How to set up Hive Authentication in my cluster? (Knox, LDAP, Ranger?.. confused)

Expert Contributor

Hi All,

I have a 5-node HDP 2.4 cluster running several services including Hive (HiveServer2). I now want to set up user authentication in Hive using LDAP.

There is a lot of confusing information/tutorials that mention Ranger/Knox that can be used as an LDAP server but are often discussed in the context of a sandbox (development) environment.

Could anyone offer some clear guidance/steps on how to set up Ranger/Knox so that I can create and manage user access (authentication/authorisation) to Hive in my cluster?

Thanks,

MPH

P.S. I've looked at this tutorial but it seems to confuse matters (http://hortonworks.com/hadoop-tutorial/manage-security-policy-hive-hbase-knox-ranger/) 😕

1 ACCEPTED SOLUTION


Ranger and Knox are NOT LDAP servers. Use AD, OpenLDAP or FreeIPA. Ranger is ONLY for authorization, NOT authentication.

Here are your authentication options for Hive (screenshot: 4492-screen-shot-2016-05-23-at-20913-pm.png).

However, if you decide to enable Kerberos, then the Hive authentication option is no longer LDAP directly but Kerberos (and LDAP indirectly).

The GitHubs given above are with Kerberos against FreeIPA or OpenLDAP (and for one node).


8 REPLIES

Expert Contributor

...also, my other question is: do I need to set up an LDAP server in order to manage users/groups from a centralized service like Ranger? Or can I simply manage end-users and service users in Ranger alone?

Master Guru

Hello Mike,

I would not use Knox unless you have to. The HTTP protocol causes a lot of problems with clients. I would go with LDAP/PAM for authentication in Hive (has nothing to do with either Ranger or Knox) and binary access. Then configure Ranger for authorization (or use sqlstdauth).

Expert Contributor

Thanks for the information. So it seems like the simplest approach is to install OpenLDAP on one of my nodes and configure HiveServer2 to authenticate login requests against it.

I'm looking for the most straightforward / quickest approach to secure Hive, therefore leaving out Kerberos for the time being seems like the best plan?

Master Guru

Yeah, LDAP, or use PAM. You can still kerberize your cluster. But you wouldn't do the Hive authentication through it.

https://community.hortonworks.com/articles/591/using-hive-with-pam-authentication.html

Expert Contributor

P.S. Am I correct in assuming that once this is set up I can install Ranger and sync user and group accounts to it and leverage its management UI to add/remove users on the LDAP server?

Master Guru

Yes, you would need to configure user sync with LDAP/AD in the Ranger UI. Alternatively, use UNIX user sync in Ranger to sync with the local operating system. (Works as well.)
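
Added example, not part of any post in this thread: a small Python check that audits a hive-site.xml against the layout the replies recommend (LDAP authentication in HiveServer2, binary transport, authorization switched on for Ranger or SQL standard authorization). The sample file, host name and DN are constructed, and the two TLS checks go beyond what the thread discusses.

```python
import xml.etree.ElementTree as ET

# Constructed hive-site.xml fragment; host name and DN are placeholders.
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name><value>ldap://ldap.example.com:389</value></property>
  <property><name>hive.server2.authentication.ldap.baseDN</name><value>ou=people,dc=example,dc=com</value></property>
  <property><name>hive.server2.transport.mode</name><value>binary</value></property>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from Hadoop-style <property> elements."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit_hive_site(xml_text):
    """Return findings for the LDAP-authentication / policy-authorization layout."""
    p = load_props(xml_text)
    pre = "hive.server2.authentication"
    findings = []
    auth = p.get(pre, "NONE").upper()  # Hive's default is NONE
    if auth == "NONE":
        findings.append("authentication=NONE: the client-supplied user name is not verified")
    elif auth == "LDAP":
        urls = p.get(pre + ".ldap.url", "").split()
        if not urls:
            findings.append("LDAP selected but ldap.url is unset")
        elif not all(u.lower().startswith("ldaps://") for u in urls):
            findings.append("ldap.url is not ldaps://: bind passwords reach the directory without TLS")
        if p.get("hive.server2.use.SSL", "false").lower() != "true":
            findings.append("use.SSL is off: client passwords reach HiveServer2 without TLS")
    if p.get("hive.server2.transport.mode", "binary").lower() != "binary":
        findings.append("transport.mode is not binary, the mode recommended in this thread")
    if p.get("hive.security.authorization.enabled", "false").lower() != "true":
        findings.append("authorization disabled: authenticated users are not limited by policy")
    return findings

if __name__ == "__main__":
    for finding in audit_hive_site(SAMPLE_HIVE_SITE):
        print("FINDING:", finding)
```

Enabling the Ranger Hive plugin or SQL standard authorization is what turns `hive.security.authorization.enabled` on, so the last finding clears once either is configured.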