2.06 - Hive Target Connector Security Guidelines - Teradata QueryGrid

Teradata® QueryGrid™ Installation and User Guide

Product
Teradata QueryGrid
Release Number
2.06
Published
September 2018
Language
English (United States)
Last Update
2018-11-26
dita:mapPath
blo1527621308305.ditamap
dita:ditavalPath
ft:empty

General

When setting parameters for Hive target connectors in NVP link pairings, make sure the setting of the Conf File Paths property has the correct pathname correct value. QueryGrid heavily depends on this setting when processing data transfers. See Hive Connector and Link Properties.

Kerberos

You can set up QueryGrid to use Kerberos authentication with a Hive target connector. It uses two forms of authentication with Kerberos:

Username/Password
The Hive target connector authenticates the username and password against Kerberos before sending the query to the data source.
Username/Keytab
Hive can be configured to enable Kerberos Keytab authentication.
If you are using a Hive target connector in an NVP link pairing to access a Kerberized Hadoop cluster:
  • Select Kerberos for the Authentication Mechanism property.
  • Set it to HS2 Only if only the HiveServer2 is secured (for example, LDAP/CUSTOM/PAM). This is not a common setup.
  • Verify that the Teradata QueryGrid (tdqg) user has permission to run kinit. See Verifying Permission to Run kinit.

Knox (HDP Only)

The Hive target connector supports most security mechanisms and protocols for Hadoop and HiveServer2. Knox is served as a gateway service between Hive and HiveServer2. The Hive connector connects to the Knox service if Knox is configured in the Hive connector properties. Requests from the Hive connector are sent to the Knox service and Knox then redirects the request to HiveServer2. You must configure the connection between Knox and HiveServer2.

There is a limitation with Knox when SSL is enabled and Knox is connecting to HiveServer2 using SPNEGO authorization. In this scenario, Knox does not work with Hive.

If using Knox on a Hortonworks Hadoop (HDP) implementation, make sure the following NVP link properties contain the correct values:

Setting Description
Authentication Mechanism Required setting.
Username Set only if using Kerberos or HS2-only security.

For example, LDAP, CUSTOM, or PAMs

Password Set only if using Kerberos or HS2-only security.
Conf File Paths Required setting.
Keytab Set only if Kerberos is used and password is not provided.
Knox Gateway Host Set only if using Knox authentication.
Knox Gateway Port Set only if using Knox authentication.
Knox Trust Store Path Set only if using Knox authentication.
Knox Context Path Set only if using Knox authentication.
Knox Trust Store Password Set only if using Knox authentication.
Knox Connection Username Set only if using Knox authentication.
Knox Connection Password Set only if using Knox authentication.

For more information, see Hive Connector and Link Properties.