Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How to setup Hive Authentication in my cluster ? (Knox, LDAP, Ranger?..confused)

avatar
author-rank mph
Expert Contributor

Created ‎05-24-2016 11:34 AM

Hi All,

I have a 5-node HDP2.4 cluster running several services including Hive (HiveServer2). I want to now setup user authentication in Hive using LDAP.

There is a lot of confusing information/tutorials that mention Ranger/Knox that can be used as an LDAP server but are often discussed in the context of a sandbox (development) environment.

Could anyone offer some clear guidance/steps on how to setup Ranger/Knox so that I can create and manage user access (authentication/authorisation) to Hive in my cluster?

Thanks,

MPH

p.s - Ive looked at this tutorial but it seems to confuse matters (http://hortonworks.com/hadoop-tutorial/manage-security-policy-hive-hbase-knox-ranger/) 😕

5,283 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank amcbarnett
Guru

Created on ‎05-24-2016 01:50 PM - edited ‎08-18-2019 04:20 AM

Ranger and Knox are NOT LDAP server. Use AD, Open LDAP or Free IPA. Ranger is ONLY for authorization NOT authentication

Here are you authentication options for Hive 4492-screen-shot-2016-05-23-at-20913-pm.png

However if you decide to enable Kerberos, then Hive authentication option is no longer LDAP directly but with Kerberos (and LDAP indiectly)

The Githubs given above are with Kerberos against FreeIPA or OpenLDAP (and for one node)

View solution in original post

3,655 Views
8 REPLIES 8

avatar
author-rank mph
Expert Contributor

Created ‎05-24-2016 12:14 PM

..also my other question is do I need to setup a LDAP server in order to manage users/groups from a centralized service like Ranger? or can simply manage end-users and service users in Ranger alone.

3,655 Views
0 Kudos

avatar
author-rank bleonhardi
Master Guru

Created ‎05-24-2016 12:30 PM

Hello Mike,

I would not use Knox unless you have to. HTTP protocol makes a lot of problems with clients. I would go with Ldap/pam for authentication in Hive ( has nothing to do with either ranger or knox ) and binary access. Then configure Ranger for autorization. ( or use sqlstdauth. )

3,655 Views

avatar
author-rank sshimpi
Super Guru

Created ‎05-24-2016 12:35 PM

@mike harding

Please check this tutorials for ranger and knox -

https://github.com/seanorama/masterclass/tree/master/security-advanced

https://github.com/abajwa-hw/security-workshops

Hope that helps.

3,655 Views

avatar
author-rank amcbarnett
Guru

Created on ‎05-24-2016 01:50 PM - edited ‎08-18-2019 04:20 AM

Ranger and Knox are NOT LDAP server. Use AD, Open LDAP or Free IPA. Ranger is ONLY for authorization NOT authentication

Here are you authentication options for Hive 4492-screen-shot-2016-05-23-at-20913-pm.png

However if you decide to enable Kerberos, then Hive authentication option is no longer LDAP directly but with Kerberos (and LDAP indiectly)

The Githubs given above are with Kerberos against FreeIPA or OpenLDAP (and for one node)

3,656 Views

avatar
author-rank mph
Expert Contributor

Created ‎05-24-2016 04:10 PM

Thanks for the information - so it seems like the simplest approach is to install openLDAP on one of my nodes and configure hiveserver2 to authenticate login requests against it.

I'm looking for the most straight forward / quickest approach to secure Hive therefore leaving out Kerberos for the time being seems like the best plan?

3,655 Views
0 Kudos

avatar
author-rank bleonhardi
Master Guru

Created ‎05-24-2016 04:27 PM

yeah ldap or use PAM. You can still kerberize your cluster. But you wouldn't do the hive authentication through it.

https://community.hortonworks.com/articles/591/using-hive-with-pam-authentication.html

3,655 Views
0 Kudos

avatar
author-rank mph
Expert Contributor

Created ‎05-24-2016 04:12 PM

p.s - am I correct in assuming that once this is setup I can install Ranger and sync user and group accounts to it and leverage its management UI to add/remove users on the LDAP server?

3,655 Views
0 Kudos

avatar
author-rank bleonhardi
Master Guru

Created ‎05-24-2016 04:28 PM

yes you would need to configure user sync with ldap/ad in the ranger ui. Alternatively use UNIX user sync in Ranger to sync with the local operating system. ( Works as well )

3,655 Views
0 Kudos
Announcements
Community Announcements
Keep up to date on the Cloudera and Hortonworks community me...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
View More Announcements