with HiveServer2:
|
Add the following properties to the
hive-site.xml
file to set the server authentication mode to LDAP:<property> <name>hive.server2.authentication</name> <value>LDAP</value> </property> <property> <name>hive.server2.authentication.ldap.url</name> <value>LDAP_URL</value> </property>
Where
LDAP_URL
is the access URL for your LDAP server. For example,ldap://ldap_host_name@xyz.com:389
.Depending on whether or not you use Microsoft Active Directory as your directory service, add the following additional properties to the
hive-site.xml
file:Other LDAP service types including OpenLDAP:
<property> <name>hive.server2.authentication.ldap.baseDN</name> <value>LDAP_BaseDN</value> </property>
Where
LDAP_BaseDN
is the base LDAP distinguished name for your LDAP server. For example,ou=dev, dc=xyz, dc=com
.Active Directory (AD):
<property> <name>hive.server2.authentication.ldap.Domain</name> <value>AD_Domain</value> </property>
Where
AD_Domain
is the domain name of the AD server. For example,corp.domain.com
.
Depending on which type of certificate you are using, perform one of the following actions:
CA certificate:
If you are using a certificate that is signed by a CA, the certificate is already included in the default Java trustStore located at
${JAVA_HOME}/jre/lib/security/cacerts
on all of your nodes. If the CA certificate is not present, you must import the certificate to your Javacacert
trustStore using the following command:keytool -import -trustcacerts -alias <MyHiveLdaps> -storepass <password> -noprompt -file <myCert>.pem -keystore ${JAVA_HOME}/jre/lib/security/cacerts
If you want to import the CA certificate into another trustStore location, replace
${JAVA_HOME}/jre/lib/security/cacerts
with thecacert
location that you want to use.Self-signed certificate:
If you are using a self-signed digital certificate, you must import it into your Java
cacert
trustStore. For example, if you want to import the certificate to a Javacacert
location of/etc/pki/java/cacerts
, use the following command to import your self-signed certificate:keytool -import -trustcacerts -alias <MyHiveLdaps> -storepass <password> -noprompt -file <myCert>.pem -keystore /etc/pki/java/cacerts
If your trustStore is not
${JAVA_HOME}/jre/lib/security/cacerts
, you must set theHADOOP_OPTS
environment variable to point to your CA certificate so that the certificate loads when the HDP platform loads.Note There is no need to modify the
hadoop-env
template if you use the default Java trustStore of${JAVA_HOME}/jre/lib/security/cacerts
.To set this in Ambari:
In the list of services on the left, click HDFS.
Select the Configs tab.
On the Configs tab page, select the Advanced tab.
Scroll down, and expand the Advanced hadoop-env section.
Add the following configuration information to the hadoop-env template text box:
export HADOOP_OPTS="-Djava_net_preferIPv4Stack=true -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"
Click Save.
Restart the HDFS and Hive services.
To restart these services in Ambari:
Click the service name on the left margin of the page.
On the service page, click Service Actions.
Choose Restart All.
For more information about restarting components in Ambari, see "Managing Services" in the Ambari User's Guide.
Test the LDAPS authentication. For example, if you are using the Beeline client, type the following commands at the Beeline prompt:
beeline>!connect jdbc:hive2://node1:10000/default
The Beeline client prompts for the user ID and password.
Note | |
---|---|
|