2.2.3. Configure secure Hive

Hive Metastore supports Kerberos authentication for Thrift clients only. HiveServer does not support Kerberos authentication for any clients.

Edit the HIVE_CONF_DIR/hive-site.xml file on your Hive Metastore host machine to modify the following properties:

<property>    
        <name>hive.metastore.sasl.enabled</name>    
        <value>true</value>    
        <description>If true, the metastore thrift interface will be secured with
        SASL.     
        Clients must authenticate with Kerberos.</description>  
</property>    

<property>    
        <name>hive.metastore.kerberos.keytab.file</name>    
        <value>/etc/security/keytabs/hive.service.keytab</value>    
        <description>The path to the Kerberos Keytab file containing the
        metastore thrift server's service principal.</description>  
</property>   

<property>    
        <name>hive.metastore.kerberos.principal</name>    
        <value>hive/_HOST@EXAMPLE.COM</value>    
        <description>The service principal for the metastore thrift server. 
    The special string _HOST will be replaced automatically with the correct hostname.</description>  
</property>

< property>
   <name>hive.server2.authentication</name>
    <value>KERBEROS</value>
    <description>Authentication type </description>
</property> 

<property>
   <name>hive.server2.authentication.kerberos.principal</name>
    <value>hive/_HOST@EXAMPLE.COM</value>
    <description>The service principal for the HiveServer2. 
     If _HOST is used as the hostname portion, it will be replaced with the 
     actual hostname of the running instance.</description>
</property>

<property>
    <name>hive.server2.authentication.kerberos.keytab</name>
    <value>/etc/security/keytabs/hive.service.keytab</value>
    <description>The keytab for the HiveServer2 service principal</description>
</property>

where HIVE_CONF_DIR is the directory to store the Hive configuration files. For example, /etc/hive/conf.


loading table of contents...