Enable SASL in HiveServer

You can encrypt client-server communications between HiveServer and its clients using SASL (Simple Authentication and Security Layer).

SASL is a framework for authentication and data security and an alternative to a protocol like TLS/SSL. SASL offers three different Quality of Protection (QOP) levels as shown in the following table:

| QOP setting | Description |
|---|---|
| auth | Default. Authentication only. |
| auth-int | Authentication with integrity protection. Signed message digests (checksums) verify the integrity of messages sent between client and server. |
| auth-conf | Authentication with confidentiality (transport-layer encryption). Use this setting for encrypted communications from clients to HiveServer. |

  1. In Cloudera Manager, navigate to Clusters > HIVE_ON_TEZ-1 > Configuration.
  2. In HiveServer2 Advanced Configuration Snippet (Safety Valve) for hive-site, click + to add a property and value.
  3. Specify the QOP auth-conf setting for the SASL QOP property.
    For example:

    Name: hive.server2.thrift.sasl.qop
    Value: auth-conf

  4. Click Save Changes.
  5. Restart the Hive service.
  6. Construct a connection string for encrypting communications using SASL.
    jdbc:hive2://fqdn.example.com:10000/default;principal=hive/_HOST@EXAMPLE.COM;sasl.qop=auth-conf
    The _HOST is a wildcard placeholder that gets automatically replaced with the fully qualified domain name (FQDN) of the server running the HiveServer daemon process.
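
The following check is an added example, not part of the Cloudera documentation: it reads the hive-site property from step 3 and the connection string from step 6 and reports whether both sides request auth-conf. The sample hive-site XML and the function names are constructed for illustration, and only the sasl.qop key shown on this page is recognized in the connection string.

```python
import xml.etree.ElementTree as ET

QOP_KEY = "hive.server2.thrift.sasl.qop"
QOP_LEVELS = ("auth", "auth-int", "auth-conf")  # the three levels in the table

# Constructed sample: hive-site fragment as it would look after steps 2-3.
SAMPLE_HIVE_SITE = """<configuration>
  <property>
    <name>hive.server2.thrift.sasl.qop</name>
    <value>auth-conf</value>
  </property>
</configuration>"""
SAMPLE_URL = ("jdbc:hive2://fqdn.example.com:10000/default;"
              "principal=hive/_HOST@EXAMPLE.COM;sasl.qop=auth-conf")

def server_qop(hive_site_xml):
    """Return the server QOP; 'auth' (the documented default) if unset."""
    value = "auth"
    for prop in ET.fromstring(hive_site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == QOP_KEY:
            value = (prop.findtext("value") or "").strip()  # last entry wins
    return value

def client_qop(jdbc_url):
    """Return sasl.qop from the ';'-separated session variables, or None."""
    # Drop the optional '#hive_var' and '?hive_conf' tails before splitting.
    head = jdbc_url.split("#", 1)[0].split("?", 1)[0]
    for item in head.split(";")[1:]:  # item 0 is host:port/database
        key, _, val = item.partition("=")
        if key.strip() == "sasl.qop":
            return val.strip()
    return None

def audit(hive_site_xml, jdbc_url):
    """List findings; an empty list means both sides request auth-conf."""
    findings = []
    srv, cli = server_qop(hive_site_xml), client_qop(jdbc_url)
    if srv not in QOP_LEVELS:
        findings.append(f"server: unknown QOP value {srv!r}")
    elif srv != "auth-conf":
        findings.append(f"server: {QOP_KEY}={srv}, traffic is not encrypted")
    if cli is None:
        findings.append("client: sasl.qop missing from connection string")
    elif cli != srv:
        findings.append(f"client: sasl.qop={cli} does not match server {srv}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_HIVE_SITE, SAMPLE_URL) or "OK: auth-conf on both sides")
```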