HiveServer2
HiveServer2 (HS2) is a server interface that enables remote clients to execute queries against Hive and retrieve the results. The current Thrift RPC based implementation is an improved version of HiveServer that supports multi-client concurrency and authentication. It is designed to provide better support for open API clients like JDBC and ODBC. The Thrift IDL is available at https://github.com/apache/hive/blob/trunk/service/if/TCLIService.thrift
This document describes how to set up the server. How to use a client with this server is described in the Hive client setup doc.
Version
Introduced in Hive version 0.11. See HIVE-2935.
How to configure
Configuration properties in hive-site.xml
hive.server2.thrift.min.worker.threads - Minimum number of worker threads, default 5
hive.server2.thrift.max.worker.threads - Maximum number of worker threads, default 100
hive.server2.thrift.port - TCP port to listen on, default 10000
hive.server2.thrift.bind.host - TCP interface to bind to
Optional environment settings
HIVE_SERVER2_THRIFT_BIND_HOST - Optional TCP host interface to bind to. Overrides the config file setting
HIVE_SERVER2_THRIFT_PORT - Optional TCP port number to listen on, default 10000. Overrides the config file setting
How to start
$HIVE_HOME/bin/hiveserver2
OR
$HIVE_HOME/bin/hive --service hiveserver2
Authentication/Security configuration
HiveServer2 supports anonymous (no authentication), Kerberos, pass-through LDAP and pluggable custom authentication.
Configuration
hive.server2.authentication - Authentication mode, default NONE. Options are NONE, KERBEROS, LDAP and CUSTOM
hive.server2.authentication.kerberos.principal - Kerberos principal for server
hive.server2.authentication.kerberos.keytab - Keytab for server principal
hive.server2.authentication.ldap.url - LDAP url
hive.server2.authentication.ldap.baseDN - LDAP base DN
hive.server2.custom.authentication.class - Custom authentication class that implements org.apache.hive.service.auth.PasswdAuthenticationProvider interface
Impersonation
By default, HiveServer2 performs the query processing as the user who submitted the query. If the following parameter is set to false, the query runs as the user that the hiveserver2 process runs as.
hive.server2.enable.doAs - Impersonate the connected user, default true
To prevent memory leaks in unsecure mode, disable the file system caches by setting the following parameters to true:
fs.hdfs.impl.disable.cache - Disable hdfs filesystem cache, default false
fs.file.impl.disable.cache - Disable local filesystem cache, default false
Integrity/Confidentiality protection
Changes in HIVE-4911, which should be available in Hive 0.12, enable integrity protection and confidentiality protection (beyond just the default of authentication) for communication between the Hive JDBC driver and HiveServer2. You can use the SASL QOP property to configure this.
- This applies only when Kerberos is used to authenticate the HS2 client (JDBC/ODBC application) with HS2.
- hive.server2.thrift.sasl.qop in hive-site.xml has to be set to one of the valid QOP values ('auth', 'auth-int' or 'auth-conf').
- Specify sasl.qop in the sessionconf part of your JDBC Hive connection string, e.g. jdbc:hive://hostname/dbname;sasl.qop=auth-int
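One way to check a hive-site.xml against the authentication and QOP settings described above. This is an added example, not code from the Hive project: the function names, the rule that treats the listed properties as mandatory for each mode, and the sample configuration are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults as stated on this page.
DEFAULTS = {"hive.server2.authentication": "NONE",
            "hive.server2.thrift.sasl.qop": "auth"}
# Assumption: this checker treats these properties as mandatory per mode.
REQUIRED = {
    "KERBEROS": ["hive.server2.authentication.kerberos.principal",
                 "hive.server2.authentication.kerberos.keytab"],
    "LDAP": ["hive.server2.authentication.ldap.url"],
    "CUSTOM": ["hive.server2.custom.authentication.class"],
}

def load_props(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    props = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return a list of findings for the HS2 security settings."""
    p = load_props(xml_text)
    findings = []
    mode = p["hive.server2.authentication"].upper()
    qop = p["hive.server2.thrift.sasl.qop"]
    if mode == "NONE":
        findings.append("authentication is NONE: clients are not authenticated")
    elif mode not in REQUIRED:
        findings.append("unknown authentication mode: " + mode)
    for name in REQUIRED.get(mode, []):
        if not p.get(name):
            findings.append("%s requires %s" % (mode, name))
    if qop not in ("auth", "auth-int", "auth-conf"):
        findings.append("invalid sasl.qop value: " + qop)
    elif mode == "KERBEROS" and qop != "auth-conf":
        findings.append("sasl.qop=%s: traffic is not encrypted" % qop)
    elif mode != "KERBEROS" and qop != "auth":
        findings.append("sasl.qop=%s only applies with KERBEROS" % qop)
    return findings

# Constructed sample: Kerberos enabled, keytab missing, QOP left at auth-int.
SAMPLE = """<configuration>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.authentication.kerberos.principal</name><value>hive/_HOST@EXAMPLE.COM</value></property>
  <property><name>hive.server2.thrift.sasl.qop</name><value>auth-int</value></property>
</configuration>"""
print("\n".join(audit(SAMPLE)))
```

An empty findings list means the file selects an authentication mode with its supporting properties and, under Kerberos, sets QOP to auth-conf.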