Configuring Hive for SCRAM Token Authentication

This topic describes the manual and automatic options to configure Hive for SCRAM token authentication.

Starting from EEP 8.1.0, Hive supports SCRAM token and SCRAM-SHA-256 authentication in HPE Ezmeral Data Fabric.

Table 1. Description of hive.delegation.token.authentication
# Property Data Type Default value Description
1 hive.delegation.token.authentication String DIGEST Delegation token authentication method. Possible values are DIGEST, SCRAM

To connect to HiveServer2 on EEP 8.1.0 from Hive client on EEP 8.0.x, set hive.delegation.token.authentication property in HPE Ezmeral Data Fabric.

Manually Configuring SCRAM Token Authentication

To configure SCRAM token and SCRAM-SHA-256 authentication, set the following property on HIVE_HOME/conf/hive-site.xml file:
<property>
    <name>hive.delegation.token.authentication</name>    
    <value>SCRAM</value>  
</property> 

The default value for hive.delegation.token.authentication is DIGEST.

To use hive.delegation.token.authentication for Hive, configure Hadoop for SCRAM:
  • Set the value of hadoop.security.token.authentication.method property to SCRAM-SHA-256 in yarn-site.xml file.
  • Set scram.password property and ensure encrypted password file is available in file system.
To learn more, see Hadoop documentation.

Auto Configuring SCRAM Token Authentication

Execute MAPR_HOME/server/configure.sh -R script on a newly installed MapR-SASL or KERBEROS secured cluster to automatically configure the following authentications:

  1. For a FIPS enabled cluster, Hive configures hive.delegation.token.authentication=SCRAM authentication.
  2. For a non-FIPS cluster if you configure Hadoop with hadoop.security.token.authentication.method=SCRAM authentication, Hive configures the SCRAM authentication.
  3. For other clusters, Hive configures hive.delegation.token.authentication=DIGEST authentication.

For non-secure clusters, Hive configures hive.delegation.token.authentication=DIGEST authentication.

You can see hive.delegation.token.authentication property in HIVE_HOME/conf/hive-site.xml when you execute configure.sh command on newly installed cluster.

When you upgrade Hive, the upgrade does not update the value of the set hive.delegation.token.authentication property.

Manually set the value of hive.delegation.token.authentication property when you change the cluster settings from FIPS to non-FIPS or from non-FIPS to FIPS.