Configuring Encrypted Communication Between HiveServer2 and Client Drivers

Starting with CDH 5.5, encryption for HiveServer2 clients has been decoupled from the authentication mechanism. This means you can use either SASL QOP or TLS/SSL to encrypt traffic between HiveServer2 and its clients, irrespective of whether Kerberos is being used for authentication. Previously, the JDBC client drivers only supported SASL QOP encryption on Kerberos-authenticated connections.

SASL QOP encryption is better suited for encrypting RPC communication and may result in performance issues when dealing with large amounts of data. Move to using TLS/SSL encryption to avoid such issues.

This topic describes how to set up encrypted communication between HiveServer2 and its JDBC/ODBC client drivers.

Configuring Encrypted Client/Server Communication Using TLS/SSL

You can use either the Cloudera Manager or the command-line instructions described below to enable TLS/SSL encryption for JDBC/ODBC client connections to HiveServer2. For background information on setting up TLS/SSL truststores and keystores, see Data in Transit Encryption (TLS/SSL).

Using Cloudera Manager

The steps for configuring and enabling TLS/SSL for Hive are as follows:
  1. Open the Cloudera Manager Admin Console and go to the Hive service.
  2. Click the Configuration tab.
  3. Select Scope > Hive (Service-Wide).
  4. Select Category > Security.
  5. In the Search field, type TLS/SSL to show the Hive properties.
  6. Edit the following properties according to your cluster configuration.
    Hive TLS/SSL Properties
    Property Description
    Enable TLS/SSL for HiveServer2 Enable support for encrypted client-server communication using Transport Layer Security (TLS) for HiveServer2 connections.
    HiveServer2 TLS/SSL Server JKS Keystore File Location Path to the TLS keystore.
    HiveServer2 TLS/SSL Server JKS Keystore File Password Password for the TLS keystore.
  7. Click Save Changes to commit the changes.
  8. Restart the Hive service.

Using the Command Line

  • To enable TLS/SSL, add the following configuration parameters to hive-site.xml :
    <property>
      <name>hive.server2.use.SSL</name>
      <value>true</value>
      <description>enable/disable SSL </description>
    </property>
     
    <property>
      <name>hive.server2.keystore.path</name>
      <value>keystore-file-path</value>
      <description>path to keystore file</description>
    </property>
    
    <property>
      <name>hive.server2.keystore.password</name>
      <value>keystore-file-password</value>
      <description>keystore password</description>
    </property>
  • The keystore must contain the server's certificate.

  • The JDBC client must add the following properties in the connection URL when connecting to a HiveServer2 using TLS/SSL:
    ;ssl=true[;sslTrustStore=<Trust-Store-Path>;trustStorePassword=<Trust-Store-password>]
  • Make sure one of the following is true:
    • Either: sslTrustStore points to the truststore file containing the server's certificate; for example:
      jdbc:hive2://localhost:10000/default;ssl=true;\
      sslTrustStore=/home/usr1/ssl/trust_store.jks;trustStorePassword=xyz
      
    • or: the Trust Store arguments are set using the Java system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword; for example:
      java -Djavax.net.ssl.trustStore=/home/usr1/ssl/trust_store.jks -Djavax.net.ssl.trustStorePassword=xyz \
       MyClass jdbc:hive2://localhost:10000/default;ssl=true

For more information on using self-signed certificates and the Trust Store, see the Oracle Java SE keytool page.

Configuring Encrypted Client/Server Communication Using SASL QOP

Traffic between the Hive JDBC or ODBC drivers and HiveServer2 can be encrypted using plain SASL QOP encryption which allows you to preserve data integrity (using checksums to validate message integrity) and confidentiality (by encrypting messages). This can be enabled by setting the hive.server2.thrift.sasl.qop property in hive-site.xml. For example,
<property>
<name>hive.server2.thrift.sasl.qop</name>
<value>auth-conf</value>
<description>Sasl QOP value; one of 'auth', 'auth-int' and 'auth-conf'</description>
</property>
Valid settings for the value field are:
  • auth: Authentication only (default)
  • auth-int: Authentication with integrity protection
  • auth-conf: Authentication with confidentiality protection
The parameter value that you specify above in the HiveServer2 configuration, should match that specified in the Beeline client connection JDBC URL. For example:
!connect jdbc:hive2://ip-10-5-15-197.us-west-2.compute.internal:10000/default;  \
principal=hive/_HOST@US-WEST-2.COMPUTE.INTERNAL;sasl.qop=auth-conf