Authentication for Hive Metastore

You can configure authentication for in-bound client connections to the Hive Metastore when the metastore is remote, not embedded. Clients of Hive Metastore include the HiveCLI, HCatalog, HiveServer2, and WebHCat.
Hive Metastore supports the following authentication methods:
  • MapR-SASL authentication
  • Kerberos Authentication

To configure authentication for Hive Metastore, add the following property to hive-site.xml.

<property>
  <name>hive.metastore.sasl.enabled</name>
  <value>true</value>
  <description>if true, the metastore thrift interface will be secured with SASL</description>
</property>

MapR-SASL Authentication

MapR-SASL is available starting with the 1504 release of Hive 0.13 and Hive 1.0 and it is the default authentication method when the cluster is secure.

Configuring Hive Metastore to use MapR-SASL

When the cluster is secure, the following default settings in /opt/mapr/conf/env.sh configure the node to use MapR-SASL:

  • MAPR_HIVE_LOGIN _OPTS="-Dhadoop.login=maprsasl"
  • MAPR_HIVE_SERVER_LOGIN_OPTS="-Dhadoop.login=maprsasl_keytab"

Configuring Hive Metastore Clients to use MapR-SASL when authenticating with Hive Metastore

When the cluster is secure, the following default setting in /opt/mapr/conf/env.sh configures the node to use MapR-SASL:

  • MAPR_HIVE_LOGIN _OPTS="-Dhadoop.login=maprsasl"

Hive Metastore clients must provide a valid MapR ticket to connect to the Hive Metastore. See Connecting to Hive for details.

Kerberos Authentication

When the cluster is secure, you can configure Hive Metastore to use Kerberos authentication. You must also configure Hive Metastore clients to use Kerberos when authenticating with Hive Metastore.