MapR 5.0 Documentation : Connecting to HiveServer2

The method that HiveServer2 clients use to connect to HiveServer2  is based on the HiveServer2 Authentication method and the type of client:

Using ODBC to Connect to HiveServer2

For details on how to install and use ODBC to connect to Hive, see Hive ODBC Connector

The client must have a Kerberos ticket. See Example: Generating a Kerberos Ticket 

Using JDBC or Beeline to Connect to HiveServer2

HiveServer2 AuthenticationConnection Requirements
No Authentication

Connection String:
jdbc:hive2://<hostname>:10000/default

For encryption, JDBC requires a truststore and an optional truststore password.

  • Connection String with Encryption:
    jdbc:hive2://<host>:<port>/<database>;ssl=true;sslTrustStore=<path-to-truststore>;sslTrustStorePassword=<password>
  • Connection String with Encryption (truststore passed in JVM arguments):
    jdbc:hive2://<host>:<port>/<database>;ssl=true

    Prior to connecting to an application that uses JDBC,such as Beeline, you can run the following command to pass the truststore parameters as java arguments:
    e
    xport HADOOP_OPTS="-Djavax.net.ssl.trustStore=<path-to-trust-store-file> -Djavax.net.ssl.trustStorePassword=<password>"
MapR-SASL

Connection String:
jdbc:hive2://<hostname>:10000/default;auth=maprsasl

Connection String with Encryption (Hive 0.13 version):
jdbc:hive2://<hostname>:10000/default;auth=maprsasl;sasl.qop=auth-conf

Connection String with Encryption (Hive 1.0 version and above):
jdbc:hive2://<hostname>:10000/default;auth=maprsasl;saslQop=auth-conf

Connection for Java Application:
Use the -D flag to append the JVM argument: -Dhadoop.login=maprsasl

PAM

Connection String:
jdbc:hive2://hs2node:10000/default;user=<userid>;password=<password>

Kerberos

Connection String:
jdbc:hive2://<hostname>:10000/default;principal=mapr/<FQDN@REALM>

Connection String with Encryption (Hive 0.13 version):
jdbc:hive2://<hostname>:10000/default;principal=mapr/<FQDN@REALM>;sasl.qop=auth-conf

Connection String with Encryption (Hive 1.0 version and above):
jdbc:hive2://<hostname>:10000/default;principal=mapr/<FQDN@REALM>;saslQop=auth-conf

Connection for Java Application:
Use the -D flag to append the JVM argument: -Dhadoop.login=hybrid

The client nodes must also have a Kerberos ticket and be configured to connect to HiveServer to using Kerberos. See Example: Generating a Kerberos Ticket  and Authentication for HiveServer2.
LDAPConnection String:
jdbc:hive2://hs2node:10000/default;user=<userid>;password=<password>

Examples

Example: Using Beeline with Kerberos

Beeline must pass the Kerberos principal for HiveServer2 in the JDBC connection string. The connection strings you pass to Beeline must use the principal name that you configured for HiveServer2.

Ignore the prompts for the username and password.

See below for a sample Beeline authentication with Kerberos: 

Beeline version 0.11-mapr by Apache Hive
beeline> !connect jdbc:hive2://<hostname>:10000/default;principal=mapr/<FQDN@REALM>
scan complete in 3ms
Connecting to jdbc:hive2://<hostname>:10000/default;principal=mapr/<FQDN@REALM>
Enter username for jdbc:hive2://<hostname>:10000/default;principal=mapr/<FQDN@REALM>: 
Enter password for jdbc:hive2://<hostname>:10000/default;principal=mapr/<FQDN@REALM>: 
Connected to: Hive (version 0.11-mapr)
Driver: Hive (version 0.11-mapr)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://<hostname>:10000/def> show tables;
+-----------+
| tab_name  |
+-----------+
| hcatkv    |
| kv        |
+-----------+
2 rows selected (1.348 seconds)

Example: Using Beeline with Encryption but no Authentication

$ beeline
Beeline version 0.11-mapr by Apache Hive
beeline> !connect jdbc:hive2://127.0.0.1:10000/default;ssl=true;sslTrustStore=truststore.jks;sslTrustStorePassword=tsp
scan complete in 4ms
Connecting to jdbc:hive2://127.0.0.1:10000/default;ssl=true;sslTrustStore=truststore.jks;sslTrustStorePassword=tsp
Enter username for jdbc:hive2://127.0.0.1:10000/default;ssl=true;sslTrustStore=truststore.jks;sslTrustStorePassword=tsp: qa-user1
Enter password for jdbc:hive2://127.0.0.1:10000/default;ssl=true;sslTrustStore=truststore.jks;sslTrustStorePassword=tsp: ****    
Connected to: Hive (version 0.11-mapr)
Driver: Hive (version 0.11-mapr)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://127.0.0.1:10000/default> show tables;
+-------------------+
|     tab_name      |
+-------------------+
| table1            |
| table2            |
+-------------------+

Example: Using Beeline with Encryption but no Authentication (truststore parameters passed as JVM arguments)

$ beeline
Beeline version 0.11-mapr by Apache Hive
beeline> !connect jdbc:hive2://127.0.0.1:1000/default;ssl=true
scan complete in 4ms
Connecting to jdbc:hive2://127.0.0.1:10000/default;ssl=true
Enter username for jdbc:hive2://127.0.0.1:10000/default;ssl=true: qa-user1
Enter password for jdbc:hive2://127.0.0.1:10000/default;ssl=true: ****
Connected to: Hive (version 0.11-mapr)
Driver: Hive (version 0.11-mapr)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://127.0.0.1:10000/default> show tables;
+-------------------+
|     tab_name      |
+-------------------+
| table1            |
| table2            |
+-------------------+


Example: Using Beeline with PAM Authentication 

~$ beeline 
Beeline version 0.11-mapr by Apache Hive 
beeline> !connect jdbc:hive2://<HiveServer2Host>:<port>/default 
scan complete in 4ms 
Connecting to jdbc:hive2://<HiveServer2Host>:<port>/default 
Enter username for jdbc:hive2://<HiveServer2Host>:<port>/default: mapr 
Enter password for jdbc:hive2://<HiveServer2Host>:<port>/default: ******* 
Hive history file=/tmp/mapr/hive_job_log_97d1cf06-bbf5-4abf-9bbb-d9ce56667fdf_941674138.txt 
Connected to: Hive (version 0.11-mapr) 
Driver: Hive (version 0.11-mapr) 
Transaction isolation: TRANSACTION_REPEATABLE_READ

 

Example: Generating a Kerberos Ticket

You use the kinit utility to generate the ticket and then use klist to verify that a ticket exists.

# kinit username/<FQDN@REALM>
# klist

Credentials cache: API:501:9
        Principal: username/<FQDN@REALM>
    Cache version: 0

Server: krbtgt/<FQDN@REALM>
Client: username/<FQDN@REALM>
Ticket etype: aes128-cts-hmac-sha1-96
Ticket length: 256
Auth time:  Jun 11 10:01:48 2014
End time:   Jun 12 18:01:34 2014
Renew till: Jun 18 10:01:48 2014
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless