Pluggable authentication modules in HiveServer

While running in TCP transport mode, HiveServer supports Pluggable Authentication Modules (PAM). Using Pluggable Authentication Modules, you can integrate multiple authentication schemes into a single API.

You use the Cloudera Manager Safety Valve technique on HIVE_ON_TEZ-1 > Configuration to set the following properties:

  • hive.server2.authentication

    Value = CUSTOM

  • hive.server2.custom.authentication.class

    Value = <the pluggable auth class name>

The class you provide must be a proper implementation of the org.apache.hive.service.auth.PasswdAuthenticationProvider. HiveServer calls its Authenticate(user, passed) method to authenticate requests. The implementation can optionally extend the Hadoop's org.apache.hadoop.conf.Configured class to grab the Hive Configuration object.