Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

sentry + ldap + hive confuse

rube
Contributor

Created on ‎02-04-2016 05:47 PM - edited ‎09-16-2022 03:02 AM

hi,

 

"HiveServer2 and the Hive Metastore running with strong authentication. For HiveServer2, strong authentication is either Kerberos or LDAP. For the Hive Metastore, only Kerberos is considered strong authentication."

 

Is that mean if I want sentry work with ldap authentication hive,hive metastore must run with kerbreos,and hive server2 run with ldap.It makes me confused,how to config hive-site.xml. 

 

 

regards

 

rube

4,601 Views
0 Kudos
6 REPLIES 6

Tomcat899
New Contributor

Created ‎02-25-2016 11:33 AM

For production environment, Kerberos is the best method of authentication.
If you want to do a proof of concept, LDAP can be used for securing Hive. To override the kerberos requirement, the following property has to be set in sentry-site.xml
<property>
<name>sentry.hive.testing.mode</name>
<value>true</value>
</property>

All other LDAP properties can be set on the Hive configuration page on CM.
4,552 Views
0 Kudos

SpiveyBen
Cloudera Employee

Created ‎02-28-2016 04:19 PM

Kerberos authentication is a given for a secure environment.  However, it absolutely makes sense to also provide LDAP authentication for JDBC/ODBC clients.  This is common.  Currently you need to choose either Kerberos or LDAP for a single HiveServer2, but this is changing imminently to be like Impalad, where a single instance can support either authentication method.  Keep in mind that this is just authentication from clients to the service.  From that service to the rest of the internal cluster, Kerberos is used.

4,526 Views

rube
Contributor

Created ‎02-28-2016 07:42 PM

https://community.cloudera.com/t5/Batch-SQL-Apache-Hive/hive-ldap-LDAP-error-code-34-invalid-DN/m-p/...
CDH5.5.x,ldap+hive do not work,but CDH5.4.X is ok.
Can you help me out?
4,519 Views
0 Kudos

mjarnold
Contributor

Created ‎02-29-2016 11:19 AM

SpiveyBen,

 

Is there some sort of roadmap/timeline for support of both LDAP and Kerberos for HS2 clients?

4,507 Views
0 Kudos

soundy
New Contributor

Created ‎02-06-2018 08:04 AM

Please can you ellaborate on this ? Is the feature, to support either LDAP or Kerberos Authentication for HS2 already part of the latest/current CDH release? I did not find good documentation for setting up Sentry + Hive - to support HS2 with LDAP authentication in non-testing mode.

3,411 Views
0 Kudos

SpiveyBen
Cloudera Employee

Created ‎02-06-2018 08:07 AM

@soundy Yes the feature already exists in CDH to allow HiveServer2 to be configured for both Kerberos and LDAP authentication at the same time, just like Impala.  You don't need any "testing mode" configurations or anything like that.

3,409 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
What's New @ Cloudera
Cloudera Operational Database (COD) UI supports creating a smaller cluster using a predefined Data Lake template
What's New @ Cloudera
Cloudera Operational Database (COD) supports scaling up the clusters vertically
Product Announcements
CDP Public Cloud: April 2023 Release Summary
What's New @ Cloudera
Cloudera Machine Learning launches "Add Data" feature to simplify data ingestion
What's New @ Cloudera
Simplify Data Access with Custom Connection Support in CML
View More Announcements