Secure HiveServer using LDAP over SSL
You can secure the remote client connection to Hive by configuring HiveServer to use authentication with LDAP over SSL (LDAPS).
Two types of certificates can be used for LDAP over SSL with HiveServer2:
- CA certificates, which are digital certificates that are signed by a Certificate Authority (CA)
- Self-signed certificates
- Add the LDAP authentication property and URL property to the hive-site.xml file to set the server authentication mode to LDAP:

      <property>
        <name>hive.server2.authentication</name>
        <value>LDAP</value>
      </property>
      <property>
        <name>hive.server2.authentication.ldap.url</name>
        <value>LDAP_URL</value>
      </property>

  The LDAP_URL is the access URL for your LDAP server. For example, ldap://ldap_host_name@xyz.com:389.
- Add additional properties to the hive-site.xml file:
  - If you use Active Directory (AD):

        <property>
          <name>hive.server2.authentication.ldap.Domain</name>
          <value>AD_Domain</value>
        </property>

    Where AD_Domain is the domain name of the AD server. For example, corp.domain.com.
  - If you use other LDAP service types, including OpenLDAP:

        <property>
          <name>hive.server2.authentication.ldap.baseDN</name>
          <value>LDAP_BaseDN</value>
        </property>

    Where LDAP_BaseDN is the base LDAP distinguished name for your LDAP server. For example, ou=dev, dc=xyz, dc=com.
- Depending on which type of certificate you are using, perform one of the following actions:
  - CA certificate: If you are using a certificate that is signed by a CA, the certificate is already included in the default Java trustStore located at ${JAVA_HOME}/jre/lib/security/cacerts on all of your nodes. If the CA certificate is not present, you must import the certificate to your Java cacert trustStore using the following command:

        keytool -import -trustcacerts -alias <MyHiveLdaps> -storepass <password> -noprompt -file <myCert>.pem -keystore ${JAVA_HOME}/jre/lib/security/cacerts

    If you want to import the CA certificate into another trustStore location, replace ${JAVA_HOME}/jre/lib/security/cacerts with the cacert location that you want to use.
  - Self-signed certificate: If you are using a self-signed digital certificate, you must import it into your Java cacert trustStore. For example, if you want to import the certificate to a Java cacert location of /etc/pki/java/cacerts, use the following command to import your self-signed certificate:

        keytool -import -trustcacerts -alias <MyHiveLdaps> -storepass <password> -noprompt -file <myCert>.pem -keystore /etc/pki/java/cacerts
- If your trustStore is not ${JAVA_HOME}/jre/lib/security/cacerts, you must set the HADOOP_OPTS environment variable to point to your CA certificate so that the certificate loads when the HDP platform loads. There is no need to modify the hadoop-env template if you use the default Java trustStore of ${JAVA_HOME}/jre/lib/security/cacerts.
  - In Ambari, in the list of services on the left, click HDFS.
  - On the Configs tab, select Advanced.
  - Scroll down, and expand the Advanced hadoop-env section.
  - Add the configuration information to the hadoop-env template text box:

        export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"

  - Click Save.
  - Restart the HDFS and Hive services.
- Test the LDAPS authentication:

      beeline>!connect jdbc:hive2://node1:10000/default

  The Beeline client prompts for the user ID and password.

Components such as Apache Knox and Apache Ranger do not use the hadoop-env.sh template. The configuration files for these components must be set for LDAPS and manually restarted.
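As an added example that is not part of this documentation page or of Hive itself, the following Python check validates the hive-site.xml properties and the HADOOP_OPTS trustStore path set in the steps above before the services are restarted. The two hive-site.xml fragments are constructed samples, and the check assumes the intended URL scheme is ldaps://.

```python
import os
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

AUTH_KEY = "hive.server2.authentication"
URL_KEY = "hive.server2.authentication.ldap.url"
DOMAIN_KEY = "hive.server2.authentication.ldap.Domain"
BASEDN_KEY = "hive.server2.authentication.ldap.baseDN"
TRUSTSTORE_RE = re.compile(r"-Djavax\.net\.ssl\.trustStore=(\S+)")

# Constructed hive-site.xml fragments for this demo (not from any real cluster).
SAMPLE_PLAIN_LDAP = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name><value>ldap://ldap.xyz.com:389</value></property>
</configuration>"""
SAMPLE_LDAPS = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name><value>ldaps://ldap.xyz.com:636</value></property>
  <property><name>hive.server2.authentication.ldap.baseDN</name><value>ou=dev,dc=xyz,dc=com</value></property>
</configuration>"""


def parse_hive_site(xml_text):
    """Return {name: value} from the Hadoop-style <property> elements."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def check_ldap_config(props, hadoop_opts=""):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    if props.get(AUTH_KEY) != "LDAP":
        findings.append(f"{AUTH_KEY} must be LDAP, found {props.get(AUTH_KEY)!r}")
    url = props.get(URL_KEY, "")
    if urlsplit(url).scheme != "ldaps":
        # Missing or plain ldap:// URL: bind credentials would cross the wire in clear text.
        findings.append(f"{URL_KEY} is {url!r}; expected an ldaps:// URL")
    if not (props.get(DOMAIN_KEY) or props.get(BASEDN_KEY)):
        findings.append(f"set {DOMAIN_KEY} (AD) or {BASEDN_KEY} (OpenLDAP and others)")
    # A trustStore named in HADOOP_OPTS must be a readable file on every node.
    m = TRUSTSTORE_RE.search(hadoop_opts)
    if m and not os.path.isfile(m.group(1)):
        findings.append(f"trustStore {m.group(1)} from HADOOP_OPTS is not a file")
    return findings
```

Run it against the real hive-site.xml and the HADOOP_OPTS line from the hadoop-env template on each node; any finding means Beeline logins will either fail or fall back to an unencrypted bind.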