
HiveServer2 security using Knox


CASE1: I want to secure Hive using Knox, so I did the integration between Hive LDAP and Knox. I am able to access HiveServer2 using Excel and the ODBC driver through Knox, as well as JDBC. But at the same time, when I am testing the default login on Beeline/ODBC, I am able to do it using the below with any user and password, which ideally should not happen.

Connecting to jdbc:hive2://<hostip>:10001/default;transportMode=http;httpPath=cliservice

CASE2: I have enabled LDAP authentication on hive-server2; now the default login to Beeline is disabled and only LDAP is allowed using port 10001. But now when I am testing it through Knox, I am getting an Invalid credentials error.

How can I disable the default logins in case 1? Or, if I have to use case 2, how can I resolve this issue?


Solution

  • What you describe is the fact that your Hadoop deployment does not block direct access to the backend services with network security, firewalls, etc., and that you have not secured the cluster with Kerberos.

    This isn't really a Knox issue but instead a deployment issue with your cluster. If you do not firewall off your cluster and don't kerberize it then users can go directly to the services themselves and bypass the authentication mechanism in the gateway.

    Ideally, you would secure your cluster (including HiveServer2), which will require users to authenticate via Kerberos/SPNEGO. Then Knox will be set up as a trusted proxy, which will allow it to act on behalf of end users in a particular set of group/s. Knox will authenticate as itself to HS2 and assert the identity of the end user for Hive jobs to run as/for.

    Hope that is helpful.
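
The trusted-proxy setup the answer describes, sketched as configuration fragments (an added example, not part of the original answer or of either project's shipped configuration). The service user name `knox`, the group, the host name, the realm and the keytab path are assumed placeholders; the port and HTTP path are the ones from the question's connection string.

```xml
<!-- core-site.xml: allow the Knox service user to act on behalf of end users.
     "knox", "hive-users" and the host below are assumed placeholder values. -->
<property>
  <name>hadoop.proxyuser.knox.groups</name>
  <value>hive-users</value>
</property>
<property>
  <name>hadoop.proxyuser.knox.hosts</name>
  <value>knox-host.example.com</value>
</property>

<!-- hive-site.xml: HTTP transport as in the question's JDBC URL -->
<property>
  <name>hive.server2.transport.mode</name>
  <value>http</value>
</property>
<property>
  <name>hive.server2.thrift.http.port</name>
  <value>10001</value>
</property>
<property>
  <name>hive.server2.thrift.http.path</name>
  <value>cliservice</value>
</property>

<!-- Case 1 (any user and password accepted) is what a value of NONE produces.
     KERBEROS makes direct Beeline/ODBC clients authenticate as well. -->
<property>
  <name>hive.server2.authentication</name>
  <value>KERBEROS</value>
</property>
<property>
  <name>hive.server2.authentication.kerberos.principal</name>
  <value>hive/_HOST@EXAMPLE.COM</value> <!-- placeholder realm -->
</property>
<property>
  <name>hive.server2.authentication.kerberos.keytab</name>
  <value>/path/to/hive.service.keytab</value> <!-- placeholder path -->
</property>

<!-- Let HS2 run the session as the end user that Knox asserts -->
<property>
  <name>hive.server2.allow.user.substitution</name>
  <value>true</value>
</property>
```

As the answer notes, port 10001 should also be firewalled so that only the Knox host can reach it.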