Using HiveServer2 - Authentication
To configure Hive for use with HiveServer2, include the following configuration properties in the .../hive-site.xml
configuration file.
    <property>
      <name>hive.support.concurrency</name>
      <description>Enable Hive's Table Lock Manager Service</description>
      <value>true</value>
    </property>
    <property>
      <name>hive.zookeeper.quorum</name>
      <description>Zookeeper quorum used by Hive's Table Lock Manager</description>
      <value><zk node1>,<zk node2>,...,<zk nodeN></value>
    </property>
    <property>
      <name>hive.zookeeper.client.port</name>
      <value>5181</value>
      <description>The Zookeeper client port. The MapR default clientPort is 5181.</description>
    </property>

To implement custom authentication for HiveServer2, create a custom Authenticator class derived from the following interface:
    public interface PasswdAuthenticationProvider {
      /**
       * The Authenticate method is called by the HiveServer2 authentication layer
       * to authenticate users for their requests.
       * If a user is to be granted, return nothing/throw nothing.
       * When a user is to be disallowed, throw an appropriate {@link AuthenticationException}.
       *
       * For an example implementation, see {@link LdapAuthenticationProviderImpl}.
       *
       * @param user - The username received over the connection request
       * @param password - The password received over the connection request
       * @throws AuthenticationException - When a user is found to be
       * invalid by the implementation
       */
      void Authenticate(String user, String password) throws AuthenticationException;
    }

For example:

    package org.apache.hadoop.hive.contrib.auth;

    import javax.security.sasl.AuthenticationException;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.apache.hadoop.conf.Configurable;
    import org.apache.hadoop.conf.Configuration;
    // MD5Util is a helper class that is not shown on this page.
    import org.apache.hadoop.hive.contrib.utils.MD5Util;
    import org.apache.hive.service.auth.PasswdAuthenticationProvider;

    public class XXXXPasswdAuthenticator implements PasswdAuthenticationProvider, Configurable {
      private static final Log LOG = LogFactory.getLog(XXXXPasswdAuthenticator.class);
      private Configuration conf = null;

      // Per-user property name; %s is replaced with the user name.
      private static final String HIVE_JDBC_PASSWD_AUTH_PREFIX = "hive.jdbc_passwd.auth.%s";

      public XXXXPasswdAuthenticator() {
        init();
      }

      /**
       * No initialization is required.
       */
      public void init() {
      }

      @Override
      public void Authenticate(String userName, String passwd) throws AuthenticationException {
        LOG.info("user: " + userName + " try login.");

        // Look up the stored digest for this user in the configuration.
        String passwdMD5 = getConf().get(String.format(HIVE_JDBC_PASSWD_AUTH_PREFIX, userName));

        if (passwdMD5 == null) {
          String message = "user's ACL configuration is not found. user:" + userName;
          LOG.info(message);
          throw new AuthenticationException(message);
        }

        // Unsalted MD5: identical passwords produce identical stored values.
        String md5 = MD5Util.md5Hex(passwd);

        if (!md5.equals(passwdMD5)) {
          String message = "user name and password is mismatch. user:" + userName;
          throw new AuthenticationException(message);
        }

        LOG.info("user " + userName + " login system successfully.");
      }

      @Override
      public Configuration getConf() {
        if (conf == null) {
          this.conf = new Configuration();
        }
        return conf;
      }

      @Override
      public void setConf(Configuration arg0) {
        this.conf = arg0;
      }
    }

Add the following properties to the hive-site.xml file, then restart HiveServer2:

    <property>
      <name>hive.server2.authentication</name>
      <value>CUSTOM</value>
    </property>
    <property>
      <name>hive.server2.custom.authentication.class</name>
      <value>org.apache.hadoop.hive.contrib.auth.XXXXPasswdAuthenticator</value>
    </property>

Set each user name and password in hive-site.xml. The property name is hive.jdbc_passwd.auth.<user name>, and the value is the string that the authenticator compares with MD5Util.md5Hex(password):

    <property>
      <name>hive.jdbc_passwd.auth.hive_user1</name>
      <value>b531c271de4552ca2dec510d318c87f9</value>
      <description/>
    </property>
    <property>
      <name>hive.jdbc_passwd.auth.hive_user2</name>
      <value>b531c271de4552ca2dec510d318c87f9</value>
      <description/>
    </property>
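
The example authenticator stores an unsalted MD5 digest per user, so two users with the same password get the same property value (as hive_user1 and hive_user2 do here), and it compares digests with String.equals. As an added example, not part of the original page or of Hive, the following JDK-only helper shows a salted PBKDF2 check that Authenticate could call in place of the MD5 comparison. The class name, the iterations:salt:hash value format and the iteration count are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical helper, not part of Hive: salted PBKDF2 instead of an unsalted MD5 hex digest. */
public class SaltedPasswdCheck {
    private static final int ITERATIONS = 600_000; // assumed work factor; tune for your hardware
    private static byte[] pbkdf2(char[] passwd, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passwd, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    /** Builds a property value "iterations:salt:hash" (constructed format, Base64 fields). */
    public static String enroll(char[] passwd) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per user
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(pbkdf2(passwd, salt, ITERATIONS));
    }

    /** True only when passwd matches the stored value; missing or malformed values fail closed. */
    public static boolean verify(String stored, char[] passwd) {
        try {
            String[] f = stored.split(":");
            if (f.length != 3) return false;
            byte[] salt = Base64.getDecoder().decode(f[1]);
            byte[] expected = Base64.getDecoder().decode(f[2]);
            byte[] actual = pbkdf2(passwd, salt, Integer.parseInt(f[0]));
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-sample-password".toCharArray(); // constructed sample input
        String stored = enroll(pw);
        System.out.println("same password, same stored value? " + stored.equals(enroll(pw)));
        System.out.println("correct password accepted? " + verify(stored, pw));
        System.out.println("wrong password accepted? " + verify(stored, "other".toCharArray()));
    }
}
```

In Authenticate, the MD5 block would become a call such as verify(storedValue, passwd.toCharArray()), throwing AuthenticationException when it returns false; the hive.jdbc_passwd.auth.* values would then hold the output of enroll rather than an MD5 digest.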