question Re: How to Setup HiveServer2 Authentication with LDAP SSL (No Knox) in Archives of Support Questions (Read Only)

How to Setup HiveServer2 Authentication with LDAP SSL (No Knox)

amcbarnett — Thu, 15 Oct 2015 23:18:18 GMT

Re: How to Setup HiveServer2 Authentication with LDAP SSL (No Knox)

deepesh1 — Thu, 15 Oct 2015 23:25:46 GMT

Personally I haven't setup LDAP SSL but here are the properties you can set in hive-site.xml.

hive.server2.authentication = LDAP
hive.server2.authentication.ldap.url = <LDAP URL>
hive.server2.authentication.ldap.baseDN = <LDAP Base DN>
hive.server2.use.SSL = true
hive.server2.keystore.path = <KEYSTORE FILE PATH>
hive.server2.keystore.password = <KEYSTORE PASSWORD>

Re: How to Setup HiveServer2 Authentication with LDAP SSL (No Knox)

amiller — Thu, 15 Oct 2015 23:29:55 GMT

Both LDAP and SSL are covered in the Apache Hive docs:

Authentication/Security Configuration

Setting up SSL Encryption

Re: How to Setup HiveServer2 Authentication with LDAP SSL (No Knox)

amcbarnett — Fri, 16 Oct 2015 00:02:58 GMT

Isn't the ssl encryption different from LDAPs for authentication? The key path is different

Re: How to Setup HiveServer2 Authentication with LDAP SSL (No Knox)

amiller — Fri, 16 Oct 2015 00:52:42 GMT

You're right. For LDAPS you just need to make sure the LDAP server's SSL certificate is trusted by the JVM that runs HS2. If using a self-signed (or otherwise untrusted) cert, import it into the corresponding cacerts, usually under $JAVA_HOME/jre/lib/security/cacerts

Re: How to Setup HiveServer2 Authentication with LDAP SSL (No Knox)

amcbarnett — Wed, 21 Oct 2015 23:00:26 GMT

These keystore.path and the keystore.password is ONLY for SSL encryption. It has nothing to do with LDAP SSL

Re: How to Setup HiveServer2 Authentication with LDAP SSL (No Knox)

amcbarnett — Mon, 19 Aug 2019 12:57:57 GMT

Here is how I got it to work.

In order for tools such as Hive, Beeline to use LDAPs, you need to make a global change in HADOOP_OPTS for CA Certs, so that it is loaded with Hadoop in general, assuming you imported the cert (self-signed) into a cacert located in /etc/pki/java/cacerts

In HDFS-> Configs -> Hadoop Env Template add the following:

export HADOOP_OPTS="-Djava_net_preferIPv4Stack=true =Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"

Note: Components like Knox and Ranger does not use the hadoop_env and needs its own config to be set for LDAP SSL and a manually restart.

Why a manual restart? Because it seems when you start with Ambari, there is no way to manual set user options so that Ambari can pick up these settings and use in java process of Ranger and Knox when it starts. Only when Ranger and Knox is started manually, when restarting is the certs picked up.

Note also Hive View does not work with LDAP or LDAP ssl.

Re: How to Setup HiveServer2 Authentication with LDAP SSL (No Knox)

carter — Tue, 27 Oct 2015 23:52:47 GMT

@amcbarnett@hortonworks.com Can you confirm you really needed the -D settings after you imported your cert into the truststore? These arguments you added are the defaults.

Re: How to Setup HiveServer2 Authentication with LDAP SSL (No Knox)

amcbarnett — Wed, 28 Oct 2015 00:41:11 GMT

@carter@hortonworks.com Yes, the only way it worked is when I used the -D settings.

However I have since been told that in order for Hadoop to use the cert, we should import into $JAVA_HOME/jre/lib/security/cacerts instead of /etc/pki/java/cacerts which we thought was the default.

So apparently if you are using any trustStore besides $JAVA_HOME/jre/lib/security/cacerts you would need the -D settings.

I haven't had a chance to test this as the folks I am working with got it to work with the -D settings, using /etc/java/cacerts and do not want to make any further changes.