Hive / HIVE-4911

Enable QOP configuration for Hive Server 2 thrift transport

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.12.0
    • Component/s: None
    • Labels:
      None
    • Release Note:
      This patch adds a feature to enable integrity protection and confidentiality protection (beyond just the default of authentication) for communication between the Hive JDBC driver and HiveServer2. You can use the SASL (http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer) QOP property (http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/Sasl.html#QOP) to configure this.

      - This applies only when Kerberos is used for HS2 client (JDBC/ODBC application) authentication with HS2.
      - hive.server2.thrift.sasl.qop in hive-site.xml has to be set to one of the valid QOP values ('auth', 'auth-int' or 'auth-conf').
      - Specify sasl.qop in the sessionconf part of your JDBC Hive connection string, e.g. jdbc:hive://hostname/dbname;sasl.qop=auth-int

      This also adds SASL QOP protection for metastore client-server communication. You can enable it using the Hadoop configuration parameter hadoop.rpc.protection.


      Description

      The QoP for hive server 2 should be configurable to enable encryption. A new configuration should be exposed "hive.server2.thrift.sasl.qop". This would give greater control configuring hive server 2 service.
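A configuration check for the two settings the release note names, as an added example that is not part of the issue or the Hive code base. It reads hive.server2.thrift.sasl.qop from a hive-site.xml and sasl.qop from a JDBC connection string, then reports any side that is weaker than a required level. The sample hive-site.xml is constructed, the function names are hypothetical, and it assumes session variables are the ;key=value pairs that precede any ? or # in the URL.

```python
import xml.etree.ElementTree as ET

# QOP values listed in the release note, ordered weakest to strongest.
QOP_STRENGTH = {"auth": 0, "auth-int": 1, "auth-conf": 2}

# Constructed sample hive-site.xml, not taken from a real deployment.
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.thrift.sasl.qop</name><value>auth-conf</value></property>
</configuration>"""

def server_settings(hive_site_xml):
    """Return {name: value} for every <property> in a hive-site.xml string."""
    root = ET.fromstring(hive_site_xml)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def client_qop(jdbc_url):
    """Read sasl.qop from the ;key=value session part of a JDBC URL."""
    session_part = jdbc_url.split("?", 1)[0].split("#", 1)[0]
    params = dict(kv.split("=", 1) for kv in session_part.split(";")[1:] if "=" in kv)
    return params.get("sasl.qop", "auth")  # unset means authentication only

def audit(hive_site_xml, jdbc_url, required="auth-conf"):
    """Return a list of findings; an empty list means both sides meet `required`."""
    conf = server_settings(hive_site_xml)
    findings = []
    if conf.get("hive.server2.authentication", "").upper() != "KERBEROS":
        findings.append("server: QOP only applies when Kerberos authentication is used")
    sides = {"server": conf.get("hive.server2.thrift.sasl.qop", "auth"),
             "client": client_qop(jdbc_url)}
    for side, qop in sides.items():
        if qop not in QOP_STRENGTH:
            findings.append(f"{side}: {qop!r} is not a valid QOP value")
        elif QOP_STRENGTH[qop] < QOP_STRENGTH[required]:
            findings.append(f"{side}: {qop!r} is weaker than required {required!r}")
    if sides["server"] != sides["client"]:
        findings.append("client and server QOP values differ")
    return findings

if __name__ == "__main__":
    for url in ("jdbc:hive://hostname/dbname;sasl.qop=auth-conf",
                "jdbc:hive://hostname/dbname;sasl.qop=auth-int",
                "jdbc:hive://hostname/dbname"):
        print(url, "->", audit(SAMPLE_HIVE_SITE, url) or "ok")
```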

      1. 20-build-temp-change.patch
        1 kB
        Thejas M Nair
      2. 20-build-temp-change-1.patch
        3 kB
        Arup Malakar
      3. HIVE-4911-trunk-0.patch
        17 kB
        Arup Malakar
      4. HIVE-4911-trunk-1.patch
        24 kB
        Arup Malakar
      5. HIVE-4911-trunk-2.patch
        25 kB
        Arup Malakar
      6. HIVE-4911-trunk-3.patch
        22 kB
        Arup Malakar

          Activity

          Lefty Leverenz made changes -
          Link This issue is related to HIVE-5120 [ HIVE-5120 ]
          Ashutosh Chauhan made changes -
          Status: Resolved [ 5 ] -> Closed [ 6 ]
          Thejas M Nair made changes -
          Description (original value): The QoP for hive server 2 should be configurable to enable encryption. A new configuration should be exposed "hive.server2.thrift.rpc.protection". This would give greater control configuring hive server 2 service.
          Description (new value): The QoP for hive server 2 should be configurable to enable encryption. A new configuration should be exposed "hive.server2.thrift.sasl.qop". This would give greater control configuring hive server 2 service.
          Thejas M Nair made changes -
          Release Note: This patch adds a feature to enable integrity protection and confidentiality protection (beyond just the default of authentication) for communication between the Hive JDBC driver and HiveServer2. You can use the SASL (http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer) QOP property (http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/Sasl.html#QOP) to configure this.

          - This applies only when Kerberos is used for HS2 client (JDBC/ODBC application) authentication with HS2.
          - hive.server2.thrift.sasl.qop in hive-site.xml has to be set to one of the valid QOP values ('auth', 'auth-int' or 'auth-conf').
          - Specify sasl.qop in the sessionconf part of your JDBC Hive connection string, e.g. jdbc:hive://hostname/dbname;sasl.qop=auth-int

          This also adds SASL QOP protection for metastore client-server communication. You can enable it using the Hadoop configuration parameter hadoop.rpc.protection.

          Thejas M Nair made changes -
          Link This issue is duplicated by HIVE-4225 [ HIVE-4225 ]
          Ashutosh Chauhan made changes -
          Status: Patch Available [ 10002 ] -> Resolved [ 5 ]
          Fix Version/s 0.12.0 [ 12324312 ]
          Resolution Fixed [ 1 ]
          Arup Malakar made changes -
          Attachment HIVE-4911-trunk-3.patch [ 12596183 ]
          Attachment 20-build-temp-change-1.patch [ 12596184 ]
          Thejas M Nair made changes -
          Attachment 20-build-temp-change.patch [ 12595710 ]
          Arup Malakar made changes -
          Attachment HIVE-4911-trunk-2.patch [ 12595692 ]
          Arup Malakar made changes -
          Attachment HIVE-4911-trunk-1.patch [ 12593976 ]
          Arup Malakar made changes -
          Attachment HIVE-4911-trunk-0.patch [ 12593589 ]
          Arup Malakar made changes -
          Status: Open [ 1 ] -> Patch Available [ 10002 ]
          Arup Malakar made changes -
          Assignee Arup Malakar [ amalakar ]
          Chris Drome made changes -
          Link This issue supersedes HIVE-4225 [ HIVE-4225 ]
          Arup Malakar made changes -
          Field: Original Value -> New Value
          Issue Type: Bug [ 1 ] -> New Feature [ 2 ]
          Arup Malakar created issue -

            People

            • Assignee:
              Arup Malakar
              Reporter:
              Arup Malakar
            • Votes:
              0
              Watchers:
              11
