Configuring HiveServer2 for LDAP and for LDAP over SSL
HiveServer2 supports authentication with LDAP and with LDAP over SSL (LDAPS). The two procedures below cover each configuration.
To configure HiveServer2 to use LDAP:
1. Add the following properties to the `hive-site.xml` file to set the server authentication mode to LDAP:

   ```xml
   <property>
     <name>hive.server2.authentication</name>
     <value>LDAP</value>
   </property>
   <property>
     <name>hive.server2.authentication.ldap.url</name>
     <value>LDAP_URL</value>
   </property>
   ```

   Where `LDAP_URL` is the access URL for your LDAP server. For example, `ldap://ldap_host_name@xyz.com:389`.

2. Depending on whether or not you use Microsoft Active Directory as your directory service, add one of the following additional properties to the `hive-site.xml` file:

   - Other LDAP service types, including OpenLDAP:

     ```xml
     <property>
       <name>hive.server2.authentication.ldap.baseDN</name>
       <value>LDAP_BaseDN</value>
     </property>
     ```

     Where `LDAP_BaseDN` is the base LDAP distinguished name for your LDAP server. For example, `ou=dev, dc=xyz, dc=com`.

   - Active Directory (AD):

     ```xml
     <property>
       <name>hive.server2.authentication.ldap.Domain</name>
       <value>AD_Domain</value>
     </property>
     ```

     Where `AD_Domain` is the domain name of the AD server. For example, `corp.domain.com`.

3. Test the LDAP authentication. For example, if you are using the Beeline client, type the following command at the Beeline prompt (the Hive JDBC URL separates session variables with `;`):

   ```
   beeline> !connect jdbc:hive2://node1:<port>/default;user=<LDAP_USERID>;password=<LDAP_PASSWORD>
   ```

   The Beeline client prompts for the user ID and password again. Enter those values to run the command.
To configure HiveServer2 to use LDAP over SSL (LDAPS):
To enable Hive and the Beeline client to use LDAPS, perform the following actions.
Note: Two types of certificates can be used for LDAP over SSL with HiveServer2: certificates signed by a certificate authority (CA) and self-signed certificates.
1. Configure your server for LDAP as described in Steps 1 and 2 in the previous section, "To configure HiveServer2 to use LDAP."

2. Depending on which type of certificate you are using, perform one of the following actions:

   - CA certificate: If you are using a certificate that is signed by a CA, the CA certificate is normally already included in the default Java trustStore located at `${JAVA_HOME}/jre/lib/security/cacerts` on all of your nodes. If the CA certificate is not present, you must import it into your Java `cacerts` trustStore using the following command:

     ```
     keytool -import -trustcacerts -alias <MyHiveLdaps> -storepass <password> -noprompt -file <myCert>.pem -keystore ${JAVA_HOME}/jre/lib/security/cacerts
     ```

     If you want to import the CA certificate into another trustStore location, replace `${JAVA_HOME}/jre/lib/security/cacerts` with the `cacerts` location that you want to use.

   - Self-signed certificate: If you are using a self-signed digital certificate, you must import it into your Java `cacerts` trustStore. For example, if you want to import the certificate into a Java `cacerts` location of `/etc/pki/java/cacerts`, use the following command to import your self-signed certificate:

     ```
     keytool -import -trustcacerts -alias <MyHiveLdaps> -storepass <password> -noprompt -file <myCert>.pem -keystore /etc/pki/java/cacerts
     ```

3. If your trustStore is not `${JAVA_HOME}/jre/lib/security/cacerts`, you must set the `HADOOP_OPTS` environment variable to point to the trustStore that holds your CA certificate so that the certificate loads when the HDP platform loads.

   Note: There is no need to modify the `hadoop-env` template if you use the default Java trustStore of `${JAVA_HOME}/jre/lib/security/cacerts`.

   To set this in Ambari:

   1. In the list of services on the left, click HDFS.
   2. Select the Configs tab.
   3. On the Configs tab page, select the Advanced tab.
   4. Scroll down, and expand the Advanced hadoop-env section.
   5. Add the following configuration information to the hadoop-env template text box (every JVM option starts with `-D`; the system property is `java.net.preferIPv4Stack`):

      ```
      export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"
      ```

   6. Click Save.

4. Restart the HDFS and Hive services. To restart these services in Ambari:

   1. Click the service name on the left margin of the page.
   2. On the service page, click Service Actions.
   3. Choose Restart All.

   For more information about restarting components in Ambari, see "Managing Services" in the Ambari User's Guide.

5. Test the LDAPS authentication. For example, if you are using the Beeline client, type the following command at the Beeline prompt:

   ```
   beeline> !connect jdbc:hive2://node1:10000/default
   ```

   The Beeline client prompts for the user ID and password again. Enter those values to run the command.
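The two fragments configured above, the `hive-site.xml` properties and the `hadoop-env` `HADOOP_OPTS` line, are easy to get subtly wrong. As an added example that is not part of the HDP documentation, this Python checker parses constructed copies of both and reports the inconsistencies a reviewer would look for before restarting the services: a plaintext `ldap://` URL, neither `baseDN` nor `Domain` set, a JVM option mistyped as `=D` instead of `-D`, and an `ldaps://` URL with no `javax.net.ssl.trustStore` in `HADOOP_OPTS`. The property names are the ones on this page; the sample inputs and hostnames are constructed.

```python
import xml.etree.ElementTree as ET
PREFIX = "hive.server2.authentication"

# Constructed hive-site.xml fragment in the shape this page shows (not taken from a real cluster).
HIVE_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name><value>ldaps://ldap.example.com:636</value></property>
  <property><name>hive.server2.authentication.ldap.baseDN</name><value>ou=dev,dc=example,dc=com</value></property>
</configuration>"""

# Constructed hadoop-env line; it deliberately carries "=D" instead of "-D" on the trustStore option.
HADOOP_ENV_LINE = ('export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true =Djavax.net.ssl.trustStore='
                   '/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"')

def parse_hive_site(xml_text):
    """Map every <property> name to its value."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value") for p in root.findall("property")}

def parse_hadoop_opts(line):
    """Split the quoted HADOOP_OPTS value into ({-D key: value}, [tokens that are not -D options])."""
    value = line.split("=", 1)[1].strip().strip('"')  # text after 'export HADOOP_OPTS='
    opts, bad = {}, []
    for tok in value.split():
        if tok.startswith("-D") and "=" in tok:
            opts.update([tok[2:].split("=", 1)])      # "-Dkey=value" -> opts["key"] = "value"
        elif not tok.startswith("$"):                 # "${HADOOP_OPTS}" passthrough is expected
            bad.append(tok)
    return opts, bad

def check_ldap_config(props, opts, bad_tokens):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if props.get(PREFIX) != "LDAP":
        return [f"{PREFIX} is not LDAP; the LDAP checks do not apply"]
    url = props.get(PREFIX + ".ldap.url", "")
    if not url:
        findings.append(f"{PREFIX}.ldap.url is missing")
    elif url.startswith("ldap://"):
        findings.append("ldap.url uses plain ldap://; user passwords cross the network unencrypted, use ldaps://")
    if not props.get(PREFIX + ".ldap.baseDN") and not props.get(PREFIX + ".ldap.Domain"):
        findings.append("neither ldap.baseDN (OpenLDAP and others) nor ldap.Domain (Active Directory) is set")
    findings.extend(f"HADOOP_OPTS token is not a -D option, so the JVM will not apply it: {tok}" for tok in bad_tokens)
    if url.startswith("ldaps://") and "javax.net.ssl.trustStore" not in opts:
        findings.append("ldaps:// is configured but HADOOP_OPTS sets no javax.net.ssl.trustStore; the JVM default cacerts must hold the CA")
    return findings

def run_checks(hive_site=HIVE_SITE, hadoop_env_line=HADOOP_ENV_LINE):
    opts, bad = parse_hadoop_opts(hadoop_env_line)
    return check_ldap_config(parse_hive_site(hive_site), opts, bad)
```

Run `run_checks()` against real copies of the two files; an empty list means the LDAPS settings are consistent, and each finding names the property or token to fix.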