Hadoop Security Guide

Enable SSL on HiveServer2

When using HiveServer2 without Kerberos authentication, you can enable SSL.

Note

To access SSL-enabled HDP services through the Knox Gateway, additional configuration on the Knox Gateway is required; see Apache Knox Gateway Administrator Guide, Gateway Security, Configure Wire Encryption.

Perform the following steps on the HiveServer2:

  1. Run the following command to create a keystore for HiveServer2:

    keytool -genkey -alias hbase -keyalg RSA -keysize 2048 -keystore hbase.jks
  2. Edit hive-site.xml and set the following properties to enable SSL:

    <property>
      <name>hive.server2.use.SSL</name>
      <value>true</value>
      <description></description>
    </property>
     
    <property>
      <name>hive.server2.keystore.path</name>
      <value>keystore-file-path</value>
      <description></description>
    </property>
    
    <property>
      <name>hive.server2.keystore.password</name>
      <value>keystore-file-password</value>
      <description></description>
    </property>

    Note

    When hive.server2.transport.mode is binary and hive.server2.authentication is KERBEROS, SSL encryption does not currently work. Set hive.server2.thrift.sasl.qop to auth-conf to enable encryption.

  3. On the client side, specify SSL settings for the Beeline or JDBC client as follows:

    jdbc:hive2://<host>:<port>/<database>;ssl=true;sslTrustStore=<path-to-truststore>;trustStorePassword=<password>
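
A pre-deployment check for the hive-site.xml settings from step 2 and the Kerberos note, as an added example (not part of the original guide or of Hive itself). The function names, the sample documents, and the defaults assumed for absent properties (binary, NONE, auth) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Placeholder values from the documentation template; they must be replaced.
PLACEHOLDERS = {"keystore-file-path", "keystore-file-password"}

def load_props(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit(xml_text):
    """Return a list of findings; an empty list means wire encryption is set up."""
    props = load_props(xml_text)
    findings = []
    # Assumed defaults when a property is absent: binary / NONE / auth.
    mode = props.get("hive.server2.transport.mode", "binary").lower()
    auth = props.get("hive.server2.authentication", "NONE").upper()
    if mode == "binary" and auth == "KERBEROS":
        # Per the note: SSL does not work here, so SASL QOP must provide encryption.
        if props.get("hive.server2.thrift.sasl.qop", "auth").lower() != "auth-conf":
            findings.append("binary+KERBEROS: set hive.server2.thrift.sasl.qop to auth-conf")
        return findings
    if props.get("hive.server2.use.SSL", "false").lower() != "true":
        findings.append("hive.server2.use.SSL is not true")
    for key in ("hive.server2.keystore.path", "hive.server2.keystore.password"):
        value = props.get(key, "")
        if not value or value in PLACEHOLDERS:
            findings.append(f"{key} is unset or still a placeholder")
    return findings

def site(props):
    """Build a minimal hive-site.xml document from a dict (constructed test input)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample inputs, not taken from a real cluster.
TEMPLATE = site({"hive.server2.use.SSL": "true",
                 "hive.server2.keystore.path": "keystore-file-path",
                 "hive.server2.keystore.password": "keystore-file-password"})
KERBEROS_BINARY = site({"hive.server2.authentication": "KERBEROS",
                        "hive.server2.use.SSL": "true"})

if __name__ == "__main__":
    for label, doc in (("template", TEMPLATE), ("kerberos+binary", KERBEROS_BINARY)):
        print(label, audit(doc) or "OK")
```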