  1. Hive
  2. HIVE-4911

Enable QOP configuration for Hive Server 2 thrift transport


Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 0.12.0
    • None
    • None
    • This patch adds a feature to enable integrity protection and confidentiality protection (beyond just the default of authentication) for communication between the Hive JDBC driver and Hive Server 2. You can use the SASL (http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer) QOP property (http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/Sasl.html#QOP) to configure this.

      - This applies only when Kerberos is used to authenticate the HS2 client (JDBC/ODBC application) with HS2.
      - hive.server2.thrift.sasl.qop in hive-site.xml has to be set to one of the valid QOP values ('auth', 'auth-int' or 'auth-conf').
      - Specify sasl.qop in the sessionconf part of your JDBC Hive connection string, e.g. jdbc:hive://hostname/dbname;sasl.qop=auth-int

      This also adds SASL QOP protection for metastore client-server communication. You can enable it using the Hadoop configuration parameter hadoop.rpc.protection.
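
      One way to check the server and client settings described in this note against each other, as an added example that is not code from the HIVE-4911 patch. The sample hive-site.xml is constructed; `hive.server2.authentication` is Hive's authentication property but is not named on this page, and the `auth-conf` requirement and the mismatch finding are this example's own policy assumptions.

```python
import xml.etree.ElementTree as ET

# Relative strength of the QOP values the release note lists as valid.
QOP_LEVEL = {"auth": 0, "auth-int": 1, "auth-conf": 2}

# Constructed sample hive-site.xml (not taken from the issue).
SAMPLE_SITE = """<configuration>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.thrift.sasl.qop</name><value>auth</value></property>
</configuration>"""

def site_props(xml_text):
    """Map property name -> value from hive-site.xml text."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def url_qop(jdbc_url):
    """Return sasl.qop from the ';key=value' session part of a JDBC URL, or None."""
    session = jdbc_url.split("?", 1)[0].split("#", 1)[0]
    for part in session.split(";")[1:]:
        key, _, value = part.partition("=")
        if key.strip() == "sasl.qop":
            return value.strip()
    return None

def audit(xml_text, jdbc_url, required="auth-conf"):
    """List findings for one server config and one client connection string."""
    findings = []
    props = site_props(xml_text)
    # The QOP setting only applies with Kerberos; unset is treated as NONE here.
    if props.get("hive.server2.authentication", "NONE").upper() != "KERBEROS":
        findings.append("QOP has no effect: HS2 authentication is not KERBEROS")
    # An unset value falls back to 'auth', the default named in the release note.
    server = props.get("hive.server2.thrift.sasl.qop", "auth")
    client = url_qop(jdbc_url) or "auth"
    for side, qop in (("server", server), ("client", client)):
        if qop not in QOP_LEVEL:
            findings.append(f"{side}: invalid QOP {qop!r}")
        elif QOP_LEVEL[qop] < QOP_LEVEL[required]:
            findings.append(f"{side}: {qop} is weaker than required {required}")
    if server in QOP_LEVEL and client in QOP_LEVEL and server != client:
        findings.append(f"client requests {client} but server is set to {server}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_SITE, "jdbc:hive://hostname/dbname;sasl.qop=auth-int"):
        print(line)
```

      Pass `required="auth-int"` when integrity protection without encryption is the accepted baseline.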


    Description

      The QoP for hive server 2 should be configurable to enable encryption. A new configuration should be exposed "hive.server2.thrift.sasl.qop". This would give greater control configuring hive server 2 service.

      Attachments

        1. HIVE-4911-trunk-3.patch
          22 kB
          Arup Malakar
        2. HIVE-4911-trunk-2.patch
          25 kB
          Arup Malakar
        3. HIVE-4911-trunk-1.patch
          24 kB
          Arup Malakar
        4. HIVE-4911-trunk-0.patch
          17 kB
          Arup Malakar
        5. 20-build-temp-change-1.patch
          3 kB
          Arup Malakar
        6. 20-build-temp-change.patch
          1 kB
          Thejas Nair


          People

            Assignee: amalakar Arup Malakar
            Reporter: amalakar Arup Malakar
            Votes: 0
            Watchers: 12
