Enable SASL in HiveServer

You can provide a Quality of Protection (QOP) that is higher than the cluster-wide default using SASL (Simple Authentication and Security Layer).

HiveServer2 by default uses hadoop.rpc.protection for its QOP value. Setting hadoop.rpc.protection to a higher level than HiveServer (HS2) does not usually make sense. HiveServer ignores hadoop.rpc.protection in favor of hive.server2.thrift.sasl.qop.

You can determine the value of hadoop.rpc.protection: In Cloudera Manager, click Clusters > HDFS > Configuration > Hadoop, and search for hadoop.rpc.protection.

If you want to provide a higher QOP than the default, set one of the SASL Quality of Protection (QOP) levels as shown in the following table:


`auth`	Default. Authentication only.
`auth-int`	Authentication with integrity protection. Signed message digests (checksums) verify the integrity of messages sent between client and server.
`auth-conf`	Authentication with confidentiality (transport-layer encryption) and integrity. Applicable only if HiveServer is configured to use Kerberos authentication.

In Cloudera Manager, navigate to Clusters > Hive > Configuration.
In HiveServer2 Advanced Configuration Snippet (Safety Valve) for hive-site click + to add a property and value.
Specify the QOP auth-conf setting for the SASL QOP property.
For example,
Name:hive.server2.thrift.sasl.qop
Value: auth-conf
Click Save Changes.
Restart the Hive service.
Construct a connection string for encrypting communications using SASL.
```
jdbc:hive2://fqdn.example.com:10000/default;principal=hive/_HOST@EXAMPLE.COM;saslqop=auth-conf
```
The _HOST is a wildcard placeholder that gets automatically replaced with the fully qualified domain name (FQDN) of the server running the HiveServer daemon process.