Enable TLS encryption to HMS backend database

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.1.0
    • 2.1.0
    • Metastore
    • HIVE-13044 (Enable TLS encryption to HMS backend database) adds a new hive-site.xml property, hive.metastore.dbaccess.ssl.properties, which simplifies the SSL configuration on the HMS side. SSL client configuration can be set up by configuring two hive-site.xml properties: javax.jdo.option.ConnectionURL and hive.metastore.dbaccess.ssl.properties.

      javax.jdo.option.ConnectionURL specifies the connection string for HMS to connect to the database. To enable SSL, the client SSL flag(s) or a certain protocol need to be added to the connection string.

      hive.metastore.dbaccess.ssl.properties: When SSL is enabled in the connection string, some SSL properties, such as the key store location or key store password, need to be passed in as system properties. This configuration allows the user to pass in the list of the necessary SSL properties depending on how the database is configured to secure the connection. For example, if mutual authentication is needed between the client (HMS) and the server (database), javax.net.ssl.keyStore needs to be specified to authenticate the client against the server, as well as javax.net.ssl.trustStore to authenticate the server against the client.
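
A small audit of the two properties described above, run against a constructed hive-site.xml fragment; this is an added example, not code from the Hive project or from the patches attached to this issue. Assumptions: the comma-separated key=value format of hive.metastore.dbaccess.ssl.properties follows the property's description in HiveConf, the URL flags are MySQL Connector/J 5.1-style options, the host, paths and passwords are placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample; host, paths and passwords are placeholders (assumptions).
# URL flags are Connector/J 5.1-style; '&' has to be written as '&amp;' in XML.
SAMPLE_HIVE_SITE = """<configuration>
  <property>
    <name>javax.jdo.option.ConnectionURL</name>
    <value>jdbc:mysql://db.example.internal:3306/metastore?useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true</value>
  </property>
  <property>
    <name>hive.metastore.dbaccess.ssl.properties</name>
    <value>javax.net.ssl.trustStore=/etc/hive/conf/truststore.jks,javax.net.ssl.trustStorePassword=PLACEHOLDER,javax.net.ssl.keyStore=/etc/hive/conf/keystore.jks,javax.net.ssl.keyStorePassword=PLACEHOLDER</value>
  </property>
</configuration>"""

def load_properties(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def parse_ssl_properties(value):
    """Split the comma-separated key=value list into a dict."""
    pairs = (item.split("=", 1) for item in value.split(",") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}

def audit(xml_text, mutual_auth=False):
    """Return a list of findings; an empty list means every check passed."""
    props = load_properties(xml_text)
    url = props.get("javax.jdo.option.ConnectionURL", "")
    query = url.partition("?")[2]
    flags = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    ssl = parse_ssl_properties(props.get("hive.metastore.dbaccess.ssl.properties", ""))
    findings = []
    if flags.get("useSSL", "").lower() != "true":
        findings.append("ConnectionURL does not enable SSL")
    if flags.get("verifyServerCertificate", "").lower() != "true":
        findings.append("server certificate is not verified")
    if "javax.net.ssl.trustStore" not in ssl:
        findings.append("no javax.net.ssl.trustStore configured")
    if mutual_auth and "javax.net.ssl.keyStore" not in ssl:
        findings.append("mutual authentication requires javax.net.ssl.keyStore")
    return findings
```

The sample passes with `mutual_auth=True`; setting verifyServerCertificate to false produces a finding because the connection would be encrypted without authenticating the database server. The store passwords sit in hive-site.xml as plain text, so the file's permissions are part of the configuration.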

    Description

      When a database like MySQL enables TLS/SSL encryption, we should provide some configuration properties like the ones for HS2 to enable that. Right now, I think we can enable that through javaopts and the connection URL.

      Attachments

        1. HIVE-13044.1.patch
          3 kB
          Aihua Xu
        2. HIVE-13044.2.patch
          3 kB
          Aihua Xu
        3. TLSSSLCommunicationBetweenHMSandDatabases.pdf
          114 kB
          Aihua Xu

            People

              aihuaxu Aihua Xu
              aihuaxu Aihua Xu