Created 05-24-2016 11:34 AM
Hi All,
I have a 5-node HDP 2.4 cluster running several services including Hive (HiveServer2). I now want to set up user authentication in Hive using LDAP.
There is a lot of confusing information/tutorials that mention Ranger/Knox that can be used as an LDAP server but are often discussed in the context of a sandbox (development) environment.
Could anyone offer some clear guidance/steps on how to set up Ranger/Knox so that I can create and manage user access (authentication/authorisation) to Hive in my cluster?
Thanks,
MPH
P.S. - I've looked at this tutorial but it seems to confuse matters (http://hortonworks.com/hadoop-tutorial/manage-security-policy-hive-hbase-knox-ranger/) 😕
Created on 05-24-2016 01:50 PM - edited 08-18-2019 04:20 AM
Ranger and Knox are NOT LDAP servers. Use AD, OpenLDAP or FreeIPA. Ranger is ONLY for authorization, NOT authentication.
Here are your authentication options for Hive
However, if you decide to enable Kerberos, then the Hive authentication option is no longer LDAP directly but Kerberos (and LDAP indirectly).
The GitHubs given above are with Kerberos against FreeIPA or OpenLDAP (and for one node).
Created 05-24-2016 12:14 PM
...also, my other question is: do I need to set up an LDAP server in order to manage users/groups from a centralized service like Ranger? Or can I simply manage end-users and service users in Ranger alone?
Created 05-24-2016 12:30 PM
Hello Mike,
I would not use Knox unless you have to. The HTTP protocol makes a lot of problems with clients. I would go with LDAP/PAM for authentication in Hive (has nothing to do with either Ranger or Knox) and binary access. Then configure Ranger for authorization (or use sqlstdauth).
Created 05-24-2016 12:35 PM
Please check these tutorials for Ranger and Knox -
https://github.com/seanorama/masterclass/tree/master/security-advanced
https://github.com/abajwa-hw/security-workshops
Hope that helps.
Created 05-24-2016 04:10 PM
Thanks for the information - so it seems like the simplest approach is to install OpenLDAP on one of my nodes and configure HiveServer2 to authenticate login requests against it.
I'm looking for the most straightforward / quickest approach to secure Hive, therefore leaving out Kerberos for the time being seems like the best plan?
Created 05-24-2016 04:27 PM
Yeah, LDAP or use PAM. You can still kerberize your cluster. But you wouldn't do the Hive authentication through it.
https://community.hortonworks.com/articles/591/using-hive-with-pam-authentication.html
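An added example, not part of the thread: a small Python check for the HiveServer2 LDAP setup discussed above, reading a hive-site.xml and flagging settings that leave passwords exposed on the wire. The sample file, host name and DN are constructed placeholders; the property names are HiveServer2's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml fragment; host and DN are placeholders.
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name><value>ldap://ldap.example.internal:389</value></property>
  <property><name>hive.server2.authentication.ldap.baseDN</name><value>ou=people,dc=example,dc=internal</value></property>
  <property><name>hive.server2.transport.mode</name><value>binary</value></property>
</configuration>"""

def load_props(xml_text):
    """Return the {name: value} pairs from a Hadoop-style configuration file."""
    root = ET.fromstring(xml_text)
    props = {}
    for p in root.iter("property"):
        name = (p.findtext("name") or "").strip()
        if name:
            props[name] = (p.findtext("value") or "").strip()
    return props

def audit_hs2_ldap(xml_text):
    """Return a list of findings for HiveServer2 LDAP authentication settings."""
    props = load_props(xml_text)
    findings = []
    # HiveServer2 defaults to NONE when the property is absent.
    auth = props.get("hive.server2.authentication", "NONE").upper()
    if auth != "LDAP":
        findings.append(f"hive.server2.authentication is {auth}, not LDAP")
        return findings
    url = props.get("hive.server2.authentication.ldap.url", "")
    if not url:
        findings.append("hive.server2.authentication.ldap.url is not set")
    elif not all(u.lower().startswith("ldaps://") for u in url.split()):
        findings.append("LDAP URL is not ldaps://: bind passwords cross the network in clear text")
    if not (props.get("hive.server2.authentication.ldap.baseDN")
            or props.get("hive.server2.authentication.ldap.Domain")):
        findings.append("neither ldap.baseDN (OpenLDAP) nor ldap.Domain (AD) is set")
    # With LDAP auth the client sends its password to HiveServer2 itself.
    if props.get("hive.server2.use.SSL", "false").lower() != "true":
        findings.append("hive.server2.use.SSL is not true: client passwords reach HiveServer2 unencrypted")
    return findings

if __name__ == "__main__":
    for finding in audit_hs2_ldap(SAMPLE_HIVE_SITE):
        print("FINDING:", finding)
```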
Created 05-24-2016 04:12 PM
P.S. - am I correct in assuming that once this is set up I can install Ranger and sync user and group accounts to it and leverage its management UI to add/remove users on the LDAP server?
Created 05-24-2016 04:28 PM
Yes, you would need to configure user sync with LDAP/AD in the Ranger UI. Alternatively, use UNIX user sync in Ranger to sync with the local operating system. (Works as well.)