Configuring Encrypted Communication Between Hive and Client Drivers

This topic describes how to set up encrypted communication between HiveServer2 and its clients. How you encrypt Hive communication depends on whether you use Kerberos authentication between HiveServer2 and the JDBC/ODBC client drivers.

With Kerberos Enabled

With Kerberos authentication enabled, traffic between the Hive JDBC or ODBC drivers and HiveServer2 can be encrypted using the SASL quality of protection (QOP) setting, which lets you preserve both data integrity (using checksums to validate message integrity) and confidentiality (by encrypting messages). For instructions, see Configuring Encrypted Client/Server Communication for Kerberos-enabled HiveServer2 Connections.

Without Kerberos Enabled

If you are using any alternate means of authentication, such as LDAP, between HiveServer2 and its clients, you can configure Secure Socket Layer (SSL) communication between them. For instructions, see Configuring Encrypted Client/Server Communication for non-Kerberos HiveServer2 Connections. For more information on configuring SSL truststores and keystores, see TLS/SSL Certificates Overview.

Configuring Encrypted Client/Server Communication for Kerberos-enabled HiveServer2 Connections

With Kerberos authentication enabled, traffic between the Hive JDBC or ODBC drivers and HiveServer2 can be encrypted, which allows you to preserve data integrity (using checksums to validate message integrity) and confidentiality (by encrypting messages). This is enabled by setting the hive.server2.thrift.sasl.qop property in hive-site.xml. For example:
    <property>
      <name>hive.server2.thrift.sasl.qop</name>
      <value>auth-conf</value>
      <description>Sasl QOP value; one of 'auth', 'auth-int' and 'auth-conf'</description>
    </property>
Valid settings for the value field are:
  • auth: Authentication only (default)
  • auth-int: Authentication with integrity protection
  • auth-conf: Authentication with confidentiality protection
The parameter value that you specify in the HiveServer2 configuration must match the value specified in the Beeline client connection JDBC URL. For example:
!connect jdbc:hive2://ip-10-5-15-197.us-west-2.compute.internal:10000/default;  \
principal=hive/_HOST@US-WEST-2.COMPUTE.INTERNAL;sasl.qop=auth-conf

Configuring Encrypted Client/Server Communication for non-Kerberos HiveServer2 Connections

You can use either Cloudera Manager or the command-line to enable SSL encryption for non-Kerberized client connections to HiveServer2.

Using Cloudera Manager

The steps for configuring and enabling SSL for Hive are as follows:
  1. Open the Cloudera Manager Admin Console and go to the Hive service.
  2. Click the Configuration tab.
  3. Select Scope > Hive (Service-Wide).
  4. Select Category > Security.
  5. In the Search field, type SSL to show the Hive SSL properties.
  6. Edit the following SSL properties according to your cluster configuration.
    Hive SSL Properties (Property: Description)
      • Enable TLS/SSL for HiveServer2: Enable support for encrypted client-server communication using Secure Socket Layer (SSL) for HiveServer2 connections. Not applicable for Kerberos-enabled connections.
      • HiveServer2 TLS/SSL Server JKS Keystore File Location: Path to the SSL keystore.
      • HiveServer2 TLS/SSL Server JKS Keystore File Password: Password for the keystore.
  7. Click Save Changes to commit the changes.
  8. Restart the Hive service.

Using the Command Line

  • To enable SSL, add the following configuration parameters to hive-site.xml:
    <property>
      <name>hive.server2.use.SSL</name>
      <value>true</value>
      <description>enable/disable SSL</description>
    </property>
     
    <property>
      <name>hive.server2.keystore.path</name>
      <value>keystore-file-path</value>
      <description>path to keystore file</description>
    </property>
    
    <property>
      <name>hive.server2.keystore.password</name>
      <value>keystore-file-password</value>
      <description>keystore password</description>
    </property>
  • The keystore must contain the server's certificate.

  • The JDBC client must add the following properties in the connection URL when connecting to a HiveServer2 using SSL:
    ;ssl=true[;sslTrustStore=<Trust-Store-Path>;trustStorePassword=<Trust-Store-password>]
  • Make sure one of the following is true:
    • Either: sslTrustStore points to the trust store file containing the server's certificate; for example:
      jdbc:hive2://localhost:10000/default;ssl=true;\
      sslTrustStore=/home/usr1/ssl/trust_store.jks;trustStorePassword=xyz
      
    • or: the Trust Store arguments are set using the Java system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword; for example:
      java -Djavax.net.ssl.trustStore=/home/usr1/ssl/trust_store.jks -Djavax.net.ssl.trustStorePassword=xyz \
       MyClass jdbc:hive2://localhost:10000/default;ssl=true
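As an added example (not part of this documentation or the Hive project), the following Python audit checks a hive-site.xml and a client JDBC URL against both procedures above: under Kerberos it requires sasl.qop=auth-conf on the server and the same value in the URL; otherwise it requires hive.server2.use.SSL, a keystore path, and ssl=true (with a trust store supplied in the URL or via the javax.net.ssl.trustStore system property). It assumes the standard hive.server2.authentication property (not shown on this page) selects the mode, and the sample hive-site.xml is constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml (not from a real cluster): Kerberos auth,
# sasl.qop left at its default 'auth', so messages are neither signed nor encrypted.
SAMPLE_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.thrift.sasl.qop</name><value>auth</value></property>
</configuration>"""

def parse_hive_site(xml_text):
    """Return {property name: value} from a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def parse_jdbc_params(url):
    """Return the ';'-separated session parameters of a jdbc:hive2 URL as a dict."""
    params = {}
    for part in url.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        if key:
            params[key] = value
    return params

def audit(props, jdbc_url):
    """List transport-encryption gaps between hive-site.xml and a client URL."""
    findings = []
    params = parse_jdbc_params(jdbc_url)
    # Assumption: the standard hive.server2.authentication property selects the mode.
    if props.get("hive.server2.authentication", "NONE").upper() == "KERBEROS":
        server_qop = props.get("hive.server2.thrift.sasl.qop", "auth")  # 'auth' is the default
        client_qop = params.get("sasl.qop", "auth")
        if server_qop != "auth-conf":
            findings.append(f"server sasl.qop={server_qop}: messages are not encrypted")
        if client_qop != server_qop:
            findings.append(f"client sasl.qop={client_qop} does not match server {server_qop}")
    else:
        if props.get("hive.server2.use.SSL", "false").lower() != "true":
            findings.append("hive.server2.use.SSL is not true: connections are plaintext")
        elif not props.get("hive.server2.keystore.path"):
            findings.append("hive.server2.use.SSL=true but hive.server2.keystore.path is unset")
        if params.get("ssl", "false").lower() != "true":
            findings.append("client URL lacks ssl=true")
        elif "sslTrustStore" not in params:
            findings.append("client URL has no sslTrustStore: javax.net.ssl.trustStore must be set")
    return findings
```

Run `audit(parse_hive_site(open("hive-site.xml").read(), url)` against the URL your clients actually use; an empty list means the settings on this page are consistent on both sides.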

For more information on using self-signed certificates and the Trust Store, see the Oracle Java SE keytool page.