• KDC服务器配置：

# 安装KDC服务
yum install krb5-server krb5-libs krb5-workstation# 编辑krb5.conf
[realms]EXAMPLE.COM = {kdc = kdc.example.comadmin_server = kdc.example.com}# 创建Kerberos数据库
kdb5_util create -s

• Hive服务Principal创建：

kadmin.local -q "addprinc -randkey hive/hiveserver.example.com@EXAMPLE.COM"
kadmin.local -q "ktadd -k /etc/security/keytabs/hive.service.keytab hive/hiveserver.example.com@EXAMPLE.COM"

1. Hive-site.xml配置：

<property><name>hive.server2.authentication</name><value>KERBEROS</value>
</property>
<property><name>hive.server2.authentication.kerberos.principal</name><value>hive/_HOST@EXAMPLE.COM</value>
</property>
<property><name>hive.server2.authentication.kerberos.keytab</name><value>/etc/security/keytabs/hive.service.keytab</value>
</property>

• 客户端配置：

kinit hiveuser@EXAMPLE.COM
beeline -u "jdbc:hive2://hiveserver.example.com:10000/default;principal=hive/hiveserver.example.com@EXAMPLE.COM"

• 时钟同步问题：Kerberos要求所有节点时间同步(通常偏差不超过5分钟)

# 检查时间同步 
ntpdate -q time.server

• DNS解析问题：确保所有主机名能够正确解析

hostname -f
getent hosts $(hostname -f)

• Keytab文件权限：确保keytab文件权限适当(通常400)

chmod 400 /etc/security/keytabs/hive.service.keytab

• HiveServer2配置：

<property><name>hive.server2.authentication</name><value>LDAP</value>
</property>
<property><name>hive.server2.authentication.ldap.url</name><value>ldap://ldap.example.com:389</value>
</property>
<property><name>hive.server2.authentication.ldap.baseDN</name><value>ou=people,dc=example,dc=com</value>
</property>

• LDAP用户搜索配置：

<property><name>hive.server2.authentication.ldap.userDNPattern</name><value>uid=%s,ou=people,dc=example,dc=com</value>
</property>

• LDAP组映射配置：

<property><name>hive.server2.authentication.ldap.groupFilter</name><value>hive-users</value>
</property>

• 定期同步：设置cron任务定期同步LDAP用户

# 使用ldapsearch获取用户列表
ldapsearch -x -H ldap://ldap.example.com -b "ou=people,dc=example,dc=com" "(objectClass=person)" uid

• 用户组映射：将LDAP组映射到Hive角色

CREATE ROLE ldap_hive_users;
GRANT SELECT ON DATABASE default TO ROLE ldap_hive_users;

• 缓存策略：配置合理的LDAP查询缓存以减少性能开销

<property><name>hive.server2.authentication.ldap.cache.enabled</name><value>true</value>
</property>

• Hive支持类似传统数据库的GRANT/REVOKE语法：

-- 授予用户查询权限
GRANT SELECT ON TABLE sales TO USER analyst;
-- 授予角色权限
CREATE ROLE finance;
GRANT SELECT ON DATABASE financial TO ROLE finance;
GRANT finance TO USER alice;

• Hive可以将权限委托给底层存储系统(HDFS)：

<property><name>hive.security.authorization.createtable.owner.grants</name><value>ALL</value>
</property>

• 列级授权：

GRANT SELECT(empid, dept) ON TABLE employees TO USER hr_staff;

• 行级过滤：

CREATE VIEW sales_east AS 
SELECT * FROM sales WHERE region = 'east';
GRANT SELECT ON sales_east TO USER east_manager;

<property><name>hive.server2.logging.operation.enabled</name><value>true</value>
</property>
<property><name>hive.server2.logging.operation.log.location</name><value>/var/log/hive/operation_logs</value>
</property>

# 查找敏感操作
grep -i "create table" /var/log/hive/operation_logs/*
# 统计用户操作
awk -F'|' '{print $3}' /var/log/hive/operation_logs/* | sort | uniq -c

• Kerberos命令：

kinit -kt /path/to/keytab principal 
# 使用keytab认证 
klist 
# 查看当前票据
kdestroy 
# 销毁票据

• LDAP命令：

ldapsearch -x -H ldap://server -b "dc=example,dc=com" "(uid=user1)"

• Hive权限命令：

SHOW GRANT USER user1 ON TABLE sample_table;
REVOKE SELECT ON DATABASE default FROM ROLE public;