Client connections to HiveServer
You can use Beeline, a JDBC, or an ODBC connection to HiveServer.
JDBC Client-HiveServer Authentication
String url = "jdbc:hive2://node1:10000/default;user=LDAP_Userid;password=LDAP_Password" Connection con = DriverManager.getConnection(url);where the LDAP_Userid value is the user ID and LDAP_Password is the password of the client user.
HiveServer modes of operation
CDP Private Cloud Base supports a number of modes for interacting with Hive, including Ranger-based authorization.
Operating Mode | Description |
---|---|
Embedded |
The Beeline client and the Hive installation reside on the same host machine or virtual machine. No TCP connectivity is required. |
Remote |
Use remote mode to support multiple, concurrent clients executing queries against the same remote Hive installation. Remote transport mode supports authentication with LDAP and Kerberos. It also supports encryption with SSL. TCP connectivity is required. |
Transport Modes
As administrator, you can start HiveServer in one of the following transport modes:
Transport Mode | Description |
---|---|
TCP |
HiveServer uses TCP transport for sending and receiving Thrift RPC messages. |
HTTP |
HiveServer uses HTTP transport for sending and receiving Thrift RPC messages. |
Pluggable Authentication Modules in HiveServer
While running in TCP transport mode, HiveServer supports Pluggable Authentication Modules (PAM). Using Pluggable Authentication Modules, you can integrate multiple authentication schemes into a single API. You use the Cloudera Manager Safety Valve technique on
to set the following properties:hive.server2.authentication
Value = CUSTOM
hive.server2.custom.authentication.class
Value = <the pluggable auth class name>
The class you provide must be a proper implementation of the
org.apache.hive.service.auth.PasswdAuthenticationProvider
. HiveServer calls
its Authenticate(user, passed)
method to authenticate requests. The
implementation can optionally extend the Hadoop's
org.apache.hadoop.conf.Configured
class to grab the Hive
Configuration object.
HiveServer Trusted Delegation
HiveServer determines the identity of the connecting user from the authentication subsystem (Kerberos or LDAP). Any new session started for this connection runs on behalf of this connecting user. If the server is configured to proxy the user, the identity of the connecting user is used to connect to Hive. Users with Hadoop superuser privileges can request an alternate user for the given session. HiveServer checks that the connecting user can proxy the requested userid, and if so, runs the new session as the alternate user.