Support Questions

mph · ‎05-24-2016

Hi All,

I have a 5-node HDP2.4 cluster running several services including Hive (HiveServer2). I want to now setup user authentication in Hive using LDAP.

There is a lot of confusing information/tutorials that mention Ranger/Knox that can be used as an LDAP server but are often discussed in the context of a sandbox (development) environment.

Could anyone offer some clear guidance/steps on how to setup Ranger/Knox so that I can create and manage user access (authentication/authorisation) to Hive in my cluster?

Thanks,

MPH

p.s - Ive looked at this tutorial but it seems to confuse matters (http://hortonworks.com/hadoop-tutorial/manage-security-policy-hive-hbase-knox-ranger/) 😕

amcbarnett · ‎05-24-2016

Ranger and Knox are NOT LDAP server. Use AD, Open LDAP or Free IPA. Ranger is ONLY for authorization NOT authentication

Here are you authentication options for Hive

However if you decide to enable Kerberos, then Hive authentication option is no longer LDAP directly but with Kerberos (and LDAP indiectly)

The Githubs given above are with Kerberos against FreeIPA or OpenLDAP (and for one node)

View solution in original post

mph · ‎05-24-2016

..also my other question is do I need to setup a LDAP server in order to manage users/groups from a centralized service like Ranger? or can simply manage end-users and service users in Ranger alone.

bleonhardi · ‎05-24-2016

Hello Mike,

I would not use Knox unless you have to. HTTP protocol makes a lot of problems with clients. I would go with Ldap/pam for authentication in Hive ( has nothing to do with either ranger or knox ) and binary access. Then configure Ranger for autorization. ( or use sqlstdauth. )

sshimpi · ‎05-24-2016

@mike harding

Please check this tutorials for ranger and knox -

https://github.com/seanorama/masterclass/tree/master/security-advanced

https://github.com/abajwa-hw/security-workshops

Hope that helps.

amcbarnett · ‎05-24-2016

Ranger and Knox are NOT LDAP server. Use AD, Open LDAP or Free IPA. Ranger is ONLY for authorization NOT authentication

Here are you authentication options for Hive

However if you decide to enable Kerberos, then Hive authentication option is no longer LDAP directly but with Kerberos (and LDAP indiectly)

The Githubs given above are with Kerberos against FreeIPA or OpenLDAP (and for one node)

mph · ‎05-24-2016

Thanks for the information - so it seems like the simplest approach is to install openLDAP on one of my nodes and configure hiveserver2 to authenticate login requests against it.

I'm looking for the most straight forward / quickest approach to secure Hive therefore leaving out Kerberos for the time being seems like the best plan?

bleonhardi · ‎05-24-2016

yeah ldap or use PAM. You can still kerberize your cluster. But you wouldn't do the hive authentication through it.

https://community.hortonworks.com/articles/591/using-hive-with-pam-authentication.html

mph · ‎05-24-2016

p.s - am I correct in assuming that once this is setup I can install Ranger and sync user and group accounts to it and leverage its management UI to add/remove users on the LDAP server?

bleonhardi · ‎05-24-2016

yes you would need to configure user sync with ldap/ad in the ranger ui. Alternatively use UNIX user sync in Ranger to sync with the local operating system. ( Works as well )

Cloudera Community

Support Questions

How to setup Hive Authentication in my cluster ? (Knox, LDAP, Ranger?..confused)

How to setup Knox LDAP password alias in CDP

Setup DbVisualizer access HDP Hive via Knox

Knox with kerberos authentication to proxy to hive

Zeppelin LDAP Authentication with OpenLDAP

NiFi Authentication with LDAP

How to Setup HiveServer2 Authentication with LDAP ...

How to setup knox for Hive2(LLAP) service

HDF-2.0 LDAP User Authentication with Ambari

CDP 7.1.7 Kafka LDAP setup, add multiple LDAP doma...

Setup knox over highly available HiveServer2 insta...