Hive Authentication

The authentication method that you configure for the Hive Metastore, HiveServer2, and WebHcat determines how these Hive components access and connect to each other.

Clients of these components may require additional configuration and specific connection strings based on the selected authentication method.

To enable and use authentication for Hive, complete the following steps:

  1. Determine which authentication methods are supported for each component and its clients.
  2. Configure authentication for Hive components and their clients. See the following topics:
  3. Determine how clients connect to each component. See Connecting to Hive.

Hive Metastore Authentication Support

The following table describes the different supported authentication methods for Hive Metastore and how it impacts the authentication options for its clients:

Data Fabric Cluster Hive Metastore (Remote) Authentication HiveServer 2 Authentication Options WebHCat Authentication Options
Secure

NONE

  • NONE
  • KERBEROS
  • LDAP
  • PAM
  • CUSTOM
  • MAPRSASL
  • NOSASL

PAM

Secure

KERBEROS

KERBEROS

KERBEROS with SPNEGO

Secure

MAPRSASL (default)*

MAPRSASL (default)*

PAM

Not Secure

NONE

NONE

Simple authentication with <user.name> only

*As of Hive 0.13-1504 and Hive 1.0-1504, Hive Metastore supports MapR-SASL and MapR-SASL is enabled by default when the Data Fabric cluster is secure.

HiveServer2 Authentication Support

The following table describes the different supported authentication option for HiveServer2 based on the authentication method configured for Hive Metastore:

Data Fabric Cluster Hive Metastore (Remote) Authentication HiveServer 2 Authentication Options
Secure NONE

NONE

Secure

NONE

KERBEROS
Secure

NONE

LDAP
Secure

NONE

PAM (default)*
Secure

NONE

CUSTOM
Secure

NONE

MAPRSASL*
Secure

KERBEROS

KERBEROS

Secure

MAPRSASL (default)*

MAPRSASL*

Not Secure

NONE

NONE

*As of Hive 0.13-1510, Hive 1.0-1510, and Hive 1.2.1-1510, PAM and MapR-SASL are enabled by default when the cluster is secure. In Hive 0.13-1508 and Hive 1.0-1508, PAM is enabled by default when the cluster is secure. In Hive 0.13-1504 and Hive 1.0-1504, MapR-SASL is supported and enabled by default when the Data Fabric cluster is secure.

Clients of HiveServer2 authenticate with the same authentication method that is configured for HiveServer2. Clients of HiveServer 2 include ODBC, JDBC, and Beeline.

NOTE
Connections to HiveServer2 using ODBC do not support MapR-SASL.

WebHCat Authentication Support

The following table describes the different authentication options for WebHCat based on the authentication method configured for Hive Metastore :

Data Fabric Cluster Hive Metastore (Remote) Authentication WebHCat Authentication
Secure

KERBEROS

KERBEROS with SPNEGO

Secure KERBEROS PAM
Secure

MAPRSASL (default)*

PAM
Not Secure

NONE

Simple authentication with user.name only
*As of Hive 0.13-1504 and Hive 1.0-1504, Hive Metastore supports MapR-SASL and MapR-SASL is enabled by default when the Data Fabric cluster is secure.

Clients of WebHCat authenticate with the same authentication method that is configured for WebHCat. Web browsers are clients of WebHCat.

Description of Security Values

The following table describes the different security values:

Authentication Options Description
NONE

No authentication check

LDAP LDAP/AD based authentication
KERBEROS

Kerberos/GSSAPI authentication

CUSTOM

Custom authentication provider (use with property hive.server2.custom.authentication.class)

PAM

Pluggable authentication module

NOSASL

Raw transport

MAPRSASL

MapR SASL security