Securing an endpoint under AutoTLS
The default cluster configuration for HiveServer2 (HS2) with Auto-TLS secures the HS2 Web UI port, but not the JDBC/ODBC endpoint.
Assumptions:
- Auto-TLS with self-signed certificates.
- If the certificates are instead issued by a CA whose root is already trusted by the clients, none of the truststore steps that follow are needed.
When HS2 TLS is enabled (hive.server2.use.SSL=true), the auto-connect feature on gateway servers is not supported. Auto-connect uses /etc/hive/conf/beeline-site.xml to connect automatically to the Cloudera Manager managed HS2 services. Likewise, with hive.server2.use.SSL=true, ZooKeeper discovery mode is not supported, because the HS2 reference stored in ZooKeeper does not include ssl=true or the truststore parameters (for the self-signed certificate) that a client needs to connect over TLS.
The beeline-site.xml file managed for gateways does not include ssl=true or a reference to a truststore containing the CA for the self-signed TLS certificates used by ZooKeeper or HiveServer2, so a client that relies on it attempts a plaintext connection and fails.
The best practice under the default configuration is to have all external clients connect to Hive (JDBC/ODBC) through the Apache Knox proxy. With TLS enabled through Auto-TLS with a self-signed certificate, you can use the JKS file downloaded from Knox as the client truststore for the Knox host. That truststore validates only the Knox gateway certificate, not HS2 directly. Because the Knox and HS2 server certificates are issued by the same Auto-TLS CA, Knox itself connects to HS2 without further adjustments.
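The gap described above can be checked mechanically. The following script is an added example and is not part of the original page or of any Cloudera or Knox tooling: it reads a constructed beeline-site.xml shaped like the gateway file, confirms that the ZooKeeper discovery URL carries no ssl=true, and builds explicit JDBC URLs that do, one direct to an HS2 host (truststore holding the Auto-TLS CA) and one through Knox (truststore holding the Knox gateway certificate, HTTP transport). The hostnames, ports, truststore paths, password and the Knox topology name cdp-proxy-api are assumptions; substitute your own values.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: check whether a gateway's
# beeline-site.xml carries ssl=true, and build explicit JDBC URLs that do.
# Hostnames, truststore paths, passwords and the Knox topology name are assumptions.
set -eu

# Constructed sample of a Cloudera Manager style beeline-site.xml: ZooKeeper
# discovery, no ssl=true and no truststore, as described above.
SAMPLE_BEELINE_SITE='<configuration>
  <property>
    <name>beeline.hs2.jdbc.url.container</name>
    <value>jdbc:hive2://zk1.example.com:2181,zk2.example.com:2181/default;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2</value>
  </property>
  <property>
    <name>beeline.hs2.jdbc.url.default</name>
    <value>container</value>
  </property>
</configuration>'

# Print the <value> of the named <property> read from stdin. Line-oriented
# parsing: enough for the one-element-per-line files Cloudera Manager writes.
beeline_site_value() {
  awk -v n="$1" '
    /<name>/  { gsub(/.*<name>|<\/name>.*/, "");  cur = $0; next }
    /<value>/ { if (cur == n) { gsub(/.*<value>|<\/value>.*/, ""); print; exit } }'
}

# Succeed (exit 0) when a hive2 JDBC URL already requests TLS.
url_has_tls() {
  case ";$1;" in *";ssl=true;"*) return 0 ;; *) return 1 ;; esac
}

# Direct URL to one HS2 host, bypassing ZooKeeper discovery. The truststore
# must contain the Auto-TLS CA that signed the HS2 certificate.
hs2_direct_url() {
  host=$1; truststore=$2; password=$3; port=${4:-10000}
  printf 'jdbc:hive2://%s:%s/default;ssl=true;sslTrustStore=%s;trustStorePassword=%s\n' \
    "$host" "$port" "$truststore" "$password"
}

# URL through the Knox gateway: HTTP transport, truststore holding the Knox
# gateway certificate (the jks downloaded from Knox). httpPath depends on the
# topology; gateway/cdp-proxy-api/hive is an assumed default here.
hs2_knox_url() {
  knoxhost=$1; truststore=$2; password=$3; port=${4:-8443}; topology=${5:-cdp-proxy-api}
  printf 'jdbc:hive2://%s:%s/default;ssl=true;sslTrustStore=%s;trustStorePassword=%s;transportMode=http;httpPath=gateway/%s/hive\n' \
    "$knoxhost" "$port" "$truststore" "$password" "$topology"
}

# Inspect the container URL; if it lacks ssl=true, auto-connect would open a
# plaintext connection to a TLS-only HS2, so print explicit replacements.
check_gateway_config() {
  url=$(printf '%s\n' "$SAMPLE_BEELINE_SITE" | beeline_site_value beeline.hs2.jdbc.url.container)
  if url_has_tls "$url"; then
    echo "beeline-site.xml URL already requests TLS: $url"
    return 0
  fi
  echo "WARNING: no ssl=true in beeline-site.xml URL; auto-connect will fail against TLS HS2:"
  echo "  $url"
  echo "Connect with an explicit URL instead, e.g. beeline -u '<url>':"
  echo "  direct: $(hs2_direct_url hs2-1.example.com /path/to/truststore.jks changeit)"
  echo "  knox:   $(hs2_knox_url knox.example.com /path/to/gateway.jks changeit)"
  return 1
}

check_gateway_config || true
```

Putting trustStorePassword in the URL exposes it in shell history and the process list; for interactive use, keep the connection parameters in beeline-hs2-connection.xml with restrictive file permissions instead of typing them on the command line.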
To connect through Knox: