Cloudera Docs

Providing the Hive password through an alias in a file

Learn how you can use an alias stored in a file to represent the Hive password during Sqoop-Hive import processes when LDAP authentication is enabled.

The Hive password is stored in a Credential Provider facility and is associated with the alias. During the import, Sqoop resolves the alias from the file and uses the linked password.

  1. Using the CredentialProvider API, store the Hive password in a user specified provider path and associate it with an alias. 
    /opt/cloudera/parcels/CDH/lib/hadoop/bin/hadoop credential \
  create sqoophive.password.alias \
  -value guest-password \
  -provider jceks://hdfs/user/hive/sqoophivepasswd.jceks
  2. Create a file containing the alias that you created in the previous step. Ensure to set '400' permission on the file so that only the user or owner of the file has read permissions.
    You can save this file either in a local file system or on HDFS.
  3. Add the provider path property in the Sqoop import command pointing to the credential provider URI that should be considered while resolving the credential alias.
    -D hadoop.security.credential.provider.path=<***PROVIDER PATH***>
    -D hadoop.security.credential.provider.path=jceks://hdfs/user/hive/sqoophivepasswd.jceks \
  4. Include the following argument in the Sqoop import command to ensure that the content of the file you created will be handled as an alias.
    -D org.apache.sqoop.credentials.loader.class=org.apache.sqoop.util.password.CredentialProviderPasswordLoader
  5. While creating the Sqoop import command, specify the --hive-password-file argument along with the path of the alias file you created earlier. 
    /opt/cloudera/parcels/CDH/bin/sqoop import \
  -Dsqoop.beeline.env.preserve=KRB5CCNAME \
  -D hadoop.security.credential.provider.path=jceks://hdfs/user/hive/sqoophivepasswd.jceks \
  -D org.apache.sqoop.credentials.loader.class=org.apache.sqoop.util.password.CredentialProviderPasswordLoader
  --connection-manager org.apache.sqoop.manager.PostgresqlManager \
  --connect "jdbc:postgresql://db.foo.com:5432/employees" \
  --username [***USERNAME***] \
  --password [***PASSWORD***] \
  --table employees \
  --warehouse-dir \
  /user/hrt_qa/test-sqoop \
  --hive-import \
  --delete-target-dir \
  --hive-overwrite \
  --external-table-dir hdfs:///warehouse/tablespace/external/hive/employees \
  --hs2-url "jdbc:hive2://[***HOST***]:[***PORT***];serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;transportMode=http;httpPath=cliservice;ssl=true;sslTrustStore=[***TRUSTSTORE PATH***];trustStorePassword=[***TRUSTSTORE PASSWORD***]" \
  --hive-user guest \
  --hive-password-file /user/hrt_qa/hivepasswd-storefile \
  -m 1