  1. Hive
  2. HIVE-15025

Secure-Socket-Layer (SSL) support for HMS

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.2.0
    • 2.3.0
    • Metastore
      The patch adds the following properties to hive configuration.
      hive.metastore.use.SSL: to enable/disable SSL encryption for the communication between the client and HMS server.
      The following properties are used when hive.metastore.use.SSL is set to true.
      hive.metastore.keystore.path: the keystore file used by HMS server
      hive.metastore.keystore.password: the keystore file password
      hive.metastore.truststore.path: the truststore file used by HS2 server (acting as HMS client to connect to HMS server)
      hive.metastore.truststore.password: the truststore file password

      SSL encryption is only used to encrypt the communication to HMS when no Kerberos authentication is enabled for HMS. When SSL is enabled for HMS, HS2 (one of the HMS clients) uses hive.metastore.use.SSL flag to enable SSL on the client side. Other HMS clients are required to support SSL in non-Kerberos mode in order to communicate with HMS.

    Description

      HMS server should support SSL encryption. When the server is Kerberos enabled, the encryption can be enabled. But if Kerberos is not enabled, then there is no encryption between HS2 and HMS.

      Similar to HS2, we should support encryption in both cases.
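
A configuration check for the properties listed in the release note, as an added example that is not part of the HIVE-15025 patch or of Hive itself. It assumes `hive.metastore.sasl.enabled` is the switch that marks HMS as Kerberos-enabled and that the passwords are set in the same file; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml for an HMS server (path and password are placeholders).
SAMPLE = """<configuration>
  <property><name>hive.metastore.use.SSL</name><value>true</value></property>
  <property><name>hive.metastore.keystore.path</name><value>/etc/hive/conf/hms.jks</value></property>
  <property><name>hive.metastore.keystore.password</name><value>changeit</value></property>
  <property><name>hive.metastore.sasl.enabled</name><value>true</value></property>
</configuration>"""

# Which properties each side needs, per the release note:
# keystore on the HMS server, truststore on the HMS client (e.g. HS2).
ROLE_KEYS = {
    "server": ("hive.metastore.keystore.path", "hive.metastore.keystore.password"),
    "client": ("hive.metastore.truststore.path", "hive.metastore.truststore.password"),
}

def load_props(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def is_true(props, key):
    return props.get(key, "false").lower() == "true"

def check_hms_ssl(xml_text, role):
    """Return a list of findings for role 'server' (HMS) or 'client' (e.g. HS2)."""
    props = load_props(xml_text)
    ssl_on = is_true(props, "hive.metastore.use.SSL")
    # Assumption: this property marks HMS as Kerberos-enabled.
    kerberos_on = is_true(props, "hive.metastore.sasl.enabled")
    findings = []
    if not ssl_on:
        if not kerberos_on:
            findings.append("no SSL and no Kerberos: client-to-HMS traffic is unencrypted")
        return findings
    if kerberos_on:
        findings.append("hive.metastore.use.SSL is true but Kerberos is enabled: "
                        "SSL is only used in non-Kerberos mode")
    for key in ROLE_KEYS[role]:
        if not props.get(key):
            findings.append(f"{key} is not set although hive.metastore.use.SSL is true")
    return findings

if __name__ == "__main__":
    for role in ("server", "client"):
        print(role, check_hms_ssl(SAMPLE, role))
```
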

      Attachments

        1. HIVE-15025.1.patch
          25 kB
          Aihua Xu
        2. HIVE-15025.2.patch
          27 kB
          Aihua Xu
        3. HIVE-15025.3.patch
          32 kB
          Aihua Xu
        4. HIVE-15025.addendum
          1 kB
          Aihua Xu

            People

              aihuaxu Aihua Xu