Securing Apache Hive

Secure HiveServer using LDAP over SSL

You can secure the remote client connection to Hive by configuring HiveServer to use authentication with LDAP over SSL (LDAPS).

Two types of certificates can be used for LDAP over SSL with HiveServer2:

  • CA Certificates, which are digital certificates that are signed by a Certificate Authority (CA)

  • Self-signed certificates

  1. Add the LDAP authentication property and URL property to the hive-site.xml file to set the server authentication mode to LDAP:
    <property>
      <name>hive.server2.authentication</name>
      <value>LDAP</value>
    </property>

    <property>
      <name>hive.server2.authentication.ldap.url</name>
      <value>LDAP_URL</value>
    </property>

    The LDAP_URL is the access URL for your LDAP server. For example, ldap://ldap_host_name@xyz.com:389.

  2. Add additional properties to the hive-site.xml file:
    • If you use Active Directory (AD):
      <property>
        <name>hive.server2.authentication.ldap.Domain</name>
        <value>AD_Domain</value>
      </property>

      Where AD_Domain is the domain name of the AD server. For example, corp.domain.com.

    • If you use other LDAP service types including OpenLDAP:
      <property>
        <name>hive.server2.authentication.ldap.baseDN</name>
        <value>LDAP_BaseDN</value>
      </property>

      Where LDAP_BaseDN is the base LDAP distinguished name for your LDAP server. For example, ou=dev, dc=xyz, dc=com.

  3. Depending on which type of certificate you are using, perform one of the following actions:
    • CA certificate: If you are using a certificate that is signed by a CA, the certificate is already included in the default Java trustStore located at ${JAVA_HOME}/jre/lib/security/cacerts on all of your nodes. If the CA certificate is not present, you must import it into your Java cacert trustStore using the following command:
      keytool -import -trustcacerts -alias <MyHiveLdaps> -storepass <password> -noprompt -file <myCert>.pem -keystore ${JAVA_HOME}/jre/lib/security/cacerts
      If you want to import the CA certificate into another trustStore location, replace ${JAVA_HOME}/jre/lib/security/cacerts with the cacert location that you want to use.
    • Self-signed certificate: If you are using a self-signed digital certificate, you must import it into your Java cacert trustStore. For example, if you want to import the certificate to a Java cacert location of /etc/pki/java/cacerts, use the following command to import your self-signed certificate:
      keytool -import -trustcacerts -alias <MyHiveLdaps> -storepass <password> -noprompt -file <myCert>.pem -keystore /etc/pki/java/cacerts
  4. If your trustStore is not ${JAVA_HOME}/jre/lib/security/cacerts, you must set the HADOOP_OPTS environment variable to point to your CA certificate so that the certificate loads when the HDP platform loads. There is no need to modify the hadoop-env template if you use the default Java trustStore of ${JAVA_HOME}/jre/lib/security/cacerts.
    1. In Ambari, in the list of services on the left, click HDFS.
    2. On the Configs tab, select Advanced.
    3. Scroll down, and expand the Advanced hadoop-env section.
    4. Add the configuration information to the hadoop-env template text box.
      export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true \
                          -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts \
                          -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"
    5. Click Save.
  5. Restart the HDFS and Hive services.
  6. Test the LDAPS authentication.
    beeline>!connect jdbc:hive2://node1:10000/default
    The Beeline client prompts for the user ID and password.
    Components such as Apache Knox and Apache Ranger do not use the hadoop-env.sh template. The configuration files for these components must be set for LDAPS and manually restarted.