Configure HiveServer2 to use LDAP

hive.server2.authentication=LDAP
hive.server2.authentication.ldap.url=LDAP_URL
Where LDAP_URL is the access URL for your LDAP server. For example, 
ldap://ldap_host_name@xyz.com:389. Depending on whether or not you 
use Microsoft Active Directory as your directory service, 
add the following additional properties to the hive-site.xml file:
Other LDAP service types including OpenLDAP:
hive.server2.authentication.ldap.baseDN=LDAP_BaseDN
Where LDAP_BaseDN is the base LDAP distinguished name for your 
LDAP server. For example, ou=dev, dc=xyz, dc=com.
Active Directory (AD):
hive.server2.authentication.ldap.Domain=AD_Domain
Where AD_Domain is the domain name of the AD server. For example, 
corp.domain.com.
Test the LDAP authentication. For example, if you are using the 
Beeline client, type the following command at the Beeline prompt:
beeline> !connect jdbc:hive2://node1:<port>/default;user=<LDAP_USERID>;password=<LDAP_PASSWORD>
The Beeline client prompts for the user ID and password again. 
Enter those values to run the command.
To configure HiveServer2 to use LDAP over SSL (LDAPS):
To enable Hive and the Beeline client to use LDAPS, perform the following 
actions.
Two types of certificates can be used for LDAP over SSL with HiveServer2:
1. CA Certificates, which are digital certificates that are signed by 
a Certificate Authority (CA).
2. Self-signed certificates.
Add the following properties to the hive-site.xml file to set the server 
authentication mode to LDAP:
hive.server2.authentication=LDAP
hive.server2.authentication.ldap.url=LDAP_URL
Where LDAP_URL is the access URL for your LDAP server. For example, 
ldap://ldap_host_name@xyz.com:389.
Depending on whether or not you use Microsoft Active Directory as 
your directory service, add the following additional properties to 
the hive-site.xml file:
Other LDAP service types including OpenLDAP:
hive.server2.authentication.ldap.baseDN=LDAP_BaseDN
Where LDAP_BaseDN is the base LDAP distinguished name for your LDAP server. 
For example, ou=dev, dc=xyz, dc=com.
Active Directory (AD):
hive.server2.authentication.ldap.Domain=AD_Domain
Where AD_Domain is the domain name of the AD server. For example, 
corp.domain.com.
Depending on which type of certificate you are using, perform one of 
the following actions:
CA certificate:
If you are using a certificate that is signed by a CA, the certificate 
is already included in the default Java trustStore located at 
${JAVA_HOME}/jre/lib/security/cacerts on all of your nodes. If the CA 
certificate is not present, you must import the certificate to your Java 
cacert trustStore using the following command:
# keytool -import -trustcacerts -alias {MyHiveLdaps} -storepass {password} -noprompt -file {myCert}.pem -keystore ${JAVA_HOME}/jre/lib/security/cacerts
If you want to import the CA certificate into another trustStore location, 
replace ${JAVA_HOME}/jre/lib/security/cacerts with the cacert location 
that you want to use.
Self-signed certificate:
If you are using a self-signed digital certificate, you must import it into 
your Java cacert trustStore. For example, if you want to import the 
certificate to a Java cacert location of /etc/pki/java/cacerts, use the 
following command to import your self-signed certificate:
# keytool -import -trustcacerts -alias {MyHiveLdaps} -storepass {password} -noprompt -file {myCert}.pem -keystore /etc/pki/java/cacerts
If your trustStore is not ${JAVA_HOME}/jre/lib/security/cacerts, you 
must set the HADOOP_OPTS environment variable to point to your CA 
certificate so that the certificate loads when the HDP platform loads.
There is no need to modify the hadoop-env template if you use the 
default Java trustStore of ${JAVA_HOME}/jre/lib/security/cacerts.
To set this in Ambari:
In the list of services on the left, click HDFS.
Select the Configs tab.
On the Configs tab page, select the Advanced tab.
Scroll down, and expand the Advanced hadoop-env section.
Add the following configuration information to the hadoop-env template 
text box:
export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true \
-Djavax.net.ssl.trustStore=/etc/pki/java/cacerts \
-Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"
Click Save.
Restart the HDFS and Hive services.
To restart these services in Ambari:
Click the service name on the left margin of the page.
On the service page, click Service Actions.
Choose Restart All.
Test the LDAPS authentication. For example, if you are using the 
Beeline client, type the following command at the Beeline prompt:
beeline> !connect jdbc:hive2://node1:10000/default
The Beeline client prompts for the user ID and password again. 
Enter those values to run the command.
Components such as Apache Knox and Apache Ranger do not use the 
hadoop-env.sh.template. The configuration files for these components 
must be set for LDAPS and manually restarted.
Ambari Hive View does not work with LDAP or LDAPS.
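The following shell script is an added example, not part of the HDP documentation, covering both the LDAP procedure at the top of the page and the LDAPS procedure above. It reads hive.server2.authentication and hive.server2.authentication.ldap.url from a hive-site.xml in the standard <property> layout, flags a URL whose scheme is plain ldap:// (the check assumes the LDAPS listener is addressed as ldaps://, the scheme that makes the JNDI client negotiate TLS), and uses keytool to confirm that the {MyHiveLdaps} alias from the import command above is present in a trustStore; the sample hive-site.xml is constructed inline.

```shell
# Added pre-flight check for the LDAP/LDAPS settings above (not HDP's own code).
# Assumes the standard Hadoop <property><name/><value/></property> layout.
# get_hive_prop FILE NAME: print the <value> of property NAME from FILE.
get_hive_prop() {
    awk -v want="$2" '
        /<name>/  { n=$0; sub(/.*<name>/, "", n); sub(/<\/name>.*/, "", n) }
        /<value>/ && n == want {
            v=$0; sub(/.*<value>/, "", v); sub(/<\/value>.*/, "", v); print v; exit
        }' "$1"
}

# check_ldap_config FILE: 0 = LDAP auth over an ldaps:// URL (TLS on),
# 1 = authentication is not LDAP, 2 = URL is plain ldap:// (bind credentials
# would cross the network unencrypted even though LDAPS was intended).
check_ldap_config() {
    auth=$(get_hive_prop "$1" hive.server2.authentication)
    url=$(get_hive_prop "$1" hive.server2.authentication.ldap.url)
    [ "$auth" = "LDAP" ] || return 1
    case "$url" in
        ldaps://*) return 0 ;;
        *)         return 2 ;;
    esac
}

# truststore_has_alias STORE PASSWORD ALIAS: 0 if keytool finds ALIAS in
# STORE, 1 if not (or STORE unreadable), 3 if keytool is not on PATH.
truststore_has_alias() {
    command -v keytool >/dev/null 2>&1 || return 3
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Constructed sample hive-site.xml with the page's placeholder URL (not a real file).
SAMPLE_HIVE_SITE=$(mktemp)
cat > "$SAMPLE_HIVE_SITE" <<'EOF'
<configuration>
  <property>
    <name>hive.server2.authentication</name>
    <value>LDAP</value>
  </property>
  <property>
    <name>hive.server2.authentication.ldap.url</name>
    <value>ldap://ldap_host_name@xyz.com:389</value>
  </property>
</configuration>
EOF
rc=0; check_ldap_config "$SAMPLE_HIVE_SITE" || rc=$?
echo "url check status=$rc (0 ok, 1 not LDAP, 2 plain ldap://)"
rc=0; truststore_has_alias "${JAVA_HOME:-/usr}/jre/lib/security/cacerts" changeit MyHiveLdaps || rc=$?
echo "truststore alias status=$rc (0 present, 1 absent, 3 no keytool)"
```

Run it on each HiveServer2 node after editing hive-site.xml and importing the certificate; a status of 2 from the URL check or 1 from the alias check means the LDAPS setup is not complete.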