This is documentation for MapR Version 5.0. You can also refer to MapR documentation for the latest release.


When you configure encryption, the Thrift messages sent between the Hive Metastore, HiveServer2, and HiveServer2 clients are encrypted.

Encryption is supported when HiveServer2 has no authentication or when it is configured to use MapR-SASL or Kerberos authentication. 

This page contains the following topics:

Configuring Encryption with MapR-SASL or Kerberos Authentication

Complete the following steps on each node where HiveServer2 is installed:

  1. In hive-site.xml, set the following property:

    Property                        Value
    hive.server2.thrift.sasl.qop    auth-conf

    As of Hive 0.13-1504 and Hive 1.0-1504, hive.server2.thrift.sasl.qop is set to auth-conf by default on secure clusters.
  2. Restart HiveServer2 to apply these changes. 

Configuring Encryption without Authentication

Complete the following steps on each node where HiveServer2 is installed:

  1. In hive-site.xml, set the following properties:

    Property                              Value
    hive.server2.use.SSL                  true
    hive.server2.ssl.keystore             <path to keystore file>
    hive.server2.ssl.keystore.password    <password>

    If you specify the password in the hive-site.xml file, protect the file with the appropriate file permissions. HiveServer2 automatically prompts for the keystore password during startup when no password is stored in the hive-site.xml file.

  2. Restart HiveServer2 to apply these changes. 
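A check that can be run against hive-site.xml before the restart, covering the settings from both procedures above. This is an added example, not MapR code: the function names, the constructed sample values, and the reading of "appropriate file permissions" as no access for group or other are assumptions.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

def load_properties(path):
    """Return {name: value} from a Hadoop-style <configuration> file."""
    props = {}
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_hive_site(path, forbidden_bits=0o077):
    """Return findings for the encryption settings described on this page.
    Assumption: "appropriate file permissions" means no group/other access."""
    props = load_properties(path)
    findings = []
    ssl_on = props.get("hive.server2.use.SSL", "").lower() == "true"
    if ssl_on and not props.get("hive.server2.ssl.keystore"):
        findings.append("SSL enabled but hive.server2.ssl.keystore is not set")
    # A stored keystore password makes the file itself a secret.
    if props.get("hive.server2.ssl.keystore.password"):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & forbidden_bits:
            findings.append(f"keystore password stored in file with mode {mode:o}")
    # auth-conf is the only QOP value this page sets for encryption.
    qop = props.get("hive.server2.thrift.sasl.qop")
    if qop is not None and qop != "auth-conf":
        findings.append(f"sasl.qop is {qop!r}, not auth-conf")
    return findings

def write_sample(props, mode):
    """Write a constructed hive-site.xml (sample data, not a real config)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(f"<configuration>{body}</configuration>")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    sample = write_sample({"hive.server2.use.SSL": "true",
        "hive.server2.ssl.keystore": "/constructed/keystore.jks",
        "hive.server2.ssl.keystore.password": "constructed"}, 0o644)
    print(audit_hive_site(sample))
    os.remove(sample)
```

The findings never include the password value itself, so the output is safe to log.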

Configuring HiveServer2 Clients to Connect to HiveServer2 with Encryption

Based on the encryption method, the requirements for clients to connect to HiveServer2 differ. 

  • When HiveServer2 uses encryption with MapR-SASL or Kerberos authentication, the client must specify the same SASL QOP value that is set for HiveServer2 (auth-conf is the default, recommended option).
  • When HiveServer2 uses SSL encryption without authentication, the client must specify a truststore. The ssl_truststore file must be copied from the cluster to the client. Specifying a truststore password is optional.

For details, see Connecting to Hive.

 

 
