Enable SSL on HiveServer2
When using HiveServer2 without Kerberos authentication, you can enable SSL.
Note | |
---|---|
In order to access SSL enabled HDP Services through the Knox Gateway, additional configuration on the Knox Gateway is required, see Apache Knox Gateway Administrator Guide, Gateway Security, Configure Wire Encryption. |
Perform the following steps on the HiveServer2:
Log into the cluster as the hive user. Having hive user permissions when creating the Java keystore file sets up the proper user::group ownership, which allows HiveServer to access the file and prevents HiveServer startup failure.
Run the following command to create a keystore for hiveserver2:
keytool -genkey -alias hbase -keyalg RSA -keysize 1024 -keystore hive.jks
Edit the
hive-site.xml
, set the following properties to enable SSL:<property> <name>hive.server2.use.SSL</name> <value>true</value> <description></description> </property> <property> <name>hive.server2.keystore.path</name> <value>keystore-file-path</value> <description></description> </property> <property> <name>hive.server2.keystore.password</name> <value>keystore-file-password</value> <description></description> </property>
Note When hive.server2.transport.mode is binary and hive.server2.authentication is KERBEROS, SSL encryption does not currently work. Set hive.server2.thrift.sasl.qop to auth-conf to enable encryption
On the client-side, specify SSL settings for Beeline or JDBC client as follows:
jdbc:hive2://<host>:<port>/<database>;ssl=true;sslTrustStore=<path-to-truststore>;trustStorePassword=<password>