Listen:
In Hive 0.11 HiveServer2 [2] was introduced, its time to switch from the old Hive CLI to the modern version. Why?
First, security [1]. Hive CLI bypasses the Apache HiveServer2 and calls a MR job directly. This behavior compromises any security projects like Apache Sentry [3]. With HiveServer2 the Kerberos impersonation brings fine granulated security down to HiveSQL. Its possible to enable a strong security layer with Kerberos, Apache Sentry [3] and Apache HDFS ACL [4], like other DWHs have.
Second, HiveServer2 brings connection concurrency to Hive. This allows multiple connections from different users and clients per JDBC (remote and per Beeline) over Thrift.
Third, the Hive CLI command could be deprecated in the future, this is discussed within the Hive Developer Community.
For the first steps a beeline connection can be established per
beeline -u jdbc:hive2://<SERVER>:<PORT>/<DB> -n USERNAME -p PASSWORD
The URI describes the JDBC connection string, followed by the database the user want to query. The same string can be used for remote JDBC connections, too. Additional, the connection parameters are easy to default in a Kerberos enabled environment per .bashrc like
alias hive2='beeline -u jdbc:hive2://HOST:PORT/DB -n $USER'
(The use of hive should be prohibited (per chmod 700, as example) to avoid bypassing HiveServer2.)
All leading distributions have HiveServer2 included, and the use of Beeline is well documented and pretty easy. Cloudera wrote a great Blogpost [5] about a migration from Hive CLI to Beeline, additional client information are available in the Beeline-Wiki [7]. Beeline and HS2 works in a multi-tenant Tez environment [8].
export HADOOP_CLIENT_OPTS="-Djline.terminal=jline.UnsupportedTerminal"
nohup beeline -u jdbc:hive2://<HOST>:<PORT>/DB -n <USER> -p <PASS> -d org.apache.hive.jdbc.HiveDriver -f hql_script &”
First, security [1]. Hive CLI bypasses the Apache HiveServer2 and calls a MR job directly. This behavior compromises any security projects like Apache Sentry [3]. With HiveServer2 the Kerberos impersonation brings fine granulated security down to HiveSQL. Its possible to enable a strong security layer with Kerberos, Apache Sentry [3] and Apache HDFS ACL [4], like other DWHs have.
Second, HiveServer2 brings connection concurrency to Hive. This allows multiple connections from different users and clients per JDBC (remote and per Beeline) over Thrift.
Third, the Hive CLI command could be deprecated in the future, this is discussed within the Hive Developer Community.
For the first steps a beeline connection can be established per
beeline -u jdbc:hive2://<SERVER>:<PORT>/<DB> -n USERNAME -p PASSWORD
The URI describes the JDBC connection string, followed by the database the user want to query. The same string can be used for remote JDBC connections, too. Additional, the connection parameters are easy to default in a Kerberos enabled environment per .bashrc like
alias hive2='beeline -u jdbc:hive2://HOST:PORT/DB -n $USER'
(The use of hive should be prohibited (per chmod 700, as example) to avoid bypassing HiveServer2.)
All leading distributions have HiveServer2 included, and the use of Beeline is well documented and pretty easy. Cloudera wrote a great Blogpost [5] about a migration from Hive CLI to Beeline, additional client information are available in the Beeline-Wiki [7]. Beeline and HS2 works in a multi-tenant Tez environment [8].
Snippets
Use Beeline in background [6]:
export HADOOP_CLIENT_OPTS="-Djline.terminal=jline.UnsupportedTerminal"
nohup beeline -u jdbc:hive2://<HOST>:<PORT>/DB -n <USER> -p <PASS> -d org.apache.hive.jdbc.HiveDriver -f hql_script &”
Query a table per CLI:
beeline -u jdbc:hive2://<HOST>:<PORT>/DB -n <USER> -p <PASS> -e "select count(*) from (select a.sender, a.recipient, b.recipient as c from transactions a join transactions b on a.recipient = b.sender where a.time < b.time and b.time - a.time < 5) i;"
Links:
[1] http://blog.cloudera.com/blog/2013/07/how-hiveserver2-brings-security-and-concurrency-to-apache-hive/
[2] https://issues.apache.org/jira/browse/HIVE-2935
[3] https://blogs.apache.org/sentry/entry/getting_started
[4] http://hortonworks.com/blog/hdfs-acls-fine-grained-permissions-hdfs-files-hadoop/
[5] http://blog.cloudera.com/blog/2014/02/migrating-from-hive-cli-to-beeline-a-primer/
[6] http://goo.gl/s0C0Sj
[7] https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients
[8] http://dev.hortonworks.com.s3.amazonaws.com/HDPDocuments/HDP2/HDP-2.1.2/bk_installing_manually_book/content/rpm-chap-tez-configure_hive_for_tez.html
[1] http://blog.cloudera.com/blog/2013/07/how-hiveserver2-brings-security-and-concurrency-to-apache-hive/
[2] https://issues.apache.org/jira/browse/HIVE-2935
[3] https://blogs.apache.org/sentry/entry/getting_started
[4] http://hortonworks.com/blog/hdfs-acls-fine-grained-permissions-hdfs-files-hadoop/
[5] http://blog.cloudera.com/blog/2014/02/migrating-from-hive-cli-to-beeline-a-primer/
[6] http://goo.gl/s0C0Sj
[7] https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients
[8] http://dev.hortonworks.com.s3.amazonaws.com/HDPDocuments/HDP2/HDP-2.1.2/bk_installing_manually_book/content/rpm-chap-tez-configure_hive_for_tez.html
Comments
Post a Comment