Securing Apache HivePDF version

Enabling SASL in HiveServer

You can provide a Quality of Protection (QOP) that is higher than the cluster-wide default using SASL (Simple Authentication and Security Layer).

HiveServer2 by default uses hadoop.rpc.protection for its QOP value. Setting hadoop.rpc.protection to a higher level than HiveServer (HS2) does not usually make sense. HiveServer ignores hadoop.rpc.protection in favor of hive.server2.thrift.sasl.qop.

You can determine the value of hadoop.rpc.protection: In Cloudera Manager, click Clusters > HDFS > Configuration > Hadoop, and search for hadoop.rpc.protection.

If you want to provide a higher QOP than the default, set one of the SASL Quality of Protection (QOP) levels as shown in the following table:

auth Default. Authentication only.
auth-int Authentication with integrity protection. Signed message digests (checksums) verify the integrity of messages sent between client and server.
auth-conf Authentication with confidentiality (transport-layer encryption) and integrity. Applicable only if HiveServer is configured to use Kerberos authentication.
  1. In Cloudera Manager, navigate to Clusters > Hive > Configuration.
  2. In HiveServer2 Advanced Configuration Snippet (Safety Valve) for hive-site click + to add a property and value.
  3. Specify the QOP auth-conf setting for the SASL QOP property.
    For example,

    Name:hive.server2.thrift.sasl.qop

    Value: auth-conf

  4. Click Save Changes.
  5. Restart the Hive service.
  6. Construct a connection string for encrypting communications using SASL. 
    jdbc:hive2://fqdn.example.com:10000/default;principal=hive/_HOST@EXAMPLE.COM;saslqop=auth-conf
    The _HOST is a wildcard placeholder that gets automatically replaced with the fully qualified domain name (FQDN) of the server running the HiveServer daemon process.

We want your opinion

How can we improve this page?

What kind of feedback do you have?