Security

Enable SSL on HiveServer2

When using HiveServer2 without Kerberos authentication, you can enable SSL.

Note

To access SSL-enabled HDP services through the Knox Gateway, additional configuration on the Knox Gateway is required; see Apache Knox Gateway Administrator Guide, Gateway Security, Configure Wire Encryption.

Perform the following steps on the HiveServer2 node:

  1. Log in to the cluster as the hive user. Creating the Java keystore file as the hive user gives it the proper user:group ownership, which allows HiveServer2 to access the file and prevents a HiveServer2 startup failure.

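  2. Run the following command to create a keystore for HiveServer2:

    keytool -genkey -alias hbase -keyalg RSA -keysize 1024 -keystore hive.jks

    The -alias value is only a label for the key entry inside the keystore. A 1024-bit RSA key is below the 2048-bit minimum that current guidance (for example NIST SP 800-131A) sets for RSA, so check the key size against your own policy before using this keystore in production.

  3. Edit hive-site.xml and set the following properties to enable SSL: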

    <property>
      <name>hive.server2.use.SSL</name>
      <value>true</value>
      <description></description>
    </property>
     
    <property>
      <name>hive.server2.keystore.path</name>
      <value>keystore-file-path</value>
      <description></description>
    </property>
    
    <property>
      <name>hive.server2.keystore.password</name>
      <value>keystore-file-password</value>
      <description></description>
    </property>

    Note

    When hive.server2.transport.mode is binary and hive.server2.authentication is KERBEROS, SSL encryption does not currently work. Set hive.server2.thrift.sasl.qop to auth-conf to enable encryption.

  4. On the client side, specify SSL settings for the Beeline or JDBC client as follows:

    jdbc:hive2://<host>:<port>/<database>;ssl=true;sslTrustStore=<path-to-truststore>;trustStorePassword=<password>