Securing Apache Hive
Also available as:
PDF

Connections to Apache Hive

You can use Beeline, a JDBC, or an ODBC connection to HiveServer.

HiveServer modes of operation

HDP 3.0 supports a number of modes for interacting with Hive, including Ranger-based authorization.

Table 1. HiveServer modes of operation
Operating Mode Description

Embedded

The Beeline client and the Hive installation reside on the same host machine. No TCP connectivity is required.

Remote

Use remote mode to support multiple, concurrent clients executing queries against the same remote Hive installation. Remote transport mode supports authentication with LDAP and Kerberos. It also supports encryption with SSL. TCP connectivity is required.

Transport Modes

As administrator, you can start HiveServer in one of the following transport modes:

Table 2. HiveServer2 Transport Modes
Transport Mode Description

TCP

HiveServer uses TCP transport for sending and receiving Thrift RPC messages.

HTTP

HiveServer uses HTTP transport for sending and receiving Thrift RPC messages.

Authentication in HiveServer

While running in TCP transport mode, HiveServer supports the following authentication schemes:

Table 3. Authentication Schemes with TCP Transport Mode
Authentication Scheme Description

Kerberos

A network authentication protocol which operates that uses the concept of 'tickets' to allow nodes in a network to securely identify themselves. Administrators must specify hive.server2.authentication=kerberos in the hive-site.xml configuration file to use this authentication scheme.

LDAP

The Lightweight Directory Access Protocol, an application-layer protocol that uses the concept of 'directory services' to share information across a network. Administrators must specify hive.server2.authentication=ldap in the hive-site.xml configuration file to use this type of authentication.

PAM

Pluggable Authentication Modules, or PAM, allow administrators to integrate multiple authentication schemes into a single API. Administrators must specify hive.server2.authentication=pam in the hive-site.xml configuration file to use this authentication scheme.

Custom

Authentication provided by a custom implementation of the org.apache.hive.service.auth.PasswdAuthenticationProvider interface. The implementing class must be available in the classpath for HiveServer and its name provided as the value of the hive.server2.custom.authentication.class property in the hive-site.xml configuration property file.

None

The Beeline client performs no authentication with HiveServer2. Administrators must specify hive.server2.authentication=none in the hive-site.xml configuration file to use this authentication scheme.