Secure HiveServer using LDAP over SSL
You can secure the remote client connection to Hive by configuring HiveServer to use authentication with LDAP over SSL (LDAPS).
Two types of certificates can be used for LDAP over SSL with HiveServer2:

- CA certificates, which are digital certificates that are signed by a Certificate Authority (CA)
- Self-signed certificates

1. Add the LDAP authentication property and URL property to the hive-site.xml file to set the server authentication mode to LDAP:

       <property>
         <name>hive.server2.authentication</name>
         <value>LDAP</value>
       </property>
       <property>
         <name>hive.server2.authentication.ldap.url</name>
         <value>LDAP_URL</value>
       </property>

   The LDAP_URL is the access URL for your LDAP server. For example, ldap://ldap_host_name@xyz.com:389.

2. Add additional properties to the hive-site.xml file:

   - If you use Active Directory (AD):

         <property>
           <name>hive.server2.authentication.ldap.Domain</name>
           <value>AD_Domain</value>
         </property>

     Where AD_Domain is the domain name of the AD server. For example, corp.domain.com.

   - If you use other LDAP service types, including OpenLDAP:

         <property>
           <name>hive.server2.authentication.ldap.baseDN</name>
           <value>LDAP_BaseDN</value>
         </property>

     Where LDAP_BaseDN is the base LDAP distinguished name for your LDAP server. For example, ou=dev, dc=xyz, dc=com.

3. Depending on which type of certificate you are using, perform one of the following actions:

   - CA certificate: If you are using a certificate that is signed by a CA, the certificate is already included in the default Java trustStore located at ${JAVA_HOME}/jre/lib/security/cacerts on all of your nodes. If the CA certificate is not present, you must import the certificate into your Java cacerts trustStore using the following command:

         keytool -import -trustcacerts -alias <MyHiveLdaps> -storepass <password> -noprompt -file <myCert>.pem -keystore ${JAVA_HOME}/jre/lib/security/cacerts

     If you want to import the CA certificate into another trustStore location, replace ${JAVA_HOME}/jre/lib/security/cacerts with the cacerts location that you want to use.

   - Self-signed certificate: If you are using a self-signed digital certificate, you must import it into your Java cacerts trustStore. For example, if you want to import the certificate into a Java cacerts location of /etc/pki/java/cacerts, use the following command to import your self-signed certificate:

         keytool -import -trustcacerts -alias <MyHiveLdaps> -storepass <password> -noprompt -file <myCert>.pem -keystore /etc/pki/java/cacerts

4. If your trustStore is not ${JAVA_HOME}/jre/lib/security/cacerts, you must set the HADOOP_OPTS environment variable to point to your CA certificate so that the certificate loads when the HDP platform loads. There is no need to modify the hadoop-env template if you use the default Java trustStore of ${JAVA_HOME}/jre/lib/security/cacerts.

   - In Ambari, select Services > HDFS > Configs > Advanced.
   - Scroll down, and expand the Advanced hadoop-env section.
   - Add the configuration information to the hadoop-env template text box:

         export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"

   - Click Save.

5. Restart the HDFS and Hive services.

6. Test the LDAPS authentication:

       beeline> !connect jdbc:hive2://node1:10000/default

   The Beeline client prompts for the user ID and password.

   Components such as Apache Knox and Apache Ranger do not use the hadoop-env.sh template. The configuration files for these components must be set for LDAPS and manually restarted.
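A pre-flight check for the hive-site.xml properties set in the first two steps, added here as an example and not part of the original page or of Hive itself. It parses the Hadoop-style `<property>` layout and flags the settings most often wrong in practice: a missing or non-LDAP authentication mode, a plain `ldap://` URL (which sends the bind password in clear text rather than over SSL), a URL without an explicit port, and neither the AD `Domain` nor the OpenLDAP `baseDN` property being set. The sample file and the host name `ldap.example.test` are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def parse_hive_site(xml_text: str) -> dict:
    """Return {name: value} for every <property> in a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def check_ldap_config(props: dict) -> list:
    """Return a list of findings; an empty list means the LDAP settings look sane."""
    findings = []
    auth = props.get("hive.server2.authentication", "")
    if auth.upper() != "LDAP":
        return [f"hive.server2.authentication is '{auth}', expected LDAP"]
    url = props.get("hive.server2.authentication.ldap.url", "")
    if not url:
        findings.append("hive.server2.authentication.ldap.url is missing")
    else:
        parsed = urlparse(url)
        # ldap:// sends the simple-bind password in clear text; LDAPS needs ldaps://
        if parsed.scheme != "ldaps":
            findings.append(f"ldap.url uses scheme '{parsed.scheme}', not ldaps")
        if parsed.port is None:
            findings.append("ldap.url has no explicit port (LDAPS is normally 636)")
    # AD deployments set ldap.Domain; OpenLDAP and others set ldap.baseDN
    has_domain = bool(props.get("hive.server2.authentication.ldap.Domain"))
    has_basedn = bool(props.get("hive.server2.authentication.ldap.baseDN"))
    if not (has_domain or has_basedn):
        findings.append("neither ldap.Domain (AD) nor ldap.baseDN (OpenLDAP) is set")
    return findings

# Constructed sample hive-site.xml (not from any real deployment); its plain
# ldap:// URL is the misconfiguration the check is meant to catch.
SAMPLE_HIVE_SITE = """<configuration>
<property><name>hive.server2.authentication</name><value>LDAP</value></property>
<property><name>hive.server2.authentication.ldap.url</name>
<value>ldap://ldap.example.test:389</value></property>
<property><name>hive.server2.authentication.ldap.baseDN</name>
<value>ou=dev,dc=example,dc=test</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in check_ldap_config(parse_hive_site(SAMPLE_HIVE_SITE)):
        print("WARN:", finding)
```

Run it against the real file before restarting HiveServer2; an empty result means the mode, URL scheme, port and directory-type property are all present.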

