• KDC服務器配置：

# 安裝KDC服務
yum install krb5-server krb5-libs krb5-workstation# 編輯krb5.conf
[realms]EXAMPLE.COM = {kdc = kdc.example.comadmin_server = kdc.example.com}# 創建Kerberos數據庫
kdb5_util create -s

• Hive服務Principal創建：

kadmin.local -q "addprinc -randkey hive/hiveserver.example.com@EXAMPLE.COM"
kadmin.local -q "ktadd -k /etc/security/keytabs/hive.service.keytab hive/hiveserver.example.com@EXAMPLE.COM"

1. Hive-site.xml配置：

<property><name>hive.server2.authentication</name><value>KERBEROS</value>
</property>
<property><name>hive.server2.authentication.kerberos.principal</name><value>hive/_HOST@EXAMPLE.COM</value>
</property>
<property><name>hive.server2.authentication.kerberos.keytab</name><value>/etc/security/keytabs/hive.service.keytab</value>
</property>

• 客戶端配置：

kinit hiveuser@EXAMPLE.COM
beeline -u "jdbc:hive2://hiveserver.example.com:10000/default;principal=hive/hiveserver.example.com@EXAMPLE.COM"

• 時鐘同步問題：Kerberos要求所有節點時間同步(通常偏差不超過5分鐘)

# 檢查時間同步 
ntpdate -q time.server

• DNS解析問題：確保所有主機名能夠正確解析

hostname -f
getent hosts $(hostname -f)

• Keytab文件權限：確保keytab文件權限適當(通常400)

chmod 400 /etc/security/keytabs/hive.service.keytab

• HiveServer2配置：

<property><name>hive.server2.authentication</name><value>LDAP</value>
</property>
<property><name>hive.server2.authentication.ldap.url</name><value>ldap://ldap.example.com:389</value>
</property>
<property><name>hive.server2.authentication.ldap.baseDN</name><value>ou=people,dc=example,dc=com</value>
</property>

• LDAP用戶搜索配置：

<property><name>hive.server2.authentication.ldap.userDNPattern</name><value>uid=%s,ou=people,dc=example,dc=com</value>
</property>

• LDAP組映射配置：

<property><name>hive.server2.authentication.ldap.groupFilter</name><value>hive-users</value>
</property>

• 定期同步：設置cron任務定期同步LDAP用戶

# 使用ldapsearch獲取用戶列表
ldapsearch -x -H ldap://ldap.example.com -b "ou=people,dc=example,dc=com" "(objectClass=person)" uid

• 用戶組映射：將LDAP組映射到Hive角色

CREATE ROLE ldap_hive_users;
GRANT SELECT ON DATABASE default TO ROLE ldap_hive_users;

• 緩存策略：配置合理的LDAP查詢緩存以減少性能開銷

<property><name>hive.server2.authentication.ldap.cache.enabled</name><value>true</value>
</property>

• Hive支持類似傳統數據庫的GRANT/REVOKE語法：

-- 授予用戶查詢權限
GRANT SELECT ON TABLE sales TO USER analyst;
-- 授予角色權限
CREATE ROLE finance;
GRANT SELECT ON DATABASE financial TO ROLE finance;
GRANT finance TO USER alice;

• Hive可以將權限委托給底層存儲系統(HDFS)：

<property><name>hive.security.authorization.createtable.owner.grants</name><value>ALL</value>
</property>

• 列級授權：

GRANT SELECT(empid, dept) ON TABLE employees TO USER hr_staff;

• 行級過濾：

CREATE VIEW sales_east AS 
SELECT * FROM sales WHERE region = 'east';
GRANT SELECT ON sales_east TO USER east_manager;

<property><name>hive.server2.logging.operation.enabled</name><value>true</value>
</property>
<property><name>hive.server2.logging.operation.log.location</name><value>/var/log/hive/operation_logs</value>
</property>

# 查找敏感操作
grep -i "create table" /var/log/hive/operation_logs/*
# 統計用戶操作
awk -F'|' '{print $3}' /var/log/hive/operation_logs/* | sort | uniq -c

• Kerberos命令：

kinit -kt /path/to/keytab principal 
# 使用keytab認證 
klist 
# 查看當前票據
kdestroy 
# 銷毀票據

• LDAP命令：

ldapsearch -x -H ldap://server -b "dc=example,dc=com" "(uid=user1)"

• Hive權限命令：

SHOW GRANT USER user1 ON TABLE sample_table;
REVOKE SELECT ON DATABASE default FROM ROLE public;