Discussion:
beeline connection to Hive using both Kerberos and LDAP with SSL
Mich Talebzadeh
2017-04-07 22:13:43 UTC
Hi,

Hive on CDH 5.9 uses the Kerberos security mechanism.

We have an application that can connect to Impala with LDAP user/password
and SSL.

The problem is that Impala functionality is limited, so the commands sent via
the application to Impala do not work.

The problem is that the application does not support Kerberos connectivity
and only works with SSL and anonymous connection.

This works on Impala, as Impala, which runs by default on port 21000, spawns
port 21050 for user connections to the load balancer.

Is there any way one can enable both (Kerberos and LDAP with SSL) on Hive?


Thanks




Dr Mich Talebzadeh



LinkedIn: https://www.linkedin.com/profile/view?id=AAEAAAAWh2gBxianrbJd6zP6AcPCCdOABUrV8Pw



http://talebzadehmich.wordpress.com


*Disclaimer:* Use it at your own risk. Any and all responsibility for any
loss, damage or destruction of data or any other property which may arise
from relying on this email's technical content is explicitly disclaimed.
The author will in no case be liable for any monetary damages arising from
such loss, damage or destruction.
Gopal Vijayaraghavan
2017-04-08 02:58:03 UTC
Post by Mich Talebzadeh
Is there any way one can enable both (Kerberos and LDAP with SSL) on Hive?

I believe what you're looking for is Apache Knox SSO. And for LDAP users, Apache Ranger user-sync handles auto-configuration.

That is how SSL+LDAP+JDBC works in the HD Cloud gateway [1].

There might be a similar solution from CDH, if you go digging for it.

Cheers,
Gopal
[1] - https://hortonworks.github.io/hdp-aws/security-network/#protected-gateway
Kapil Rastogi
2017-04-25 21:42:10 UTC
Starting with CDH 5.7, clusters running LDAP-enabled HiveServer2
deployments also accept Kerberos authentication.

https://www.cloudera.com/documentation/enterprise/5-8-x/topics/cdh_sg_hiveserver2_security.html

Hope that helps.
Kapil
Mich Talebzadeh
2017-04-30 17:20:55 UTC
Thanks Kapil.

Does this mean that one can have both Kerberos and LDAP (with SSL) and use
either?

Cheers,

Mich

Mich Talebzadeh
2017-05-02 18:29:19 UTC
So it translates to either LDAP or Kerberos; we cannot enable both for the same
Hive Server. SSL is independent. So the supported situations are as below.



1. Anonymous authentication (w/ or w/o SSL)
2. LDAP authentication (w/ or w/o SSL)
3. Kerberos

Cheers




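An added example, not part of the thread or any poster's code: a small audit of `hive-site.xml` that reports which of the authentication modes listed in the last post a HiveServer2 instance runs and whether credentials are protected in transit. The sample configuration and the `ldap.example.com` host are constructed; the property names are the standard HiveServer2 ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml fragment (not from the thread): LDAP
# authentication with client-to-HiveServer2 SSL switched off.
SAMPLE = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name><value>ldap://ldap.example.com</value></property>
  <property><name>hive.server2.use.SSL</name><value>false</value></property>
</configuration>"""

KRB = "hive.server2.authentication.kerberos."


def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML config."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}


def audit(props):
    """Return (auth mode, SSL enabled, findings) for a HiveServer2 config."""
    # HiveServer2 falls back to NONE (anonymous) when the property is absent.
    mode = props.get("hive.server2.authentication", "NONE").upper()
    ssl = props.get("hive.server2.use.SSL", "false").lower() == "true"
    findings = []
    if mode in ("NONE", "NOSASL"):
        findings.append("anonymous: the client-supplied user name is not verified")
    elif mode == "LDAP":
        if not ssl:
            findings.append("LDAP password crosses the client-to-HiveServer2 link unencrypted")
        ldap_url = props.get("hive.server2.authentication.ldap.url", "")
        if not ldap_url.lower().startswith("ldaps://"):
            findings.append("HiveServer2-to-directory bind is not over ldaps://")
    elif mode == "KERBEROS":
        for key in ("principal", "keytab"):
            if not props.get(KRB + key):
                findings.append("missing " + KRB + key)
    return mode, ssl, findings


if __name__ == "__main__":
    mode, ssl, findings = audit(load_props(SAMPLE))
    print("mode=%s ssl=%s" % (mode, ssl))
    for finding in findings:
        print(" -", finding)
```
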