Configuring Encrypted Communication Between HiveServer2 and Client Drivers
Starting with CDH 5.5, encryption for HiveServer2 clients has been decoupled from the authentication mechanism. This means you can use either SASL QOP or TLS/SSL to encrypt traffic between HiveServer2 and its clients, irrespective of whether Kerberos is being used for authentication. Previously, the JDBC client drivers only supported SASL QOP encryption on Kerberos-authenticated connections.
SASL QOP encryption is better suited for encrypting RPC communication and may result in performance issues when dealing with large amounts of data. Move to using TLS/SSL encryption to avoid such issues.
This topic describes how to set up encrypted communication between HiveServer2 and its JDBC/ODBC client drivers.
Configuring Encrypted Client/Server Communication Using TLS/SSL
You can use either the Cloudera Manager or the command-line instructions described below to enable TLS/SSL encryption for JDBC/ODBC client connections to HiveServer2. For background information on setting up TLS/SSL truststores and keystores, see TLS/SSL Overview.
Using Cloudera Manager
- Open the Cloudera Manager Admin Console and go to the Hive service.
- Click the Configuration tab.
- Select .
- Select .
- In the Search field, type TLS/SSL to show the Hive properties.
- Edit the following properties according to your cluster configuration.
Hive TLS/SSL Properties Property Description Enable TLS/SSL for HiveServer2 Enable support for encrypted client-server communication using Transport Layer Security (TLS) for HiveServer2 connections. HiveServer2 TLS/SSL Server JKS Keystore File Location Path to the TLS keystore. HiveServer2 TLS/SSL Server JKS Keystore File Password Password for the TLS keystore. - Click Save Changes to commit the changes.
- Restart the Hive service.
Using the Command Line
-
To enable TLS/SSL, add the following configuration parameters to hive-site.xml :
<property> <name>hive.server2.use.SSL</name> <value>true</value> <description>enable/disable SSL </description> </property> <property> <name>hive.server2.keystore.path</name> <value>keystore-file-path</value> <description>path to keystore file</description> </property> <property> <name>hive.server2.keystore.password</name> <value>keystore-file-password</value> <description>keystore password</description> </property>
-
The keystore must contain the server's certificate.
-
The JDBC client must add the following properties in the connection URL when connecting to a HiveServer2 using TLS/SSL:
;ssl=true[;sslTrustStore=<Trust-Store-Path>;trustStorePassword=<Trust-Store-password>]
-
Make sure one of the following is true:
- Either: sslTrustStore points to the truststore file containing the server's certificate; for example:
jdbc:hive2://localhost:10000/default;ssl=true;\ sslTrustStore=/home/usr1/ssl/trust_store.jks;trustStorePassword=xyz
- or: the Trust Store arguments are set using the Java system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword; for example:
java -Djavax.net.ssl.trustStore=/home/usr1/ssl/trust_store.jks -Djavax.net.ssl.trustStorePassword=xyz \ MyClass jdbc:hive2://localhost:10000/default;ssl=true
- Either: sslTrustStore points to the truststore file containing the server's certificate; for example:
For more information on using self-signed certificates and the Trust Store, see the Oracle Java SE keytool page.
Configuring Encrypted Client/Server Communication Using SASL QOP
<property> <name>hive.server2.thrift.sasl.qop</name> <value>auth-conf</value> <description>Sasl QOP value; one of 'auth', 'auth-int' and 'auth-conf'</description> </property>
- auth: Authentication only (default)
- auth-int: Authentication with integrity protection
- auth-conf: Authentication with confidentiality protection
!connect jdbc:hive2://ip-10-5-15-197.us-west-2.compute.internal:10000/default; \ principal=hive/_HOST@US-WEST-2.COMPUTE.INTERNAL;sasl.qop=auth-conf