Enabling SASL in HiveServer
You can provide a Quality of Protection (QOP) that is higher than the cluster-wide default using SASL (Simple Authentication and Security Layer).
HiveServer2 by default uses
hadoop.rpc.protection for its QOP value.
hadoop.rpc.protection to a higher level than HiveServer
(HS2) does not usually make sense. HiveServer ignores
hadoop.rpc.protection in favor of
You can determine the value of
hadoop.rpc.protection: In Cloudera
Manager, click , and search for
If you want to provide a higher QOP than the default, set one of the SASL Quality of Protection (QOP) levels as shown in the following table:
||Default. Authentication only.|
||Authentication with integrity protection. Signed message digests (checksums) verify the integrity of messages sent between client and server.|
||Authentication with confidentiality (transport-layer encryption) and integrity. Applicable only if HiveServer is configured to use Kerberos authentication.|
- In Cloudera Manager, navigate to .
- In HiveServer2 Advanced Configuration Snippet (Safety Valve) for hive-site click + to add a property and value.
Specify the QOP
auth-confsetting for the SASL QOP property.For example,
- Click Save Changes.
- Restart the Hive service.
Construct a connection string for encrypting communications using SASL.
jdbc:hive2://fqdn.example.com:10000/default;principal=hive/_HOST@EXAMPLE.COM;saslqop=auth-confThe _HOST is a wildcard placeholder that gets automatically replaced with the fully qualified domain name (FQDN) of the server running the HiveServer daemon process.