hive.server2.authentication=LDAP
hive.server2.authentication.ldap.url=LDAP_URL
Where LDAP_URL is the access URL for your LDAP server. For example,
ldap://ldap_host_name@xyz.com:389. Depending on whether or not you
use Microsoft Active Directory as your directory service,
add the following additional properties to the hive-site.xml file:
Other LDAP service types including OpenLDAP:
hive.server2.authentication.ldap.baseDN=LDAP_BaseDN
Where LDAP_BaseDN is the base LDAP distinguished name for your
LDAP server. For example, ou=dev, dc=xyz, dc=com.
Active Directory (AD):
hive.server2.authentication.ldap.Domain=AD_Domain
Where AD_Domain is the domain name of the AD server. For example,
corp.domain.com.
Test the LDAP authentication. For example, if you are using the
Beeline client, type the following command at the Beeline prompt
(session variables in a hive2 JDBC URL are separated by semicolons):
beeline> !connect jdbc:hive2://node1:<port>/default;user=<LDAP_USERID>;password=<LDAP_PASSWORD>
The Beeline client prompts for the user ID and password again.
Enter those values to run the command.
To configure HiveServer2 to use LDAP over SSL (LDAPS):
To enable Hive and the Beeline client to use LDAPS, perform the following
actions.
Two types of certificates can be used for LDAP over SSL with HiveServer2:
1. CA Certificates, which are digital certificates that are signed by
a Certificate Authority (CA).
2. Self-signed certificates.
Add the following properties to the hive-site.xml file to set the server
authentication mode to LDAP:
hive.server2.authentication=LDAP
hive.server2.authentication.ldap.url=LDAP_URL
Where LDAP_URL is the access URL for your LDAP server. For example,
ldap://ldap_host_name@xyz.com:389.
Depending on whether or not you use Microsoft Active Directory as
your directory service, add the following additional properties to
the hive-site.xml file:
Other LDAP service types including OpenLDAP:
hive.server2.authentication.ldap.baseDN=LDAP_BaseDN
Where LDAP_BaseDN is the base LDAP distinguished name for your LDAP server.
For example, ou=dev, dc=xyz, dc=com.
Active Directory (AD):
hive.server2.authentication.ldap.Domain=AD_Domain
Where AD_Domain is the domain name of the AD server. For example,
corp.domain.com.
Depending on which type of certificate you are using, perform one of
the following actions:
CA certificate:
If you are using a certificate that is signed by a CA, the certificate
is already included in the default Java trustStore located at
${JAVA_HOME}/jre/lib/security/cacerts on all of your nodes. If the CA
certificate is not present, you must import the certificate to your Java
cacert trustStore using the following command:
# keytool -import -trustcacerts -alias {MyHiveLdaps} -storepass {password} -noprompt -file {myCert}.pem -keystore ${JAVA_HOME}/jre/lib/security/cacerts
If you want to import the CA certificate into another trustStore location,
replace ${JAVA_HOME}/jre/lib/security/cacerts with the cacert location
that you want to use.
Self-signed certificate:
If you are using a self-signed digital certificate, you must import it into
your Java cacert trustStore. For example, if you want to import the
certificate to a Java cacert location of /etc/pki/java/cacerts, use the
following command to import your self-signed certificate:
# keytool -import -trustcacerts -alias {MyHiveLdaps} -storepass {password} -noprompt -file {myCert}.pem -keystore /etc/pki/java/cacerts
If your trustStore is not ${JAVA_HOME}/jre/lib/security/cacerts, you
must set the HADOOP_OPTS environment variable to point to your CA
certificate so that the certificate loads when the HDP platform loads.
There is no need to modify the hadoop-env template if you use the
default Java trustStore of ${JAVA_HOME}/jre/lib/security/cacerts.
To set this in Ambari:
In the list of services on the left, click HDFS.
Select the Configs tab.
On the Configs tab page, select the Advanced tab.
Scroll down, and expand the Advanced hadoop-env section.
Add the following configuration information to the hadoop-env template
text box (the system property is java.net.preferIPv4Stack, written with
dots; the three parts form a single export statement):
export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true \
-Djavax.net.ssl.trustStore=/etc/pki/java/cacerts \
-Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"
Click Save.
Restart the HDFS and Hive services.
To restart these services in Ambari:
Click the service name on the left margin of the page.
On the service page, click Service Actions.
Choose Restart All.
Test the LDAPS authentication. For example, if you are using the
Beeline client, type the following command at the Beeline prompt:
beeline> !connect jdbc:hive2://node1:10000/default
The Beeline client prompts for the user ID and password again.
Enter those values to run the command.
Components such as Apache Knox and Apache Ranger do not use the
hadoop-env.sh.template. The configuration files for these components
must be set for LDAPS and manually restarted.
Ambari Hive View does not work with LDAP or LDAPS.