1. 概述
1.1 目的
HiveServer2提供了JDBC链接操作Hive的功能,非常实用,但如果在使用HiveServer2时候,不注意安全控制,将非常危险,因为任何人都可以作为超级用户来操作Hive及HDFS数据。
1.2 认证方式
HiveServer2支持多种用户安全认证方式:NONE、NOSASL、KERBEROS、LDAP、PAM、CUSTOM等,本文采用CUSTOM。
2. 编写代码
- 所需jar包
commons-logging-1.2.jar
hadoop-common-2.7.3.jar
hive-service-2.1.1.jar
2.1 编写权限认证类
package org.apache.hive;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.security.sasl.AuthenticationException;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hive.service.auth.PasswdAuthenticationProvider;
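/**
 * Password authentication provider for HiveServer2's {@code CUSTOM} authentication mode.
 *
 * <p>Each user's expected password digest is read from the Hive configuration under the key
 * {@code hive.jdbc_passwd.auth.<user>}; the supplied password is hashed with {@link MD5} and
 * compared against that value.
 *
 * <p>NOTE(review): the stored value is an unsalted MD5 of the password. That format is kept here
 * for compatibility with existing {@code hive-site.xml} entries, but a salted, slow password hash
 * would be a stronger choice if the configuration format can be changed.
 *
 * @author volitation
 */
public class CustomHiveServer2Auth implements PasswdAuthenticationProvider, Configurable {
    private static final Log LOG = LogFactory.getLog(CustomHiveServer2Auth.class);
    /** Configuration key pattern; {@code %s} is replaced by the user name. */
    private static final String HIVE_JDBC_PASSWD_AUTH_PREFIX = "hive.jdbc_passwd.auth.%s";
    private Configuration conf = null;

    public CustomHiveServer2Auth() {
        init();
    }

    /** Initialisation hook; intentionally empty in this implementation. */
    public void init() {
    }

    /**
     * Authenticates {@code userName} by comparing the MD5 digest of {@code passwd} with the
     * digest configured for that user.
     *
     * @param userName the login name presented by the client
     * @param passwd the clear-text password presented by the client; {@code null} is rejected
     * @throws AuthenticationException if no digest is configured for the user, or if the
     *     password does not match the configured digest
     */
    public void Authenticate(String userName, String passwd) throws AuthenticationException {
        LOG.info("user: " + userName + " try login.");
        String passwdMD5 = getConf().get(String.format(HIVE_JDBC_PASSWD_AUTH_PREFIX, userName));
        if (passwdMD5 == null) {
            String message = "user's ACL configration is not found. user:" + userName;
            LOG.info(message);
            throw new AuthenticationException(message);
        }
        if (passwd == null) {
            // A missing password can never match; reject it here rather than letting md5() throw NPE.
            throw new AuthenticationException("user name and password is mismatch. user:" + userName);
        }
        String md5 = new MD5().md5(passwd);
        // Constant-time comparison: String.equals() stops at the first differing character, which
        // lets response time reveal how much of the digest matched.
        byte[] expected = passwdMD5.getBytes(StandardCharsets.UTF_8);
        byte[] actual = md5.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(actual, expected)) {
            String message = "user name and password is mismatch. user:" + userName;
            throw new AuthenticationException(message);
        }
        LOG.info("user " + userName + " login system successfully.");
    }

    /**
     * Returns the configuration this provider reads digests from, creating an empty
     * {@link Configuration} on first use if none was injected via {@link #setConf}.
     */
    public Configuration getConf() {
        if (conf == null) {
            this.conf = new Configuration();
        }
        return conf;
    }

    /** Injects the configuration (HiveServer2 supplies its own when instantiating the provider). */
    public void setConf(Configuration arg0) {
        this.conf = arg0;
    }
}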
2.2 编写MD5摘要类
package org.apache.hive;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Objects;
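/**
 * Computes the MD5 digest of a string and renders it as lower-case hexadecimal.
 *
 * <p>Not thread-safe: one {@link MessageDigest} instance is reset and reused on every call,
 * so each thread should use its own {@code MD5} object.
 *
 * @author volitation
 */
public class MD5 {
    /** Lower-case hex alphabet used when rendering the digest. */
    private static final char[] HEX_DIGITS =
            {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
    private final MessageDigest digest;

    public MD5() {
        try {
            digest = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            // MD5 is a mandatory JCA algorithm; failing here means the runtime itself is broken.
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the MD5 digest of {@code str} as 32 lower-case hex characters.
     *
     * @param str the text to hash; encoded as UTF-8 before hashing
     * @return the hex-encoded digest
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public String md5(String str) {
        Objects.requireNonNull(str, "str");
        // Fix the charset explicitly: String.getBytes() with no argument uses the platform default,
        // so the same non-ASCII password could hash differently on different hosts.
        byte[] input = str.getBytes(StandardCharsets.UTF_8);
        digest.reset();
        byte[] md = digest.digest(input);
        // Render each byte as two hex digits, high nibble first.
        char[] out = new char[md.length * 2];
        int k = 0;
        for (byte b : md) {
            out[k++] = HEX_DIGITS[(b >>> 4) & 0xf];
            out[k++] = HEX_DIGITS[b & 0xf];
        }
        return new String(out);
    }

    /** Demo entry point: prints the digest of a sample string. */
    public static void main(String[] args) {
        String pwd = new MD5().md5("NFJD1234");
        System.out.println(pwd);
    }
}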
2.3 配置pom,用Maven打jar包
<dependencies>
<dependency>
<groupId>hive-service</groupId>
<artifactId>hive-service</artifactId>
<version>2.1.1</version>
<scope>system</scope>
<systemPath>${basedir}/src/main/webapp/WEB-INF/lib/hive-service-2.1.1.jar</systemPath>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
<scope>system</scope>
<systemPath>${basedir}/src/main/webapp/WEB-INF/lib/commons-logging-1.2.jar</systemPath>
</dependency>
<dependency>
<groupId>hadoop-common</groupId>
<artifactId>hadoop-common</artifactId>
<version>2.7.3</version>
<scope>system</scope>
<systemPath>${basedir}/src/main/webapp/WEB-INF/lib/hadoop-common-2.7.3.jar</systemPath>
</dependency>
</dependencies>
3. Hive配置
3.1 上传jar包
$ cp ~/hive-jar/hive-server2-2.1.1.jar /apps/svr/hive/apache-hive-2.1.1-bin/lib/
3.2 配置hive-site.xml
$ cd /apps/svr/hive/apache-hive-2.1.1-bin/ && vim conf/hive-site.xml
<property>
<name>hive.server2.thrift.port</name>
<value>10000</value>
</property>
<property>
<name>hive.server2.authentication</name>
<value>CUSTOM</value>
</property>
<property>
<name>hive.server2.custom.authentication.class</name>
<value>org.apache.hive.CustomHiveServer2Auth</value>
</property>
<!-- username:hadoop ; password:hadoop@123456 -->
<property>
<name>hive.jdbc_passwd.auth.hadoop</name>
<value>ad1e4c5f9de2ffb89455da5cc5aa6635</value>
<description/>
</property>
<!-- username:root ; password:root@123456 -->
<property>
<name>hive.jdbc_passwd.auth.root</name>
<value>f5fafdb9ec645a0cbf569e0a4590bacf</value>
<description/>
</property>
4. HiveServer2启动验证
4.1 启动hiveserver2
$ hive --service hiveserver2 &
4.2 验证(任选一用户连接)
$ beeline
beeline> !connect jdbc:hive2://192.168.9.87:10000 root root@123456
beeline> !connect jdbc:hive2://192.168.9.87:10000 hadoop hadoop@123456