Secure HiveServer using LDAP

You can secure the remote client connection to Hive by configuring HiveServer to use authentication with LDAP.

1. Add the following properties to the hive-site.xml file to set the server authentication mode to LDAP.

   <property>
     <name>hive.server2.authentication</name>
       <value>LDAP</value>
   </property>
               
   <property>
    <name>hive.server2.authentication.ldap.url</name>
      <value>LDAP_URL</value>
   </property>

   LDAP_URL is the access URL for your LDAP server. For example, ldap://ldap_host_name@xyz.com:389
2. Add additional properties to the hive-site.xml file, depending on your LDAP service type.
   • Active Directory (AD)
   • Other LDAP service types, such as OpenLDAP
   AD:

   <property>
    <name>hive.server2.authentication.ldap.Domain</name>
       <value>AD_Domain</value>
   </property>

   Where AD_Domain is the domain name of the AD server. For example, corp.domain.com.

   Other LDAP service types:

   <property>
   <name>hive.server2.authentication.ldap.baseDN</name>
      <value>LDAP_BaseDN</value>
   </property>

   Where LDAP_BaseDN is the base LDAP distinguished name for your LDAP server. For example, ou=dev, dc=xyz, dc=com.
3. Test the LDAP authentication by using the Beeline client.
   • If the HiveServer transport mode is binary (hive.server2.transport.mode=binary), use the following syntax:

     beeline>!connect
     jdbc:hive2://node1:<port>/default

   • If the HiveServer2 transport mode is HTTP (hive.server2.transport.mode=http) and the Thrift path is cliservice (hive.server2.thrift.http.path=cliservice), use the following syntax:

     beeline>!connect
     jdbc:hive2://node1:<port>/default;transportMode=http;httpPath=cliservice