Enabling SASL in HiveServer

You can provide a Quality of Protection (QOP) that is higher than the cluster-wide default using SASL (Simple Authentication and Security Layer).

By default, HiveServer2 uses hadoop.rpc.protection for its QOP value. Setting hadoop.rpc.protection to a higher level than the one HiveServer (HS2) uses does not usually make sense. HiveServer ignores hadoop.rpc.protection in favor of hive.server2.thrift.sasl.qop.

To determine the value of hadoop.rpc.protection, in Cloudera Manager click Clusters > HDFS > Configuration > Hadoop, and search for hadoop.rpc.protection.

If you want to provide a higher QOP than the default, set one of the SASL Quality of Protection (QOP) levels as shown in the following table:

| QOP level | Description |
|-----------|-------------|
| auth      | Default. Authentication only. |
| auth-int  | Authentication with integrity protection. Signed message digests (checksums) verify the integrity of messages sent between client and server. |
| auth-conf | Authentication with confidentiality (transport-layer encryption) and integrity. Applicable only if HiveServer is configured to use Kerberos authentication. |

  1. In Cloudera Manager, navigate to Clusters > Hive > Configuration.
  2. In HiveServer2 Advanced Configuration Snippet (Safety Valve) for hive-site, click + to add a property and value.
  3. Specify the QOP auth-conf setting for the SASL QOP property.
    For example,

    Name: hive.server2.thrift.sasl.qop

    Value: auth-conf

  4. Click Save Changes.
  5. Restart the Hive service.
  6. Construct a connection string for encrypting communications using SASL.
    jdbc:hive2://fqdn.example.com:10000/default;principal=hive/_HOST@EXAMPLE.COM;saslqop=auth-conf
    The _HOST is a wildcard placeholder that gets automatically replaced with the fully qualified domain name (FQDN) of the server running the HiveServer daemon process.
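
The following check is an added example, not part of the original procedure or Cloudera's tooling. It reads hive.server2.thrift.sasl.qop from hive-site.xml text and the saslqop session variable from a JDBC URL, then reports any side that is below auth-conf, any difference between the two, and an auth-conf request that carries no Kerberos principal. Assumptions: an unset value on either side is treated as auth, URL keys are compared case-insensitively, and the function names and sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET

QOP_LEVELS = ("auth", "auth-int", "auth-conf")  # weakest to strongest, as in the table
QOP_PROPERTY = "hive.server2.thrift.sasl.qop"

def server_qop(hive_site_xml):
    """Read the QOP from hive-site.xml text; unset is treated as 'auth' (assumption)."""
    for prop in ET.fromstring(hive_site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == QOP_PROPERTY:
            return (prop.findtext("value") or "").strip()
    return "auth"

def session_vars(jdbc_url):
    """Return the ;key=value session variables of a jdbc:hive2:// URL, keys lowercased."""
    if not jdbc_url.startswith("jdbc:hive2://"):
        raise ValueError("not a HiveServer2 JDBC URL")
    head = jdbc_url.split("?", 1)[0].split("#", 1)[0]  # drop any conf/var lists
    pairs = (item.split("=", 1) for item in head.split(";")[1:] if "=" in item)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def check_qop(hive_site_xml, jdbc_url, required="auth-conf"):
    """Return a list of findings; an empty list means both sides meet `required`."""
    findings = []
    server = server_qop(hive_site_xml)
    params = session_vars(jdbc_url)
    client = params.get("saslqop", "auth")  # missing is treated as 'auth' (assumption)
    for side, qop in (("server", server), ("client", client)):
        if qop not in QOP_LEVELS:
            findings.append(f"{side}: unknown QOP {qop!r}")
        elif QOP_LEVELS.index(qop) < QOP_LEVELS.index(required):
            findings.append(f"{side}: QOP {qop} is below {required}")
    if server != client:
        findings.append(f"mismatch: server={server}, client={client}")
    if client == "auth-conf" and "principal" not in params:
        findings.append("client: auth-conf requested without a Kerberos principal")
    return findings

# Constructed sample input mirroring the property and connection string shown above.
SAMPLE_HIVE_SITE = """<configuration>
  <property>
    <name>hive.server2.thrift.sasl.qop</name>
    <value>auth-conf</value>
  </property>
</configuration>"""
SAMPLE_URL = ("jdbc:hive2://fqdn.example.com:10000/default;"
              "principal=hive/_HOST@EXAMPLE.COM;saslqop=auth-conf")

if __name__ == "__main__":
    print(check_qop(SAMPLE_HIVE_SITE, SAMPLE_URL) or "OK: both sides use auth-conf")
```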