Configuring Encrypted Communication Between Hive and Client Drivers
This topic describes how to set up encrypted communication between HiveServer2 and its clients. Which mechanism you use depends on whether Kerberos authentication is enabled for communication between HiveServer2 and the JDBC/ODBC client drivers.
With Kerberos Enabled
With Kerberos authentication enabled, traffic between the Hive JDBC or ODBC drivers and HiveServer2 can be encrypted using SASL-QOP, which lets you preserve both data integrity (checksums validate each message) and confidentiality (messages are encrypted). For instructions, see Configuring Encrypted Client/Server Communication for Kerberos-enabled HiveServer2 Connections.
Without Kerberos Enabled
If you are using any alternate means of authentication, such as LDAP, between HiveServer2 and its clients, you can configure Secure Sockets Layer (SSL) communication between them. For instructions, see Configuring Encrypted Client/Server Communication for non-Kerberos HiveServer2 Connections. For more information on configuring SSL truststores and keystores, see TLS/SSL Certificates Overview.
Configuring Encrypted Client/Server Communication for Kerberos-enabled HiveServer2 Connections
To enable it, set hive.server2.thrift.sasl.qop in hive-site.xml to the level of protection you want:

  <property>
    <name>hive.server2.thrift.sasl.qop</name>
    <value>auth-conf</value>
    <description>Sasl QOP value; one of 'auth', 'auth-int' and 'auth-conf'</description>
  </property>

The three values are:
- auth: Authentication only (default)
- auth-int: Authentication with integrity protection
- auth-conf: Authentication with confidentiality protection
Clients must request the same QOP level in the connection string; for example, from Beeline:

  !connect jdbc:hive2://ip-10-5-15-197.us-west-2.compute.internal:10000/default; \
    principal=hive/_HOST@US-WEST-2.COMPUTE.INTERNAL;sasl.qop=auth-conf
Configuring Encrypted Client/Server Communication for non-Kerberos HiveServer2 Connections
You can use either Cloudera Manager or the command line to enable SSL encryption for non-Kerberized client connections to HiveServer2.
Using Cloudera Manager
- Open the Cloudera Manager Admin Console and go to the Hive service.
- Click the Configuration tab.
- Select .
- Select .
- In the Search field, type SSL to show the Hive SSL properties.
- Edit the following SSL properties according to your cluster configuration.
  Hive SSL Properties

  Enable TLS/SSL for HiveServer2:
    Enable support for encrypted client-server communication using Secure Sockets Layer (SSL) for HiveServer2 connections. Not applicable for Kerberos-enabled connections.
  HiveServer2 TLS/SSL Server JKS Keystore File Location:
    Path to the SSL keystore.
  HiveServer2 TLS/SSL Server JKS Keystore File Password:
    Password for the keystore.

- Click Save Changes to commit the changes.
- Restart the Hive service.
Using the Command Line
- To enable SSL, add the following configuration parameters to hive-site.xml:

  <property>
    <name>hive.server2.use.SSL</name>
    <value>true</value>
    <description>enable/disable SSL</description>
  </property>
  <property>
    <name>hive.server2.keystore.path</name>
    <value>keystore-file-path</value>
    <description>path to keystore file</description>
  </property>
  <property>
    <name>hive.server2.keystore.password</name>
    <value>keystore-file-password</value>
    <description>keystore password</description>
  </property>
- The keystore must contain the server's certificate.
- The JDBC client must add the following properties to the connection URL when connecting to HiveServer2 using SSL:

  ;ssl=true[;sslTrustStore=<Trust-Store-Path>;trustStorePassword=<Trust-Store-password>]
- Make sure one of the following is true:
  - Either: sslTrustStore points to the trust store file containing the server's certificate; for example:

      jdbc:hive2://localhost:10000/default;ssl=true;\
        sslTrustStore=/home/usr1/ssl/trust_store.jks;trustStorePassword=xyz

  - Or: the trust store arguments are set using the Java system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword; for example:

      java -Djavax.net.ssl.trustStore=/home/usr1/ssl/trust_store.jks -Djavax.net.ssl.trustStorePassword=xyz \
        MyClass jdbc:hive2://localhost:10000/default;ssl=true
For more information on using self-signed certificates and the Trust Store, see the Oracle Java SE keytool page.
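The two procedures above boil down to a handful of hive-site.xml properties and connection-string parameters, and the common failure is leaving one of them at its default (sasl.qop=auth authenticates but does not encrypt; use.SSL=true without a keystore leaves HiveServer2 with nothing to present). The following audit script is an added example, not Cloudera's or Hive's code: it reads the real property hive.server2.authentication (not named above) to decide which branch applies, and runs over constructed hive-site.xml fragments and JDBC URLs.

```python
import xml.etree.ElementTree as ET

# Constructed hive-site.xml fragments (not from any real cluster). The first has Kerberos on
# but leaves hive.server2.thrift.sasl.qop at its default 'auth', so sessions are authenticated
# while the Thrift traffic itself stays unencrypted; the second applies the auth-conf fix.
WEAK_KERBEROS = """<configuration>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.thrift.sasl.qop</name><value>auth</value></property>
</configuration>"""
FIXED_KERBEROS = WEAK_KERBEROS.replace("<value>auth</value>", "<value>auth-conf</value>")

# Constructed LDAP deployment that switched SSL on but never pointed HiveServer2 at a keystore.
WEAK_LDAP = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.use.SSL</name><value>true</value></property>
  <property><name>hive.server2.keystore.path</name><value></value></property>
</configuration>"""

def load_properties(xml_text):
    """Flatten a hive-site.xml document into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit_hive_site(xml_text):
    """Return findings about unencrypted client/server paths; an empty list means OK."""
    props = load_properties(xml_text)
    findings = []
    if props.get("hive.server2.authentication", "NONE").upper() == "KERBEROS":
        qop = props.get("hive.server2.thrift.sasl.qop", "auth")  # 'auth' is Hive's default
        if qop != "auth-conf":
            findings.append(f"sasl.qop={qop}: only auth-conf encrypts the Thrift channel")
    else:
        if props.get("hive.server2.use.SSL", "false").lower() != "true":
            findings.append("hive.server2.use.SSL is not true: non-Kerberos clients use plaintext")
        else:
            for key in ("hive.server2.keystore.path", "hive.server2.keystore.password"):
                if not props.get(key):
                    findings.append(f"{key} is unset: HiveServer2 cannot present a certificate")
    return findings

def jdbc_url_encrypted(url):
    """True if a hive2 JDBC URL requests encryption appropriate to its authentication mode."""
    params = dict(p.split("=", 1) for p in url.split(";")[1:] if "=" in p)
    if "principal" in params:                        # Kerberos: protection comes from SASL QOP
        return params.get("sasl.qop") == "auth-conf"
    return params.get("ssl", "").lower() == "true"   # anything else: TLS/SSL must be requested
```

Run it against the hive-site.xml copied from a HiveServer2 host and against the URLs your client teams publish; any finding means a session that authenticates correctly but can still be read on the wire.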