Hive Authentication

HiveServer supports authentication of clients using Kerberos or user/password validation backed by LDAP.

If you configure HiveServer to use Kerberos authentication, HiveServer acquires a Kerberos ticket during startup. HiveServer requires a principal and keytab file specified in the configuration. Client applications (for example, JDBC or Beeline) must have a valid Kerberos ticket before initiating a connection to HiveServer2. JDBC-based clients must include principal=<hive.server2.authentication.principal> in the JDBC connection string. For example:
String url = "jdbc:hive2://node1:10000/default;principal=hive/HiveServerHost@YOUR-REALM.COM"
Connection con = DriverManager.getConnection(url);
where hive is the principal configured in hive-site.xml and HiveServerHost is the host where HiveServer is running.

To start Beeline and connect to a secure HiveServer, enter a command as shown in the following example:

beeline -u "jdbc:hive2://;principal=hive/_HOST@CLOUDERA.SITE"

In CDP Private Cloud Base, under certain circumstances, you can query remote clusters that use a different version of Hive than the version installed on your cluster. You can query the data on the remote cluster and include WRITE operations from the local cluster.

Examples of Supported Queries

CREATE TABLE orders_ctas AS SELECT * FROM orders_ext;
INSERT INTO orders_ctas SELECT * FROM orders_ext;
INSERT OVERWRITE TABLE orders_ctas SELECT * FROM orders_ext;