2.10 - Hive Target Connector Security Guidelines - Teradata QueryGrid

Teradata® QueryGrid™ Installation and User Guide

prodname: Teradata QueryGrid
vrm_release: 2.10
created_date: September 2019
category: Administration, Configuration, Installation, User Guide
featnum: B035-5991-099K

General

When setting parameters for Hive target connectors in NVP link pairings, make sure the Conf File Paths property is set to the correct pathname. QueryGrid depends heavily on this setting when processing data transfers. See Hive Connector and Link Properties.

Kerberos

You can set up QueryGrid to use Kerberos authentication with a Hive target connector. It uses two forms of authentication with Kerberos:

Username/Password
  The Hive target connector authenticates the username and password against Kerberos before sending the query to the data source.
Username/Keytab
  Hive can be configured to enable Kerberos Keytab authentication.

If you are using a Hive target connector in an NVP link pairing to access a Kerberized Hadoop cluster:
  • Select Kerberos for the Authentication Mechanism property.
  • Set to HS2 Only if only the HiveServer2 is secured (for example, LDAP/CUSTOM/PAM). This is not a common setup.
  • Verify that the Teradata QueryGrid (tdqg) user has permission to run kinit. See Verifying Permission to Run kinit.
    When using Kerberos on CDH, you must set the Hive Kerberos Principal NVP to the correct Kerberos Principal for HiveServer2, not the Kerberos principal for the user connecting to HiveServer2. The setting must be in the primaryname/instancename@realmname format.

Knox (HDP Only)

If enabled, Knox is a security option that serves as a gateway service between Hive and HiveServer2 when configured in the Hive connector properties. The Hive connector connects to the Knox service instead of directly to HiveServer2. Requests from the Hive connector are sent to the Knox service, and Knox then redirects them to HiveServer2. Refer to the Knox and Hortonworks Hadoop (HDP) documentation for how to properly configure Knox.

There is a limitation with Knox when SSL is enabled and Knox is connecting to HiveServer2 using SPNEGO authorization. In this scenario, Knox does not work with Hive.

If you are using a Hortonworks Hadoop database protected by Knox and want the QueryGrid Hive connector to connect through Knox, make sure the following NVP link properties contain the correct values:

Setting                     Description
Knox Connection Password    Password for the Knox connection. Only required when using Knox.
Knox Connection Username    Username for the Knox connection. Only required when using Knox.
Knox Context Path           Knox context path for HS2, for example, gateway/mycluster/hive. Only required when using Knox.
Knox Gateway Host           Knox gateway host. The use of this property indicates that Knox is being used.
Knox Gateway Port           Knox gateway port number. Valid port number values are 1024–65535.
Knox Trust Store Path       Knox trust store path. Only required when using Knox.
Knox Trust Store Password   Knox trust store password. Only required when using Knox.

For more information, see Hive Connector and Link Properties.
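
The following is an added example, not part of the Teradata guide or of QueryGrid: a pre-deployment check that applies the rules stated in the Kerberos and Knox sections (principal format, Knox-required properties, port range) to one link's properties. It assumes the properties are available as a dict keyed by the display names used on this page; `lint_hive_link` and the sample values are hypothetical.

```python
import re

# Assumption: link properties are supplied as a dict keyed by the display
# names used on this page; QueryGrid's internal NVP names may differ.
KNOX_REQUIRED = (
    "Knox Connection Username", "Knox Connection Password",
    "Knox Context Path", "Knox Trust Store Path", "Knox Trust Store Password",
)
# primaryname/instancename@realmname, every part non-empty
PRINCIPAL_RE = re.compile(r"[^/@\s]+/[^/@\s]+@[^/@\s]+")


def lint_hive_link(props):
    """Return findings (property names only, never values) for one link."""
    findings = []
    if not props.get("Conf File Paths"):
        findings.append("Conf File Paths is not set")
    principal = props.get("Hive Kerberos Principal", "")
    if props.get("Authentication Mechanism") == "Kerberos" and principal:
        # A user principal such as name@REALM has no instance part and fails.
        if not PRINCIPAL_RE.fullmatch(principal):
            findings.append("Hive Kerberos Principal is not in "
                            "primaryname/instancename@realmname format")
    knox_set = sorted(k for k, v in props.items() if k.startswith("Knox ") and v)
    if props.get("Knox Gateway Host"):
        # Knox Gateway Host is the property that indicates Knox is in use.
        for name in KNOX_REQUIRED:
            if not props.get(name):
                findings.append(f"{name} is required when using Knox")
        port = str(props.get("Knox Gateway Port", ""))
        if port and not (port.isascii() and port.isdigit()
                         and 1024 <= int(port) <= 65535):
            findings.append("Knox Gateway Port must be in 1024-65535")
    elif knox_set:
        findings.append("Knox properties set without Knox Gateway Host: "
                        + ", ".join(knox_set))
    return findings

SAMPLE = {  # constructed values, not from a real deployment
    "Conf File Paths": "/etc/hive/conf",
    "Authentication Mechanism": "Kerberos",
    "Hive Kerberos Principal": "etl_user@EXAMPLE.COM",
    "Knox Gateway Host": "knox.example.com", "Knox Gateway Port": "443",
    "Knox Context Path": "gateway/mycluster/hive",
    "Knox Connection Username": "qg_knox",
    "Knox Connection Password": "placeholder",
    "Knox Trust Store Path": "/path/to/truststore.jks",
}
```

Calling `lint_hive_link(SAMPLE)` reports the user-style principal, the missing trust store password, and the out-of-range port.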