Engine LDAP Authentication

The Developer Console, as well as the Galactica Hive Engine, can be configured to use LDAP Authentication.

To configure Galactica to use LDAP as an authentication engine, you must use these parameters in the hive-site.xml configuration file

Connection to the LDAP server

<property>
  <name>hive.server2.authentication</name>
  <value>LDAP</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.url</name>
  <value>ldap://<your-ldap-hostname></value>
</property>

XML

User and Group Filter Support with LDAP

User Search list

Indexima supports the User Search List mode available in a Hive server as described here

hive.server2.authentication.ldap.userDNPattern

<property>
  <name>hive.server2.authentication.ldap.userDNPattern</name>
  <value>cn=%s,ou=people,dc=indexima,dc=com</value>
</property>

XML

hive.server2.authentication.ldap.userFilter

This is a comma-separated list of usernames to grant access to. The Atn provider grants access if the user being authenticated is part of this list, and denies access otherwise.

Example:

<property>
  <name>
    hive.server2.authentication.ldap.userFilter
  </name>
  <value>
    hive-admin,hive,hivetest,hive-user
  </value>
</property>

XML

LDAP Groups/ Group Membership

You can use an LDAP construct called a group (groupOfNames or groupOfUniqueNames) to give access to only a few users instead of your whole organizational unit. To do this, you must add the following properties to hive-site.xml configuration file

hive-site.xml

<property>
    <name>hive.server2.authentication.ldap.groupFilter</name>
    <value><GROUP_NAME></value>
</property>
<property>
    <name>hive.server2.authentication.ldap.groupDNPattern</name>
    <value>cn=%s,ou=crews,ou=groups,dc=indexima,dc=org</value>
</property>
<property>
    <name>hive.server2.authentication.ldap.groupClassKey</name>
    <value>groupOfUniqueNames</value>
</property>
<property>
    <name>hive.server2.authentication.ldap.groupMembershipKey</name>
    <value>uniqueMember</value>
</property>

XML

The group DN pattern must be changed accordingly to your own LDAP DN.

The groupClassKey and groupMembershipKey must be changed accordingly to your LDAP Group setup. Accepted values are groupOfUniqueNames and groupOfNames for the class key, and member and uniqueMember for the membership key.

Mode not supported

Indexima does not support the "Custom Query String" mode available in a Hive server as described here