Securing HiveServer using LDAP

You can secure the remote client connection to Hive by configuring HiveServer to use authentication with LDAP.

When you configure HiveServer to use user and password validation backed by LDAP, the Hive client sends a username and password during connection initiation. HiveServer validates these credentials using an external LDAP service. You can enable LDAP Authentication with HiveServer using Active Directory or OpenLDAP.
  1. In Cloudera Manager, select Hive-on-Tez > Configuration .
  2. Search for ldap.
  3. Check Enable LDAP Authentication for HiveServer2 for Hive (Service Wide).
  4. Enter your LDAP URL in the format ldap[s]://<host>:<port>.
    LDAP_URL is the access URL for your LDAP server. For example, ldap://ldap_host_name.xyz.com:389
  5. Enter the Active Directory Domain or LDAP Base DN for your environment.
    • Active Directory (AD)
    • LDAP_BaseDN
    Enter the domain name of the AD server. For example, corp.domain.com.
    Enter the base LDAP distinguished name (DN) for your LDAP server. For example, ou=dev, dc=xyz.
  6. Click Save Changes.
  7. Restart the Hive service.
  8. Construct the LDAP connection string to connect to HiveServer.
    The following simple example is insecure because it sends clear text passwords.
    String URL = "jdbc:hive2://node1:10000/default;user=LDAP_Userid;password=LDAP_Password" 
    Connection con = DriverManager.getConnection(url); 

    The following example shows a secure connection string that uses encrypted passwords.

    String url ="jdbc:hive2://node1:10000/default;ssl=true;sslTrustStore=/mytruststore_path;trustStorePassword=my_truststore_password"
    Connection con = DriverManager.getConnection(url); 
    For information about encrypting communication, see links below.