Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How to Setup HiveServer2 Authentication with LDAP SSL (No Knox)

Labels:
avatar
author-rank amcbarnett
Guru

Created ‎10-15-2015 04:18 PM

 
4,275 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank amcbarnett
Guru

Created on ‎10-21-2015 04:10 PM - edited ‎08-19-2019 05:57 AM

Here is how I got it to work.

In order for tools such as Hive, Beeline to use LDAPs, you need to make a global change in HADOOP_OPTS for CA Certs, so that it is loaded with Hadoop in general, assuming you imported the cert (self-signed) into a cacert located in /etc/pki/java/cacerts

In HDFS-> Configs -> Hadoop Env Template add the following:

export HADOOP_OPTS="-Djava_net_preferIPv4Stack=true =Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"

276-screen-shot-2015-10-20-at-122115-pm.png

Note: Components like Knox and Ranger does not use the hadoop_env and needs its own config to be set for LDAP SSL and a manually restart.

Why a manual restart? Because it seems when you start with Ambari, there is no way to manual set user options so that Ambari can pick up these settings and use in java process of Ranger and Knox when it starts. Only when Ranger and Knox is started manually, when restarting is the certs picked up.

Note also Hive View does not work with LDAP or LDAP ssl.

View solution in original post

3,440 Views
8 REPLIES 8

avatar
author-rank deepesh1
Guru

Created ‎10-15-2015 04:25 PM

Personally I haven't setup LDAP SSL but here are the properties you can set in hive-site.xml.

hive.server2.authentication = LDAP
hive.server2.authentication.ldap.url = <LDAP URL>
hive.server2.authentication.ldap.baseDN = <LDAP Base DN>
hive.server2.use.SSL = true
hive.server2.keystore.path = <KEYSTORE FILE PATH>
hive.server2.keystore.password = <KEYSTORE PASSWORD>
3,440 Views

avatar
author-rank amcbarnett
Guru

Created ‎10-21-2015 04:00 PM

These keystore.path and the keystore.password is ONLY for SSL encryption. It has nothing to do with LDAP SSL

3,440 Views
0 Kudos

avatar
author-rank amiller
Guru

Created ‎10-15-2015 04:29 PM

Both LDAP and SSL are covered in the Apache Hive docs:

Authentication/Security Configuration

Setting up SSL Encryption

3,440 Views
0 Kudos

avatar
author-rank amcbarnett
Guru

Created ‎10-15-2015 05:02 PM

Isn't the ssl encryption different from LDAPs for authentication? The key path is different

3,440 Views
0 Kudos

avatar
author-rank amiller
Guru

Created ‎10-15-2015 05:52 PM

You're right. For LDAPS you just need to make sure the LDAP server's SSL certificate is trusted by the JVM that runs HS2. If using a self-signed (or otherwise untrusted) cert, import it into the corresponding cacerts, usually under $JAVA_HOME/jre/lib/security/cacerts

3,440 Views
0 Kudos

avatar
author-rank amcbarnett
Guru

Created on ‎10-21-2015 04:10 PM - edited ‎08-19-2019 05:57 AM

Here is how I got it to work.

In order for tools such as Hive, Beeline to use LDAPs, you need to make a global change in HADOOP_OPTS for CA Certs, so that it is loaded with Hadoop in general, assuming you imported the cert (self-signed) into a cacert located in /etc/pki/java/cacerts

In HDFS-> Configs -> Hadoop Env Template add the following:

export HADOOP_OPTS="-Djava_net_preferIPv4Stack=true =Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"

276-screen-shot-2015-10-20-at-122115-pm.png

Note: Components like Knox and Ranger does not use the hadoop_env and needs its own config to be set for LDAP SSL and a manually restart.

Why a manual restart? Because it seems when you start with Ambari, there is no way to manual set user options so that Ambari can pick up these settings and use in java process of Ranger and Knox when it starts. Only when Ranger and Knox is started manually, when restarting is the certs picked up.

Note also Hive View does not work with LDAP or LDAP ssl.

3,441 Views

avatar
author-rank carter
Contributor

Created ‎10-27-2015 04:52 PM

@amcbarnett@hortonworks.com Can you confirm you really needed the -D settings after you imported your cert into the truststore? These arguments you added are the defaults.

3,440 Views
0 Kudos

avatar
author-rank amcbarnett
Guru

Created ‎10-27-2015 05:41 PM

@carter@hortonworks.com Yes, the only way it worked is when I used the -D settings.

However I have since been told that in order for Hadoop to use the cert, we should import into $JAVA_HOME/jre/lib/security/cacerts instead of /etc/pki/java/cacerts which we thought was the default.

So apparently if you are using any trustStore besides $JAVA_HOME/jre/lib/security/cacerts you would need the -D settings.

I haven't had a chance to test this as the folks I am working with got it to work with the -D settings, using /etc/java/cacerts and do not want to make any further changes.

3,440 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements