Secure HiveServer using LDAP
You can secure the remote client connection to Hive by configuring HiveServer to use authentication with LDAP.
- Add the following properties to the hive-site.xml file to set the server authentication mode to LDAP.
  <property>
    <name>hive.server2.authentication</name>
    <value>LDAP</value>
  </property>
  <property>
    <name>hive.server2.authentication.ldap.url</name>
    <value>LDAP_URL</value>
  </property>
  LDAP_URL is the access URL for your LDAP server. For example, ldap://ldap_host_name@xyz.com:389
- Add additional properties to the hive-site.xml file, depending on your LDAP service type.
  - Active Directory (AD)
  - Other LDAP service types, such as OpenLDAP
  AD:
  <property>
    <name>hive.server2.authentication.ldap.Domain</name>
    <value>AD_Domain</value>
  </property>
  Where AD_Domain is the domain name of the AD server. For example, corp.domain.com
  Other LDAP service types:
  <property>
    <name>hive.server2.authentication.ldap.baseDN</name>
    <value>LDAP_BaseDN</value>
  </property>
  Where LDAP_BaseDN is the base LDAP distinguished name for your LDAP server. For example, ou=dev, dc=xyz, dc=com
- Test the LDAP authentication by using the Beeline client.
  - If the HiveServer transport mode is binary (hive.server2.transport.mode=binary), use the following syntax:
    beeline> !connect jdbc:hive2://node1:<port>/default
  - If the HiveServer2 transport mode is HTTP (hive.server2.transport.mode=http) and the Thrift path is cliservice (hive.server2.thrift.http.path=cliservice), use the following syntax:
    beeline> !connect jdbc:hive2://node1:<port>/default;transportMode=http;httpPath=cliservice
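A pre-deployment check for the steps above, as an added example that is not part of the original documentation: it parses a hive-site.xml and reports LDAP settings that are missing or still hold the template values. The ldap:// versus ldaps:// check, the helper names and the example.com sample values are assumptions added here, not taken from this page.

```python
import xml.etree.ElementTree as ET

PREFIX = "hive.server2.authentication"
# Template values from the steps above that must be replaced before use.
PLACEHOLDERS = {"LDAP_URL", "AD_Domain", "LDAP_BaseDN"}

def load_props(xml_text):
    """Return {name: value} for every <property> element in hive-site.xml."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_ldap(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    props, findings = load_props(xml_text), []
    if props.get(PREFIX, "").upper() != "LDAP":
        findings.append("hive.server2.authentication is not LDAP")
    url = props.get(PREFIX + ".ldap.url", "")
    if not url or url in PLACEHOLDERS:
        findings.append("ldap.url is missing or still a placeholder")
    else:
        for u in url.split():  # check each URL if several are listed
            scheme = u.split("://", 1)[0].lower()
            if scheme == "ldap":
                findings.append("ldap:// URL is not TLS-protected: " + u)
            elif scheme != "ldaps":
                findings.append("unexpected URL scheme: " + u)
    scope = [props.get(PREFIX + ".ldap." + k, "") for k in ("Domain", "baseDN")]
    if not any(v and v not in PLACEHOLDERS for v in scope):
        findings.append("neither ldap.Domain nor ldap.baseDN is set")
    return findings

def site(url, key, value):
    """Build a constructed hive-site.xml for the demo (not from a real cluster)."""
    rows = {PREFIX: "LDAP", PREFIX + ".ldap.url": url, PREFIX + ".ldap." + key: value}
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>"
                   for n, v in rows.items())
    return f"<configuration>{body}</configuration>"

if __name__ == "__main__":
    for xml in (site("ldap://ldap.example.com:389", "baseDN", "ou=dev,dc=example,dc=com"),
                site("ldaps://ldap.example.com:636", "Domain", "corp.example.com"),
                site("LDAP_URL", "Domain", "AD_Domain")):
        print(audit_ldap(xml) or "no findings")
```

Run it against the real file by passing the contents of hive-site.xml to audit_ldap() before restarting HiveServer.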