Connect to Phoenix Query Server through Apache Knox

You can connect to Phoenix Query Server (PQS) using the JDBC thin client through the Apache Knox gateway. Apache Knox requires your thin client connection to be over HTTPS.

Ensure that you have access to Apache Phoenix and Apache HBase, and you have the required permissions configured in Ranger to connect to PQS.

  • Get the PQS Knox endpoint to connect to PQS from the CDP Data Hub user interface. Go to Data Hub cluster > Endpoints > Cloudera Manager Info > Endpoints > Phoenix Query Server.
  • Use the JDBC URL in the following sytax to connect to PQS through the Apache Knox gateway:

    jdbc:phoenix:thin:url=https://[***KNOX ENDPOINT***]:[***PORT***]/[***KNOX TOPOLOGY NAME***]/cdp-proxy-api/avatica/;serialization=PROTOBUF;authentication=BASIC;avatica_user=[***WORKLOAD USERNAME*];avatica_password=[***WORKLOAD PASSWORD***];truststore=[***PATH TO THE KNOX TRUSTSTORE .jks FILE***];truststore_password=[***TRUSTSTORE PASSWORD***]

    The standard Oracle Java JDK distribution includes a default truststore (cacerts) that contains root certificates for many well-known CAs, including Symantec. Rather than using the default truststore, Cloudera recommends using the alternative truststore, jssecacerts. The alternative truststore is created by copying cacerts to that filename (jssecacerts). Certificates can be added to this truststore when needed for additional roles or services. This alternative truststore is loaded by Hadoop daemons at startup. Password (if there is one for the truststore) stored in a plaintext file readable by all (OS filesystem permissions set to 0440). For more information about truststores, see Understanding Keystores and Truststores.