Authentication Mechanisms

To connect to a Hive server, you must configure the Simba Apache Hive JDBC Connector to use the authentication mechanism that matches the access requirements of the server and provides the necessary credentials. To determine the authentication settings that your Hive server requires, check the server configuration and then refer to the corresponding section below.

Hive Server 2

Hive Server 2 supports the following authentication mechanisms:

Most default configurations of Hive Server 2 require User Name authentication. If you are unable to connect to your Hive server using User Name authentication, then verify the authentication mechanism configured for your Hive server by examining the hive-site.xml file. Examine the following properties to determine which authentication mechanism your server is set to use:

  • hive.server2.authentication: This property sets the authentication mode for Hive Server 2. The following values are available:

    • NONE enables plain SASL transport. This is the default value.
    • NOSASL disables the Simple Authentication and Security Layer (SASL).
    • KERBEROS enables Kerberos authentication and delegation token authentication.
    • PLAINSASL enables user name and password authentication using a cleartext password mechanism.
    • LDAP enables user name and password authentication using the Lightweight Directory Access Protocol (LDAP).
  • hive.server2.enable.doAs: If this property is set to the default value of TRUE, then Hive processes queries as the user who submitted the query. If this property is set to FALSE, then queries are run as the user that runs the hiveserver2 process.

The following table lists the authentication mechanisms to configure for the connector based on the settings in the hive-site.xml file.

hive.server2.authentication | hive.server2.enable.doAs | Connector Authentication Mechanism
NOSASL                      | FALSE                    | No Authentication
KERBEROS                    | TRUE or FALSE            | Kerberos
KERBEROS                    | TRUE                     | Delegation Token
NONE                        | TRUE or FALSE            | User Name
PLAINSASL or LDAP           | TRUE or FALSE            | User Name And Password

Note:

It is an error to set hive.server2.authentication to NOSASL and hive.server2.enable.doAs to TRUE. This configuration does not prevent the service from starting, but it results in an unusable service.

For more information about authentication mechanisms, refer to the documentation for your Hadoop / Hive distribution. See also "Running Hadoop in Secure Mode" in the Apache Hadoop documentation: http://hadoop.apache.org/docs/r0.23.7/hadoop-project-dist/hadoop-common/ClusterSetup.html#Running_Hadoop_in_Secure_Mode.
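The lookup described above can be scripted as a quick configuration check. The following is an added example, not code from the connector or its vendor: it reads the two properties from hive-site.xml text, applies the defaults and the table given on this page, and flags the NOSASL/doAs combination the Note calls an error. The function names and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults as stated on this page.
DEFAULTS = {"hive.server2.authentication": "NONE",
            "hive.server2.enable.doAs": "TRUE"}

def read_settings(xml_text):
    """Extract the two properties from hive-site.xml text (values upper-cased)."""
    settings = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name in settings:
            settings[name] = (prop.findtext("value") or "").strip().upper()
    return settings

def connector_mechanisms(xml_text):
    """Return (mechanisms to configure in the connector, review notes)."""
    s = read_settings(xml_text)
    auth = s["hive.server2.authentication"]
    do_as = s["hive.server2.enable.doAs"] == "TRUE"
    if auth == "NOSASL":
        if do_as:  # the combination the Note calls an error
            return [], ["NOSASL with doAs=TRUE: service starts but is unusable"]
        return ["No Authentication"], []
    if auth == "KERBEROS":
        return ["Kerberos"] + (["Delegation Token"] if do_as else []), []
    if auth == "NONE":
        effect = ("mapped to an OS user on the server host" if do_as
                  else "ignored; queries run as the hiveserver2 process user")
        return ["User Name"], ["no password is verified; user name is " + effect]
    if auth in ("PLAINSASL", "LDAP"):
        notes = ["password uses a cleartext mechanism"] if auth == "PLAINSASL" else []
        return ["User Name And Password"], notes
    return [], ["unrecognized hive.server2.authentication value: " + auth]

# Constructed sample, not taken from a real server.
SAMPLE = """<configuration>
  <property><name>hive.server2.authentication</name><value>NOSASL</value></property>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    print(connector_mechanisms(SAMPLE))
```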

Using No Authentication

When hive.server2.authentication is set to NOSASL, you must configure your connection to use No Authentication.

Using Kerberos

When connecting to a Hive Server 2 instance and hive.server2.authentication is set to KERBEROS, you must configure your connection to use Kerberos or Delegation Token authentication.

Using User Name

When connecting to a Hive Server 2 instance and hive.server2.authentication is set to NONE, you must configure your connection to use User Name authentication. Validation of the credentials that you include depends on hive.server2.enable.doAs:

  • If hive.server2.enable.doAs is set to TRUE, then the server attempts to map the user name from the connector configuration to an existing operating system user on the host running Hive Server 2. If this user name does not exist in the operating system, then the user group lookup fails and existing HDFS permissions are used. For example, if the current user group is allowed to read and write to the location in HDFS, then read and write queries are allowed.
  • If hive.server2.enable.doAs is set to FALSE, then the user name in the connector configuration is ignored.

If no user name is specified in the connector configuration, then the connector defaults to using hive as the user name.

Using User Name And Password

When connecting to a Hive Server 2 instance and the server is configured to use the SASL-PLAIN authentication mechanism with a user name and a password, you must configure your connection to use User Name And Password authentication.