Security options for Hive in Azure HDInsight

This document describes the recommended security options for Hive in HDInsight. These options can be configured through Ambari.

Security Options for Hive

HiveServer2 authentication

For standard clusters, the recommended setting for HiveServer2 authentication is the default, which is none. To enable authentication, we recommend upgrading to an ESP (Enterprise Security Package) cluster.

For ESP clusters, Kerberos authentication is enabled by default. Pluggable Authentication Modules (PAM) and custom authentication schemes are not supported.

HiveServer2 authorization

For standard clusters, the default setting is None. SqlStdAuth (SQL Standards Based Authorization) can be enabled. Authorization through Apache Ranger is not supported for standard clusters. We recommend upgrading to an ESP cluster for Ranger Authorization.

For ESP clusters, authorization through Ranger is enabled by default.

SSL Encryption for HiveServer2

Enabling HiveServer2 SSL is not recommended for either standard or ESP clusters. SSL is enabled on the gateway instead. Encryption in transit can be enabled to encrypt communications among the cluster nodes using Internet Protocol Security (IPSec).
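
The recommendations above can be checked against an exported hive-site.xml. The following is an added example, not code from this documentation or from HDInsight. The property names are real Hive keys, but mapping the Ambari options onto them is an assumption, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Real Hive property names; mapping the page's Ambari options onto these
# hive-site.xml keys is an assumption of this example.
AUTHN = "hive.server2.authentication"
AUTHZ_ON = "hive.security.authorization.enabled"
AUTHZ_MGR = "hive.security.authorization.manager"
SSL = "hive.server2.use.SSL"

# Constructed sample input, not taken from a real cluster.
SAMPLE = """<configuration>
  <property><name>hive.server2.authentication</name><value>PAM</value></property>
  <property><name>hive.server2.use.SSL</name><value>true</value></property>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style configuration document."""
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def audit(xml_text, cluster_type):
    """Return (key, message) deviations for a 'standard' or 'esp' cluster."""
    if cluster_type not in ("standard", "esp"):
        raise ValueError("cluster_type must be 'standard' or 'esp'")
    p = load_props(xml_text)
    authn = p.get(AUTHN, "NONE").upper()  # Hive's default is NONE
    ranger = (p.get(AUTHZ_ON, "false").lower() == "true"
              and "ranger" in p.get(AUTHZ_MGR, "").lower())
    out = []
    if cluster_type == "standard":
        if authn != "NONE":
            out.append((AUTHN, f"{authn}: recommended setting is none; use ESP for authentication"))
        if ranger:
            out.append((AUTHZ_MGR, "Ranger authorization is not supported on standard clusters"))
    else:
        if authn != "KERBEROS":
            out.append((AUTHN, f"{authn}: ESP clusters use Kerberos; PAM and custom are not supported"))
        if not ranger:
            out.append((AUTHZ_MGR, "Ranger authorization is the ESP default but is not active"))
    if p.get(SSL, "false").lower() == "true":
        out.append((SSL, "HiveServer2 SSL is not recommended; SSL is enabled on the gateway"))
    return out

if __name__ == "__main__":
    for key, msg in audit(SAMPLE, "standard"):
        print(f"{key}: {msg}")
```

SqlStdAuth on a standard cluster produces no finding, since the page allows it to be enabled there.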

Next steps