
HiveServer2

HiveServer2 (HS2) is a server interface that enables remote clients to execute queries against Hive and retrieve the results. The current Thrift RPC-based implementation is an improved version of HiveServer that supports multi-client concurrency and authentication. It is designed to provide better support for open API clients like JDBC and ODBC. The Thrift IDL is available at https://github.com/apache/hive/blob/trunk/service/if/TCLIService.thrift


This document describes how to set up the server. How to use a client with this server is described in the Hive client setup doc.

Version

Introduced in Hive version 0.11. See HIVE-2935.

How to configure

Configuration properties in hive-site.xml

hive.server2.thrift.min.worker.threads - Minimum number of worker threads, default 5
hive.server2.thrift.max.worker.threads - Maximum number of worker threads, default 100
hive.server2.thrift.port - TCP port to listen on, default 10000
hive.server2.thrift.bind.host - TCP interface to bind to

Optional Environment settings

HIVE_SERVER2_THRIFT_BIND_HOST - Optional TCP host interface to bind to. Overrides the config file setting
HIVE_SERVER2_THRIFT_PORT - Optional TCP port number to listen on, default 10000. Overrides the config file setting

How to start

$HIVE_HOME/bin/hiveserver2

OR

$HIVE_HOME/bin/hive --service hiveserver2

Authentication/Security configuration

HiveServer2 supports Anonymous (no auth), Kerberos, pass-through LDAP and pluggable custom authentication.

Configuration

hive.server2.authentication - Authentication mode, default NONE. Options are NONE, KERBEROS, LDAP and CUSTOM
hive.server2.authentication.kerberos.principal - Kerberos principal for server
hive.server2.authentication.kerberos.keytab - Keytab for server principal
hive.server2.authentication.ldap.url - LDAP url
hive.server2.authentication.ldap.baseDN - LDAP base DN
hive.server2.custom.authentication.class - Custom authentication class that implements org.apache.hive.service.auth.PasswdAuthenticationProvider interface

Impersonation

By default, HiveServer2 performs the query processing as the user who submitted the query. If the following parameter is set to false, the query runs as the user that the hiveserver2 process runs as.

hive.server2.enable.doAs - Impersonate the connected user, default true

To prevent a memory leak in unsecure mode, disable the file system caches by setting the following parameters to true:

fs.hdfs.impl.disable.cache - Disable hdfs filesystem cache, default false
fs.file.impl.disable.cache - Disable local filesystem cache, default false

Integrity/Confidentiality protection

Changes in HIVE-4911, which should be available in Hive 0.12, enable integrity protection and confidentiality protection (beyond just the default of authentication) for communication between the Hive JDBC driver and HiveServer2. You can use the SASL QOP property to configure this.

  • This applies only when Kerberos is used to authenticate the HS2 client (JDBC/ODBC application) with HS2.
  • hive.server2.thrift.sasl.qop in hive-site.xml has to be set to one of the valid QOP values ('auth', 'auth-int' or 'auth-conf').
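A configuration check covering the authentication and QOP settings above, as an added example (not part of the original page or of the Hive project): it parses hive-site.xml and flags combinations that this page describes as unauthenticated or without effect. The sample file is constructed, the function names are hypothetical, and treating the listed Kerberos, LDAP and CUSTOM properties as required for their mode is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml (not from the page): QOP is requested,
# but authentication is left at its default, so the QOP setting has no effect.
SAMPLE = """<configuration>
  <property><name>hive.server2.thrift.port</name><value>10000</value></property>
  <property><name>hive.server2.thrift.sasl.qop</name><value>auth-conf</value></property>
</configuration>"""

# Defaults as stated on this page (QOP defaults to authentication only).
DEFAULTS = {"hive.server2.authentication": "NONE",
            "hive.server2.thrift.sasl.qop": "auth"}

# Assumption: properties from the page's list that each mode needs to be set.
REQUIRED = {
    "KERBEROS": ["hive.server2.authentication.kerberos.principal",
                 "hive.server2.authentication.kerberos.keytab"],
    "LDAP": ["hive.server2.authentication.ldap.url"],
    "CUSTOM": ["hive.server2.custom.authentication.class"]}

def load(xml_text):
    """Return {name: value} from hive-site.xml text, layered over the defaults."""
    conf = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            conf[name] = (prop.findtext("value") or "").strip()
    return conf

def audit(xml_text):
    """Return a list of findings for the HS2 authentication and QOP settings."""
    conf, findings = load(xml_text), []
    mode = conf["hive.server2.authentication"].upper()
    qop = conf["hive.server2.thrift.sasl.qop"].lower()
    if mode == "NONE":
        findings.append("authentication is NONE: clients connect anonymously")
    for name in REQUIRED.get(mode, []):
        if not conf.get(name):
            findings.append(f"{mode} mode but {name} is not set")
    if qop not in ("auth", "auth-int", "auth-conf"):
        findings.append(f"invalid sasl.qop value {qop!r}")
    elif mode != "KERBEROS" and qop != "auth":
        findings.append(f"sasl.qop={qop} has no effect without KERBEROS")
    elif mode == "KERBEROS" and qop == "auth":
        findings.append("sasl.qop=auth: no integrity or confidentiality protection")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```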