Set up Hive
You need your Hadoop administrator to run these commands.
Configure authentication and permissions for Atlan to connect to your Hive database and extract metadata.
Choose authentication mechanism
Atlan supports the following authentication mechanisms for Hive. Choose one and configure it according to the steps below.
- Basic authentication
- Kerberos authentication
Use basic authentication for development environments or when Kerberos infrastructure isn't available. For production environments, Kerberos authentication is recommended.
Create user
Hive doesn't provide a built-in command to create users. User creation depends on how HiveServer2 is configured (operating system, LDAP, or custom authentication). When HiveServer2 uses OS-level authentication, create a Linux user to connect to Hive:
sudo useradd -m atlan_hive_user
sudo passwd atlan_hive_user
Replace atlan_hive_user with the username for your Atlan connection. For other authentication backends (for example, LDAP), create the user in the appropriate directory or identity store. For details, see Setting up HiveServer2 in the Apache Hive documentation.
Kerberos provides secure, ticket-based authentication for production Hive deployments. Use this method when your Hive cluster is configured with Kerberos security.
Prerequisites
Before configuring Kerberos authentication:
- Your Hive cluster must be configured with Kerberos security enabled
- You need Hadoop administrator privileges to create service principals and generate keytab files
Create Kerberos principal
Create a dedicated user principal for Atlan to authenticate with Hive:
kadmin.local -q "addprinc [email protected]"
- Replace YOUR.REALM with your Kerberos realm name (for example, ATLAN.LOCAL)
- The principal format is username@REALM
Generate keytab file
Generate a keytab file for the principal:
kadmin.local -q "xst -k /path/to/atlan_user.keytab [email protected]"
- Replace /path/to/atlan_user.keytab with the desired output path
- This creates a binary keytab file containing encrypted Kerberos keys
- Keep this file secure—anyone with this file can authenticate without a password
Prepare krb5.conf file
Create or obtain a krb5.conf file that defines your Kerberos realm and key distribution center (KDC) settings. This file is required for Atlan to authenticate using Kerberos. Typically it includes [libdefaults], [realms], and [domain_realm] sections. Use the same krb5.conf that your Hive cluster uses, or create one that points to your organization's KDC. Keep the file secure and upload it when configuring the Hive connector in Atlan.
Test keytab locally
Before uploading to Atlan, verify the keytab works:
kinit -kt /path/to/atlan_user.keytab [email protected]
klist
Verify a valid ticket appears for your principal.
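A file-level check to run alongside the kinit test, since anyone holding the keytab can authenticate as the principal. This is an added example, not part of Atlan's documentation: check_keytab is a hypothetical helper name, and the accepted modes (400 or 600) are an assumption about your local policy.

```shell
#!/bin/sh
# Added example: pre-upload safety check for a Kerberos keytab file.
# check_keytab is a hypothetical helper, not an Atlan or MIT Kerberos command.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the keytab passes all checks; otherwise print a reason and return 1.
check_keytab() {
    kt=$1
    if [ -L "$kt" ]; then
        echo "FAIL: $kt is a symlink; check the real file instead" >&2
        return 1
    fi
    if [ ! -f "$kt" ]; then
        echo "FAIL: $kt is not a regular file" >&2
        return 1
    fi
    # A keytab starts with byte 0x05 followed by format version 0x01 or 0x02.
    magic=$(od -An -tx1 -N2 "$kt" | tr -d ' \n')
    case $magic in
        0501|0502) ;;
        *) echo "FAIL: $kt does not start with a keytab header" >&2
           return 1 ;;
    esac
    # Any group or other permission bit lets another local account copy the keys.
    mode=$(file_mode "$kt")
    case $mode in
        400|600) ;;
        *) echo "FAIL: $kt has mode $mode; restrict it with chmod 600" >&2
           return 1 ;;
    esac
    echo "OK: $kt (mode $mode, keytab header $magic)"
}

# Usage: sh check_keytab.sh /path/to/atlan_user.keytab
if [ $# -gt 0 ]; then
    check_keytab "$1"
fi
```

The header check only confirms the file is a keytab at all; kinit and klist remain the test that the keys inside are valid for your principal.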
Grant read permission on objects
Grant read permission on objects with the following commands:
GRANT SELECT ON DATABASE <database_name> TO USER <username>;
Atlan requires read permission for all the objects you want to crawl in Hive.
Verify configuration
Before proceeding to crawl metadata:
- Confirm the Hive user has access to the necessary database objects (for example, SELECT on the databases and tables you want to crawl).
- Validate authentication using the keytab file: run kinit -kt /path/to/your.keytab principal@REALM and then connect to HiveServer2 with a Hive client to confirm the credentials work.
Next steps
Now that you've configured authentication for Hive, you're ready to: