Configuring ZooKeeper SASL authentication for Hive clients

Learn how to configure Hive clients to authenticate with a ZooKeeper ensemble that enforces Simple Authentication and Security Layer (SASL).

ZooKeeper client authentication

When a ZooKeeper ensemble is configured to enforce SASL authentication, it ensures that only authenticated clients can establish a session. Without this enforcement, the ZooKeeper server remains open to anonymous client connections.

In Kerberized environments, Hive components such as HiveServer2 (HS2) and the Metastore use ZooKeeper for service discovery, high availability, and locking. While server-side components like HS2 can easily authenticate using a predefined principal and keytab, client-side discovery (such as JDBC or Metastore clients) requires specific configurations to handle different Kerberos login methods, including keytabs or the local ticket cache.

Hive ZooKeeper authentication properties

The following table describes the properties used to manage ZooKeeper authentication for Hive components:

| Property | Description |
| --- | --- |
| hive.zookeeper.kerberos.enabled | Specifies whether Hive Beeline/JDBC HS2 uses Kerberos to secure the ZooKeeper connection. This property is evaluated as true only when HS2 is Kerberized. |

Configuring Hive clients for SASL-enforced ZooKeeper

To enable successful authentication when a client connects to a SASL-enforced ZooKeeper ensemble, perform the following:

  1. If you are using the ticket cache, authenticate by using kinit before running the Hive client.