Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-15025

Secure-Socket-Layer (SSL) support for HMS

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.3.0
    • Component/s: Metastore
    • Labels:
    • Release Note:
      Hide
      The patch adds the following properties to hive configuration.
      hive.metastore.use.SSL: to enable/disable SSL encryption for the communication between the client and HMS server.
      The following properties are used when hive.metastore.use.SSL is set to true.
      hive.metastore.keystore.path: the keystore file used by HMS server
      hive.metastore.keystore.password: the keystore file password
      hive.metastore.truststore.path: the truststore file used by HS2 server (acting as HMS client to connect to HMS server)
      hive.metastore.truststore.password: the truststore file password

      SSL encryption is only used to encrypt the communication to HMS when no kerberos authentication is enabled for HMS. When SSL is enabled for HMS, HS2 (one of the HMS clients) uses hive.metastore.use.SSL flag to enable SSL on the client side. Other HMS clients are required to support SSL in non-kerberos mode in order to communicate with HMS.
      Show
      The patch adds the following properties to hive configuration. hive.metastore.use.SSL: to enable/disable SSL encryption for the communication between the client and HMS server. The following properties are used when hive.metastore.use.SSL is set to true. hive.metastore.keystore.path: the keystore file used by HMS server hive.metastore.keystore.password: the keystore file password hive.metastore.truststore.path: the truststore file used by HS2 server (acting as HMS client to connect to HMS server) hive.metastore.truststore.password: the truststore file password SSL encryption is only used to encrypt the communication to HMS when no kerberos authentication is enabled for HMS. When SSL is enabled for HMS, HS2 (one of the HMS clients) uses hive.metastore.use.SSL flag to enable SSL on the client side. Other HMS clients are required to support SSL in non-kerberos mode in order to communicate with HMS.

      Description

      HMS server should support SSL encryption. When the server is keberos enabled, the encryption can be enabled. But if keberos is not enabled, then there is no encryption between HS2 and HMS.

      Similar to HS2, we should support encryption in both cases.

        Attachments

        1. HIVE-15025.1.patch
          25 kB
          Aihua Xu
        2. HIVE-15025.2.patch
          27 kB
          Aihua Xu
        3. HIVE-15025.3.patch
          32 kB
          Aihua Xu
        4. HIVE-15025.addendum
          1 kB
          Aihua Xu

          Issue Links

            Activity

              People

              • Assignee:
                aihuaxu Aihua Xu
                Reporter:
                aihuaxu Aihua Xu
              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: