How to set up Hive Authentication in my cluster? (Knox, LDAP, Ranger?.. confused)
Labels: Apache Hive, Apache Knox, Apache Ranger
Created ‎05-24-2016 11:34 AM
Hi All,
I have a 5-node HDP2.4 cluster running several services including Hive (HiveServer2). I now want to set up user authentication in Hive using LDAP.
There is a lot of confusing information/tutorials that mention Ranger/Knox that can be used as an LDAP server but are often discussed in the context of a sandbox (development) environment.
Could anyone offer some clear guidance/steps on how to set up Ranger/Knox so that I can create and manage user access (authentication/authorisation) to Hive in my cluster?
Thanks,
MPH
P.S. I've looked at this tutorial but it seems to confuse matters (http://hortonworks.com/hadoop-tutorial/manage-security-policy-hive-hbase-knox-ranger/) 😕
Created ‎05-24-2016 12:14 PM
Also, my other question is: do I need to set up an LDAP server in order to manage users/groups from a centralized service like Ranger? Or can I simply manage end-users and service users in Ranger alone?
Created ‎05-24-2016 12:30 PM
Hello Mike,
I would not use Knox unless you have to. HTTP protocol makes a lot of problems with clients. I would go with LDAP/PAM for authentication in Hive (has nothing to do with either Ranger or Knox) and binary access. Then configure Ranger for authorization (or use sqlstdauth).
Created ‎05-24-2016 12:35 PM
Please check these tutorials for Ranger and Knox:
https://github.com/seanorama/masterclass/tree/master/security-advanced
https://github.com/abajwa-hw/security-workshops
Hope that helps.
Created on ‎05-24-2016 01:50 PM - edited ‎08-18-2019 04:20 AM
Ranger and Knox are NOT LDAP servers. Use AD, OpenLDAP or FreeIPA. Ranger is ONLY for authorization, NOT authentication.
Here are your authentication options for Hive
However, if you decide to enable Kerberos, then the Hive authentication option is no longer LDAP directly but with Kerberos (and LDAP indirectly)
The Githubs given above are with Kerberos against FreeIPA or OpenLDAP (and for one node)
Created ‎05-24-2016 04:10 PM
Thanks for the information - so it seems like the simplest approach is to install OpenLDAP on one of my nodes and configure hiveserver2 to authenticate login requests against it.
I'm looking for the most straightforward / quickest approach to secure Hive, therefore leaving out Kerberos for the time being seems like the best plan?
Created ‎05-24-2016 04:27 PM
Yeah, LDAP or use PAM. You can still kerberize your cluster. But you wouldn't do the Hive authentication through it.
https://community.hortonworks.com/articles/591/using-hive-with-pam-authentication.html
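An added example, not part of the thread: a small Python check for the LDAP or PAM setup discussed above, which reads a hive-site.xml and flags missing authentication settings and cleartext password paths. The property names are standard HiveServer2 settings; the sample file, host name and finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml fragment (not taken from the thread).
SAMPLE = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name>
            <value>ldap://ldap.example.com:389</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit_hs2_auth(xml_text):
    """Return findings ("label: detail") about HiveServer2 authentication."""
    p = load_props(xml_text)
    findings = []
    # HiveServer2 defaults to NONE when the property is absent.
    mode = p.get("hive.server2.authentication", "NONE").upper()
    if mode in ("NONE", "NOSASL"):
        findings.append("no-authentication: client-supplied user name is not verified")
    elif mode == "LDAP":
        url = p.get("hive.server2.authentication.ldap.url", "")
        if not url:
            findings.append("ldap-url-missing: no directory server configured")
        elif not url.lower().startswith("ldaps://"):
            findings.append("ldap-cleartext: HiveServer2 binds to the directory without TLS")
        # One of these tells HiveServer2 how to build the bind DN or AD principal.
        targets = ("baseDN", "Domain", "userDNPattern")
        if not any(p.get("hive.server2.authentication.ldap." + t) for t in targets):
            findings.append("ldap-bind-target-missing: set baseDN, Domain or userDNPattern")
    elif mode == "PAM":
        if not p.get("hive.server2.authentication.pam.services"):
            findings.append("pam-services-missing: no PAM service list configured")
    # LDAP and PAM both receive the password from the client in the clear
    # unless the HiveServer2 endpoint itself uses TLS.
    if mode in ("LDAP", "PAM") and p.get("hive.server2.use.SSL", "false").lower() != "true":
        findings.append("client-cleartext: password sent to HiveServer2 without TLS")
    return findings

if __name__ == "__main__":
    for finding in audit_hs2_auth(SAMPLE):
        print(finding)
```

Ranger policies are evaluated only after one of these modes has established who the user is, so an empty result here is a precondition for authorization rules to mean anything.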
Created ‎05-24-2016 04:12 PM
P.S. Am I correct in assuming that once this is set up I can install Ranger and sync user and group accounts to it and leverage its management UI to add/remove users on the LDAP server?
Created ‎05-24-2016 04:28 PM
Yes, you would need to configure user sync with LDAP/AD in the Ranger UI. Alternatively, use UNIX user sync in Ranger to sync with the local operating system. (Works as well.)
