As discovered on HADOOP-14333, Hive is using reflection to get a DFSClient for its encryption shim. We should provide proper public APIs for getting this information.
Hive should not use private HDFS APIs for encryption
Shouldn't try to get KeyProvider unless encryption is enabled
New exception thrown by DFSClient#isHDFSEncryptionEnabled broke hacky hive code
Client should always ask namenode for kms provider path.