Securing Apache Hive

Secure HiveServer using LDAP

You can secure the remote client connection to Hive by configuring HiveServer to use authentication with LDAP.

  1. Add the following properties to the hive-site.xml file to set the server authentication mode to LDAP.
    <property>
      <name>hive.server2.authentication</name>
      <value>LDAP</value>
    </property>

    <property>
      <name>hive.server2.authentication.ldap.url</name>
      <value>LDAP_URL</value>
    </property>
    LDAP_URL is the access URL for your LDAP server. For example, ldap://ldap_host_name@xyz.com:389
  2. Add additional properties to the hive-site.xml file, depending on your LDAP service type.
    • Active Directory (AD)
    • Other LDAP service types, such as OpenLDAP
    AD:
    <property>
      <name>hive.server2.authentication.ldap.Domain</name>
      <value>AD_Domain</value>
    </property>

    Where AD_Domain is the domain name of the AD server. For example, corp.domain.com.

    Other LDAP service types:
    <property>
      <name>hive.server2.authentication.ldap.baseDN</name>
      <value>LDAP_BaseDN</value>
    </property>
    Where LDAP_BaseDN is the base LDAP distinguished name for your LDAP server. For example, ou=dev, dc=xyz, dc=com.
  3. Test the LDAP authentication by using the Beeline client.
    • If the HiveServer transport mode is binary (hive.server2.transport.mode=binary), use the following syntax:
      beeline> !connect jdbc:hive2://node1:<port>/default
    • If the HiveServer2 transport mode is HTTP (hive.server2.transport.mode=http) and the Thrift path is cliservice (hive.server2.thrift.http.path=cliservice), use the following syntax:
      beeline> !connect jdbc:hive2://node1:<port>/default;transportMode=http;httpPath=cliservice
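Before restarting HiveServer and testing with Beeline, the properties from steps 1 and 2 can be checked offline. The following is an added example, not part of the original documentation: the function names, the sample file and the host ldap.example.com are constructed for illustration, and the ldap:// finding is an extra check that the steps above do not require.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml using the property names from steps 1 and 2.
SAMPLE = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name><value>ldap://ldap.example.com:389</value></property>
  <property><name>hive.server2.authentication.ldap.baseDN</name><value>ou=dev,dc=xyz,dc=com</value></property>
</configuration>"""

PREFIX = "hive.server2.authentication"

def load_properties(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_ldap_auth(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    p = load_properties(xml_text)
    findings = []
    if p.get(PREFIX, "").upper() != "LDAP":
        findings.append("authentication mode is not LDAP")
    # Treat the value as a whitespace-separated list so each URL is checked.
    urls = p.get(PREFIX + ".ldap.url", "").split()
    if not urls:
        findings.append("ldap.url is not set")
    for url in urls:
        scheme = url.lower()
        if not scheme.startswith(("ldap://", "ldaps://")):
            # Catches a placeholder such as LDAP_URL left in the file.
            findings.append("ldap.url is not an LDAP URL: " + url)
        elif scheme.startswith("ldap://"):
            # Added check: ldap:// carries the bind password without TLS
            # unless the connection is protected some other way.
            findings.append("ldap.url uses ldap:// rather than ldaps://: " + url)
    # Step 2: AD needs ldap.Domain, other LDAP services need ldap.baseDN.
    if not (p.get(PREFIX + ".ldap.Domain") or p.get(PREFIX + ".ldap.baseDN")):
        findings.append("neither ldap.Domain (AD) nor ldap.baseDN is set")
    return findings

if __name__ == "__main__":
    for finding in check_ldap_auth(SAMPLE):
        print("FINDING:", finding)
```

To check a real file, pass its contents to check_ldap_auth() instead of SAMPLE.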