Securing HiveServer2 with LDAP Authentication

This guide explains how to secure remote client connections to HiveServer2 by configuring it to use Lightweight Directory Access Protocol for Authentication (LDAP). LDAP is a widely used protocol for directory services and is commonly used for managing user and group credentials.

By enabling the LDAP-based authentication, you can ensure that only authorized users, validated through your organization's directory service, can access HiveServer2.

Pre-requisites

Before configuring HiveServer2 for LDAP authentication, ensure the following:

You have access to an LDAP service (For example, Active Directory or OpenLDAP).
You have administrative access to the HiveServer2 hive-site.xml configuration file.
Beeline or a similar Hive client is installed on the system to test connections.

Enable the LDAP Authentication

To enable the LDAP authentication, you need to modify the hive-site.xml file, which configures HiveServer2.

Set the Authentication Mode to LDAP: The first step is to set the HiveServer2's authentication mode to LDAP.

Bash
    
 
<property>  <name>hive.server2.authentication</name>  <value>LDAP</value></property>
Copy

Configure the LDAP Server URL: Add the following property to specify the LDAP server's access URL.

Bash
    
 
<property>  <name>hive.server2.authentication.ldap.url</name>  <value>ldap://ldap_host_name:389</value></property>
Copy

Replace ldap_host_name:389 with your LDAP server’s hostname and port.

For example, ldap://ldap.company.com:389.

This URL allows HiveServer2 to connect to your LDAP server for authentication requests.

Configuring based on the LDAP Service Type

Depending on your LDAP service type, you need to add specific properties to hive-site.xml. Below are the configurations for Active Directory (AD) and OpenLDAP.

Active Directory (AD)

If you’re using Active Directory for authentication, configure the following property:

Bash
    
 
<property>  <name>hive.server2.authentication.ldap.Domain</name>  <value>corp.company.com</value></property>
Copy

Replace corp.company.com with your AD domain name.

You can leave the baseDN property empty for AD: If the property already exists.

Bash
    
 
<property>  <name>hive.server2.authentication.ldap.baseDN</name>  <value></value></property>
Copy

Other LDAP Services (E.g. OpenLDAP)

For other LDAP services, such as OpenLDAP, additional properties need to be configured.

OpenLDAP Configuration

hive.server2.authentication.ldap.baseDN: The base Distinguished Name for your LDAP directory. Replace ou=dev,dc=company,dc=com with your OpenLDAP base DN.

Bash
    
 
<property>  <name>hive.server2.authentication.ldap.baseDN</name>  <value>ou=dev,dc=company,dc=com</value></property>
Copy

Optional: User and Group Filtering with LDAP

If your LDAP users and groups are distributed across different Organizational Units (OUs), HiveServer2 allows you to apply filters and configure group membership. These properties are optional but useful in environments with complex LDAP structures.

hive.server2.authentication.ldap.groupDNPattern: Defines the DN pattern for LDAP groups. Replace with the appropriate pattern for your OpenLDAP groups.

Bash
    
 
<property>  <name>hive.server2.authentication.ldap.groupDNPattern</name>  <value>cn=%s,ou=groups,dc=company,dc=com</value></property>
Copy

hive.server2.authentication.ldap.userDNPattern: This property represents a pattern for the Distinguished Name (DN) for users in the directory. This value can be a single DN if the LDAP user entities are co-located under a single root or a colon-separated list of all DN patterns if users are distributed across different trees or forests.

Example 1 (Single DN)

Bash
    
 
<property>  <name>hive.server2.authentication.ldap.userDNPattern</name>  <value>uid=%s,ou=users,dc=company,dc=com</value></property>
Copy

In this example, all users are co-located under a single root ou=users,dc=company,dc=com. To search for the user foo, LDAPAtnProvider looks for the user with DN like uid=foo,ou=users,dc=company,dc=com.

Example 2 (Multiple DNs)

Bash
    
 
<property>  <name>hive.server2.authentication.ldap.userDNPattern</name>  <value>uid=%s,ou=users,dc=company,dc=com:cn=%s,ou=people,dc=company,dc=com</value></property>
Copy

The above pattern indicates that LDAP user entities may exist in two separate trees in the directory with different attributes in their DNs. (Note the colon separator.)

hive.server2.authentication.ldap.groupFilter: A filter to limit the LDAP groups considered for authentication. Example filter for OpenLDAP groups.

Bash
    
 
<property>  <name>hive.server2.authentication.ldap.groupFilter</name>  <value>(objectClass=posixGroup)</value></property>
Copy

hive.server2.authentication.ldap.userFilter: A filter to limit the LDAP users. Example filter for OpenLDAP user accounts.

If you have already added hive.server2.authentication.ldap.userDNPattern, no need to add userFilter.

Bash
    
 
<property>  <name>hive.server2.authentication.ldap.userFilter</name>  <value>(objectClass=posixAccount)</value></property>
Copy

Additional properties such as groupMembershipKey and groupClassKey can be configured similarly based on your LDAP schema. For detailed information, consult the OpenLDAP documentation.

Group Membership Key: Defines the LDAP attribute that holds group membership information.

Bash
    
 
<property>  <name>hive.server2.authentication.ldap.groupMembershipKey</name>  <value>memberOf</value></property>
Copy

Group Class Key: Defines the LDAP object class for groups.

Bash
    
 
<property>  <name>hive.server2.authentication.ldap.groupClassKey</name>  <value>groupOfNames</value></property>
Copy

For more advanced LDAP configurations, including multi-OU setups, refer to the Confluence Documentation on User and Group Filter Support.

Testing the LDAP Authentication with Beeline

Once you’ve configured LDAP, you must test the authentication setup using the Beeline client. The Beeline client allows you to establish a JDBC connection to HiveServer2 and authenticate against your LDAP directory.

For Binary Transport Mode

If HiveServer2 is configured to use binary transport mode (hive.server2.transport.mode=binary), use the following connection string:

beeline>!connect jdbc:hive2://node1:<port>/default

For HTTP Transport Mode

If HiveServer2 is using the HTTP transport mode (hive.server2.transport.mode=http), and the Thrift path is set to cliservice (hive.server2.thrift.http.path=cliservice), use the following connection string:

Bash
    
 
beeline>!connect jdbc:hive2://node1:<port>/default;transportMode=http;httpPath=cliservice
Copy

Make sure to replace node1 and <port> with the correct HiveServer2 host and port.

Conclusion

This guide provides the necessary steps to configure LDAP authentication for HiveServer2. By setting up either Active Directory or OpenLDAP, you can ensure secure access to HiveServer2, leveraging your existing LDAP infrastructure for authentication. For more advanced configurations and troubleshooting, please refer to the official documentation linked above.

By enhancing security with LDAP authentication, your HiveServer2 setup is better equipped to handle sensitive data access in a secure, managed way.

Last updated on Sep 23, 2024

Was this page helpful?