4. Integrating OpenLDAP with Hive

1. Configuring the Hive users

This applies to Hive in CDH 5.7.6 and later. Hive in CDH 5.5.0 fails with the following error:

2018-08-23 13:59:48,304 ERROR [HiveServer2-Handler-Pool: Thread-29]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: LDAP Authentication failed for user [Caused by javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]]]
at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.security.sasl.AuthenticationException: LDAP Authentication failed for user [Caused by javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]]
at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:266)
at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:102)
… 8 more
Caused by: javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3077)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:159)
… 10 more

HiveServer2 can authenticate with Kerberos or with LDAP. When HiveServer2 authenticates with LDAP, clients log in to HiveServer2 with a username and password. A user who logs in through Hive must have a login account in the directory, so edit the hive_user.ldif configuration file as follows.

# Add the hive branch, which holds the Hive-related users and groups
dn: ou=hive,dc=bigdata,dc=ly
ou: hive
objectClass: top
objectClass: organizationalUnit

# Add the Hive user branch
dn: cn=People,ou=hive,dc=bigdata,dc=ly
cn: People
objectClass: organizationalRole

# FLIGHTDAP account
dn: uid=fight,cn=People,ou=hive,dc=bigdata,dc=ly
objectClass: inetOrgPerson
uid: fight
sn: fight
cn: fight
userPassword: {SSHA}oFRigOdzHpq7laDh6E+OOqJQT36gubNF

# biadmin account
dn: uid=biadmin,cn=People,ou=hive,dc=bigdata,dc=ly
objectClass: inetOrgPerson
uid: biadmin
sn: biadmin
cn: biadmin
userPassword: {SSHA}oFRigOdzHpq7laDh6E+OOqJQT36gubNF

# train account
dn: uid=train,cn=People,ou=hive,dc=bigdata,dc=ly
objectClass: inetOrgPerson
uid: train
sn: train
cn: train
userPassword: {SSHA}oFRigOdzHpq7laDh6E+OOqJQT36gubNF

# Add the System group, which stores the system accounts: the OpenLDAP users that external services bind as
dn: cn=System,ou=hive,dc=bigdata,dc=ly
cn: System
objectClass: organizationalRole

# Account with read-only access to the hive branch
dn: uid=hive_read,cn=System,ou=hive,dc=bigdata,dc=ly
objectClass: inetOrgPerson
uid: hive_read
sn: hive_read
cn: hive_read
userPassword: {SSHA}oFRigOdzHpq7laDh6E+OOqJQT36gubNF

# Account with read/write access to the hive branch
dn: uid=hive_write,cn=System,ou=hive,dc=bigdata,dc=ly
objectClass: inetOrgPerson
uid: hive_write
sn: hive_write
cn: hive_write
userPassword: {SSHA}oFRigOdzHpq7laDh6E+OOqJQT36gubNF

Run the following command to import the Hive account information from hive_user.ldif into OpenLDAP:

ldapadd -x -D "cn=admin,dc=bigdata,dc=ly" -w 1234 -f hive_user.ldif -H ldap://10.100.203.117:18888

Next, configure access rights for the entries under ou=hive,dc=bigdata,dc=ly. Edit the file hive_acl.ldif and add the following content, which gives uid=hive_read,cn=System,ou=hive,dc=bigdata,dc=ly read-only access to ou=hive,dc=bigdata,dc=ly and uid=hive_write,cn=System,ou=hive,dc=bigdata,dc=ly read/write access.

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.subtree="ou=hive,dc=bigdata,dc=ly"
    by dn.base="uid=hive_read,cn=System,ou=hive,dc=bigdata,dc=ly" read
    by dn.base="uid=hive_write,cn=System,ou=hive,dc=bigdata,dc=ly" write
    by dn.children="cn=People,ou=hive,dc=bigdata,dc=ly" read
    by * auth

Run the following command to load this ACL into the cn=config database:

ldapmodify -x -D "cn=config" -w 1234 -f hive_acl.ldif -H ldap://10.100.203.117:18888
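An added example, not part of the original article, that models how OpenLDAP evaluates the `by` clauses of the olcAccess rule above: the clauses are tried top to bottom and the first one whose `who` pattern matches the bound identity decides the access level, and each level implies the weaker ones (write implies read). The rule and DNs are copied from hive_acl.ldif; the evaluator itself is a constructed model, not OpenLDAP's code.

```python
# Constructed model of the olcAccess rule in hive_acl.ldif above.
TARGET_SUBTREE = "ou=hive,dc=bigdata,dc=ly"
BY_CLAUSES = [  # (who-style, pattern, level); tried top to bottom, first match wins
    ("dn.base", "uid=hive_read,cn=System,ou=hive,dc=bigdata,dc=ly", "read"),
    ("dn.base", "uid=hive_write,cn=System,ou=hive,dc=bigdata,dc=ly", "write"),
    ("dn.children", "cn=People,ou=hive,dc=bigdata,dc=ly", "read"),
    ("*", None, "auth"),
]
# OpenLDAP access levels, weakest to strongest; a level implies every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm(dn):
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(",")) if dn else ""

def within(dn, base):
    """True if dn equals base or lies anywhere beneath it."""
    return bool(dn) and (norm(dn) == norm(base) or norm(dn).endswith("," + norm(base)))

def who_matches(style, pattern, bind_dn):
    """Does a 'by <style>=<pattern>' clause apply to the bound identity ('' = anonymous)?"""
    if style == "*":
        return True
    if style == "dn.base":
        return bool(bind_dn) and norm(bind_dn) == norm(pattern)
    if style == "dn.children":
        return within(bind_dn, pattern) and norm(bind_dn) != norm(pattern)
    if style == "dn.subtree":
        return within(bind_dn, pattern)
    raise ValueError(f"unsupported who-style: {style}")

def granted_level(bind_dn, target_dn):
    """Level the rule grants bind_dn on target_dn; None if the rule does not cover the target."""
    if not within(target_dn, TARGET_SUBTREE):
        return None
    for style, pattern, level in BY_CLAUSES:
        if who_matches(style, pattern, bind_dn):
            return level
    return "none"  # no clause matched: OpenLDAP denies

def allowed(bind_dn, target_dn, needed):
    """Would OpenLDAP permit an operation that needs `needed` access under this rule?"""
    level = granted_level(bind_dn, target_dn)
    return level is not None and LEVELS.index(level) >= LEVELS.index(needed)
```

Note that `add: olcAccess` appends the rule after any olcAccess values already present on olcDatabase={2}mdb, and OpenLDAP also selects the first `to` clause that matches the target, so an earlier, broader rule in the database can shadow this one.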

2. Configuring Hive

HiveServer2 can authenticate with Kerberos or with LDAP. When HiveServer2 authenticates with LDAP, clients log in to HiveServer2 with a username and password. Add the following to the hive-site.xml configuration file:

<property>
  <name>hive.server2.authentication</name>
  <value>LDAP</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.url</name>
  <value>ldap://10.100.203.117:18888</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.baseDN</name>
  <value>cn=People,ou=hive,dc=bigdata,dc=ly</value>
</property>
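An added example, not from the original article, that ties the LDIF from section 1 to the baseDN set in hive-site.xml: it parses a constructed subset of hive_user.ldif and reports which beeline login names can actually bind, assuming, as Hive 1.x does when a fixed baseDN is configured, that HiveServer2 builds the bind DN as uid=<login>,<baseDN>. The DNs and hashes are the article's; the parser and checks are the example's own.

```python
import re
# Constructed subset of the article's hive_user.ldif (same DNs and password hashes).
HIVE_USER_LDIF = """\
dn: cn=People,ou=hive,dc=bigdata,dc=ly
cn: People
objectClass: organizationalRole

dn: uid=train,cn=People,ou=hive,dc=bigdata,dc=ly
objectClass: inetOrgPerson
uid: train
cn: train
userPassword: {SSHA}oFRigOdzHpq7laDh6E+OOqJQT36gubNF

dn: uid=hive_read,cn=System,ou=hive,dc=bigdata,dc=ly
objectClass: inetOrgPerson
uid: hive_read
cn: hive_read
userPassword: {SSHA}oFRigOdzHpq7laDh6E+OOqJQT36gubNF
"""
# Value of hive.server2.authentication.ldap.baseDN from the hive-site.xml above.
BASE_DN = "cn=People,ou=hive,dc=bigdata,dc=ly"

def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for a minimal LDIF with one attribute per line."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def bind_dn_for(login, base_dn=BASE_DN):
    """Bind DN HiveServer2 derives from a beeline login (assumed Hive 1.x rule: uid=<login>,<baseDN>)."""
    return f"uid={login},{base_dn}"

def check_login(login, entries):
    """Classify a login attempt against the parsed directory, without contacting a server."""
    entry = entries.get(bind_dn_for(login))
    if entry is None:
        return "no-such-dn"          # bind fails: no entry directly under baseDN
    password = entry.get("userPassword", [""])[0]
    if not password.startswith("{"):
        return "cleartext-password"  # stored without a hash scheme; fix before exposing
    return "ok"
```

Accounts under cn=System (hive_read, hive_write) are deliberately outside the baseDN, so they cannot be used as Hive logins even though they exist in the directory.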

Restart HiveServer2.

nohup hive --service hiveserver2 &

Connect to HiveServer2 with beeline.

$HIVE_HOME/bin/beeline
!connect jdbc:hive2://10.100.110.194:10000
# or, equivalently, pass the user name and password on the command line:
$HIVE_HOME/bin/beeline -u jdbc:hive2://10.100.110.194:10000 -n train -p 1234