Starting in Hive 1.3.0, HIVE-7193 adds support in HiveServer2 for
Filters greatly enhance the functionality of the LDAP Authentication provider. They allow Hive to restrict the set of users allowed to connect to HiveServer2.
This enables HiveServer2 to enforce group membership for users. The authentication request will succeed if the user belongs to one or more of the groups listed in the Hive configuration file. If the user does not belong to at least one of the groups listed, the user authentication fails.
Two configuration parameters support group-membership based authentication:
hive.server2.authentication.ldap.groupDNPattern
hive.server2.authentication.ldap.groupFilter
hive.server2.authentication.ldap.groupDNPattern: This value represents a pattern for the “distinguishedName” (DN) of groups in the directory. It can be a single DN pattern if the LDAP group entities are co-located, or a colon-separated list of DN patterns if the groups are scattered across different trees.
Each DN pattern can contain a “%s” in it that will be substituted with the group name (from the group filter) by the provider for group search queries.
Example 1 (single DN):
<property>
  <name>hive.server2.authentication.ldap.groupDNPattern</name>
  <value>CN=%s,OU=Groups,DC=apache,DC=org</value>
</property>
This indicates that all LDAP group entries are under the directory root “OU=Groups,DC=apache,DC=org”.
The LDAP Authentication Provider replaces the %s with the group name in the LDAP queries to locate the group entry. For example, if a group named “group1” is being queried for, it uses "CN=group1,OU=Groups,DC=apache,DC=org".
Example 2 (two DNs):
<property>
  <name>hive.server2.authentication.ldap.groupDNPattern</name>
  <value>CN=%s,OU=Groups,DC=apache,DC=org:uid=%s,CN=Users,DC=apache,DC=org</value>
</property>
The above pattern advises the LDAPAtnProvider that LDAP group entities can exist in two separate trees in the directory and can have different attributes in their DNs. (Note the colon separator.)
hive.server2.authentication.ldap.groupFilter: This value is the group name filter enforced by the LDAPAtnProvider. The individual groups are given as a comma-separated list. The user MUST belong to one or more of these groups for the authentication request to succeed.
Example:
<property>
  <name>hive.server2.authentication.ldap.groupFilter</name>
  <value>group1,group2</value>
</property>
This enables HiveServer2 to restrict access to a specified list of users. If the user being authenticated is not part of this user list, access is denied.
Two configuration parameters support this feature:
hive.server2.authentication.ldap.userDNPattern
hive.server2.authentication.ldap.userFilter
hive.server2.authentication.ldap.userDNPattern: This value represents a pattern for the “distinguishedName” (DN) of users in the directory. It can be a single DN pattern if the LDAP user entities are co-located under a single root, or a colon-separated list of DN patterns if the users are scattered across different trees/forests in the directory.
Each DN pattern can contain a “%s” in it that will be substituted with the username (from the user filter) by the provider for user search queries.
Example 1 (single DN):
<property>
  <name>hive.server2.authentication.ldap.userDNPattern</name>
  <value>CN=%s,CN=Users,DC=apache,DC=org</value>
</property>
In the example above, all users are co-located under a single root “CN=Users,DC=apache,DC=org”. To search for user “foo”, LDAPAtnProvider attempts to find the user with DN like “CN=foo,CN=Users,DC=apache,DC=org”.
Example 2 (two DNs):
<property>
  <name>hive.server2.authentication.ldap.userDNPattern</name>
  <value>CN=%s,OU=Users,DC=apache,DC=org:uid=%s,CN=UnixUsers,DC=apache,DC=org</value>
</property>
The above pattern advises the LDAPAtnProvider that LDAP user entities can exist in two separate trees in the directory and can have different attributes in their DNs. (Note the colon separator.)
hive.server2.authentication.ldap.userFilter: This is a comma-separated list of usernames to grant access to. The Atn provider grants access if the user being authenticated is part of this list, and denies access otherwise.
Example:
<property>
  <name>hive.server2.authentication.ldap.userFilter</name>
  <value>hive-admin,hive,hivetest,hive-user</value>
</property>
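The following is an added illustration, not Hive's own code, of how the pieces described in the group-membership and user-list sections above fit together: splitting a colon-separated DN pattern list, substituting the name for each “%s”, and checking the groupFilter and userFilter lists to reach a GRANT/DENY decision. The directory and the hive-site.xml values are constructed sample data, the attribute used for group membership (“member”) and the order of the checks are assumptions, and the real provider issues LDAP searches against the configured server rather than consulting a dictionary.

```python
# Added illustration (not Hive's code): DN pattern expansion plus the
# groupFilter / userFilter decision described on the page.

USER_DN_PATTERN = "hive.server2.authentication.ldap.userDNPattern"
USER_FILTER = "hive.server2.authentication.ldap.userFilter"
GROUP_DN_PATTERN = "hive.server2.authentication.ldap.groupDNPattern"
GROUP_FILTER = "hive.server2.authentication.ldap.groupFilter"

# Constructed hive-site.xml values, shaped like the examples on the page.
CONFIG = {
    USER_DN_PATTERN: "CN=%s,CN=Users,DC=apache,DC=org:uid=%s,CN=UnixUsers,DC=apache,DC=org",
    USER_FILTER: "alice,bob,carol",
    GROUP_DN_PATTERN: "CN=%s,OU=Groups,DC=apache,DC=org",
    GROUP_FILTER: "group1,group2",
}

# Constructed directory: DN -> attributes. "member" lists user DNs (assumption).
DIRECTORY = {
    "CN=alice,CN=Users,DC=apache,DC=org": {"objectClass": ["person"]},
    "uid=bob,CN=UnixUsers,DC=apache,DC=org": {"objectClass": ["person"]},
    "CN=group1,OU=Groups,DC=apache,DC=org": {"member": ["CN=alice,CN=Users,DC=apache,DC=org"]},
    "CN=group2,OU=Groups,DC=apache,DC=org": {"member": []},
}

# RFC 4514 special characters; a name containing them would change the
# structure of the DN it is substituted into (defensive check, assumption).
DN_SPECIALS = set(',+"\\<>;=#')


def split_list(value, sep):
    """Split a colon- or comma-separated Hive value, ignoring blanks and whitespace."""
    return [v.strip() for v in (value or "").split(sep) if v.strip()]


def expand_dn_patterns(pattern_list, name):
    """Substitute name for every %s in each colon-separated DN pattern."""
    if any(c in DN_SPECIALS for c in name):
        raise ValueError("name contains DN special characters: %r" % name)
    return [p.replace("%s", name) for p in split_list(pattern_list, ":")]


def resolve_dn(pattern_list, name, directory):
    """Return the first expanded DN that exists in the directory, else None."""
    for dn in expand_dn_patterns(pattern_list, name):
        if dn in directory:
            return dn
    return None


def authenticate(username, config, directory):
    """Return (granted, reason) for a user whose LDAP bind already succeeded."""
    # userFilter: when configured, the user must be on the list.
    allowed_users = split_list(config.get(USER_FILTER), ",")
    if allowed_users and username not in allowed_users:
        return False, "user not in userFilter"
    try:
        user_dn = resolve_dn(config[USER_DN_PATTERN], username, directory)
    except ValueError as exc:
        return False, str(exc)
    if user_dn is None:
        return False, "no user entry matched userDNPattern"
    # groupFilter: when configured, the user must belong to at least one group.
    wanted_groups = split_list(config.get(GROUP_FILTER), ",")
    if wanted_groups:
        for group in wanted_groups:
            group_dn = resolve_dn(config[GROUP_DN_PATTERN], group, directory)
            if group_dn and user_dn in directory[group_dn].get("member", []):
                return True, "member of %s" % group_dn
        return False, "not a member of any groupFilter group"
    return True, "passed configured filters"


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, authenticate(user, CONFIG, DIRECTORY))
```

With the constructed data, alice is granted (on the user list and a member of group1), bob is denied because he belongs to neither listed group even though he is on the user list, carol is denied because no entry matches either userDNPattern, and dave is denied by the userFilter before any directory lookup happens. Removing the groupFilter entry from CONFIG makes bob pass, which is the “user list only” configuration the page describes.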
There are several LDAP implementations in commercial use, and the attributes they expose are not standardized across implementations. If neither of the above filters meets the requirements for some unforeseen reason, HiveServer2 can use a user-specified LDAP query string that it executes against the LDAP server. The returned result is then used to adjudicate a GRANT/DENY decision for the authenticating user. To support this configuration, a new configuration property has been introduced: hive.server2.authentication.ldap.customLDAPQuery.
Example:
<property>
  <name>hive.server2.authentication.ldap.customLDAPQuery</name>
  <value><![CDATA[(&(objectClass=person)(|(memberOf=CN=Domain Admins,CN=Users,DC=apache,DC=org)(memberOf=CN=Administrators,CN=Builtin,DC=apache,DC=org)))]]></value>
</property>
The above query returns “all users that are members of one of the groups (Domain Admins or Administrators)”. This offers much more flexibility, allowing Hive users to tailor the LDAP configuration to their particular LDAP implementation.
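To see exactly which entries a customLDAPQuery value such as the one above selects, the following added example (not Hive's own code and not part of this page) implements a small evaluator for the RFC 4515 search-filter syntax and runs the page's query against constructed directory entries. It supports the “&”, “|” and “!” operators, equality and presence (attr=*) items and “\XX” hex escapes; it treats attribute names and values as case-insensitive strings, which is a simplification since a real server applies the matching rules defined by the attribute's schema.

```python
# Added example (not Hive's code): evaluate an RFC 4515 filter, such as the
# page's customLDAPQuery, against constructed entries.
import re

CUSTOM_QUERY = ("(&(objectClass=person)"
                "(|(memberOf=CN=Domain Admins,CN=Users,DC=apache,DC=org)"
                "(memberOf=CN=Administrators,CN=Builtin,DC=apache,DC=org)))")

# Constructed entries: DN -> {attribute: [values]}.
ENTRIES = {
    "CN=alice,CN=Users,DC=apache,DC=org": {
        "objectClass": ["person"],
        "memberOf": ["CN=Domain Admins,CN=Users,DC=apache,DC=org"]},
    "CN=bob,CN=Users,DC=apache,DC=org": {
        "objectClass": ["person"],
        "memberOf": ["CN=Staff,CN=Users,DC=apache,DC=org"]},
    "CN=svc,CN=Users,DC=apache,DC=org": {
        "objectClass": ["group"],
        "memberOf": ["CN=Administrators,CN=Builtin,DC=apache,DC=org"]},
}


def _unescape(value):
    """Decode RFC 4515 hex escapes, e.g. the two characters '\\28' into '('."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|", "!"):
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %r filter" % op)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, children), i + 1
    # Simple item: everything up to the closing ')' (escaped parens are \28/\29).
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated filter item")
    attr, eq, value = s[i:j].partition("=")   # first '=' splits attr from value
    if not eq or not attr:
        raise ValueError("malformed filter item: %r" % s[i:j])
    return ("=", attr.lower(), _unescape(value)), j + 1


def parse_filter(text):
    """Parse a complete filter string into a nested tuple tree."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing input after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if value == "*" else value.lower() in values


def select(filter_text, entries):
    """Return the DNs whose entries satisfy the filter, in directory order."""
    node = parse_filter(filter_text)
    return [dn for dn, entry in entries.items() if matches(node, entry)]


if __name__ == "__main__":
    print(select(CUSTOM_QUERY, ENTRIES))
```

Against the constructed entries only alice is selected: bob is a person but in neither group, and svc is in the Administrators group but is not a person, so the “&” rejects it. Because the customLDAPQuery value is a static configuration string rather than something built from the username at login time, the main operational check is simply to run the query against a test directory, as above, and confirm the result set is the intended set of users before relying on it for GRANT/DENY decisions.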
The group membership parameters can be used in conjunction with the user lists to enforce stricter access. The LDAP Atn provider adjudicates authentication decisions according to the following criteria: