Uncle's Experience Sharing (135): Enabling LDAP Authentication in Hive

hive-site.xml

1 Connect to LDAP or an AD domain

<property>
    <name>hive.server2.authentication</name>
    <value>LDAP</value>
</property>
<property>
    <name>hive.server2.authentication.ldap.url</name>
    <value>ldap://test.com</value>
</property>
<property>
    <name>hive.server2.authentication.ldap.Domain</name>
    <value>test.com</value>
</property>

2 Run SQL as the logged-in account rather than the account that started the Hive process

<property>
    <name>hive.server2.enable.doAs</name>
    <value>true</value>
</property>

3 Add the account to the admin role

<property>
    <name>hive.users.in.admin.role</name>
    <value>username</value>
</property>

4 Switch to SQL authorization

<property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory</value>
</property>

After making the changes above, restart the Hive server.

core-site.xml

1 Allow the account that started the Hive process to switch to (impersonate) the logged-in account

<property>
   <name>hadoop.proxyuser.hive.hosts</name>
   <value>*</value>
</property>
<property>
   <name>hadoop.proxyuser.hive.groups</name>
   <value>*</value>
</property>

After making the changes above, restart the NameNode.

Client connection

Start beeline first, then connect with the !connect command:

# beeline
beeline> !connect jdbc:hive2://$server:10000
Connecting to jdbc:hive2://$server:10000
Enter username for jdbc:hive2://$server:10000: username
Enter password for jdbc:hive2://$server:10000: *********
Connected to: Apache Hive (version 2.3.8)
Driver: Hive JDBC (version 2.3.8)
Transaction isolation: TRANSACTION_REPEATABLE_READ
 
0: jdbc:hive2://$server:10000> set role admin;

References:
https://cwiki.apache.org/confluence/display/hive/languagemanual+authorization
https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2#SettingUpHiveServer2-Authentication/SecurityConfiguration
https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization
https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.5/bk_data-access/content/ch02s05s02.html

posted @ 2022-05-20 16:51  匠人先生