HIVE-4911

Enable QOP configuration for Hive Server 2 thrift transport

Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 0.12.0
    • None
    • None
      This patch adds a feature to enable integrity protection and confidentiality protection (beyond just the default of authentication) for communication between the hive jdbc driver and hive server2. You can use the SASL (http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer) QOP property (http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/Sasl.html#QOP) to configure this.

      - This applies only when kerberos is used for the HS2 client (jdbc/odbc application) authentication with HS2.
      - hive.server2.thrift.sasl.qop in hive-site.xml has to be set to one of the valid QOP values ('auth', 'auth-int' or 'auth-conf').
      - Specify sasl.qop in the sessionconf part of your jdbc hive connection string, e.g. jdbc:hive://hostname/dbname;sasl.qop=auth-int

      This also adds SASL QOP protection for metastore client-server communication. You can enable it using the hadoop configuration parameter hadoop.rpc.protection.
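
A configuration check for the two settings above, added here as an example and not part of the patch or of Hive: it reads hive.server2.thrift.sasl.qop from a hive-site.xml and sasl.qop from a JDBC connection string, then reports values that are invalid or weaker than a required level. The function names, the sample XML, the `required` policy and the rule of flagging a client value that differs from the server's are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

VALID_QOP = ("auth", "auth-int", "auth-conf")  # values listed in the release note
STRENGTH = {q: i for i, q in enumerate(VALID_QOP)}  # weakest to strongest

# Constructed sample hive-site.xml, not taken from a real deployment.
SAMPLE_HIVE_SITE = """<configuration>
  <property>
    <name>hive.server2.thrift.sasl.qop</name>
    <value>auth-conf</value>
  </property>
</configuration>"""

def server_qop(hive_site_xml):
    """Return hive.server2.thrift.sasl.qop, or 'auth' (the default) if unset."""
    root = ET.fromstring(hive_site_xml)
    for prop in root.iter("property"):
        if prop.findtext("name", "").strip() == "hive.server2.thrift.sasl.qop":
            return prop.findtext("value", "").strip()
    return "auth"

def client_qop(jdbc_url):
    """Return sasl.qop from the sessionconf part (';key=value' after the db name)."""
    session_part = jdbc_url.split("?", 1)[0].split("#", 1)[0]
    for item in session_part.split(";")[1:]:
        key, _, value = item.partition("=")
        if key.strip() == "sasl.qop":
            return value.strip()
    return "auth"

def audit(hive_site_xml, jdbc_url, required="auth-conf"):
    """List findings; an empty list means both sides meet the required QOP."""
    findings = []
    srv, cli = server_qop(hive_site_xml), client_qop(jdbc_url)
    for side, qop in (("server", srv), ("client", cli)):
        if qop not in VALID_QOP:
            findings.append(f"{side}: invalid QOP {qop!r}")
        elif STRENGTH[qop] < STRENGTH[required]:
            findings.append(f"{side}: {qop} is weaker than required {required}")
    # Assumption for this example: a client value that differs from the server's is flagged.
    if srv in VALID_QOP and cli in VALID_QOP and srv != cli:
        findings.append(f"mismatch: server={srv} client={cli}")
    return findings
```
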


    Description

      The QoP for hive server 2 should be configurable to enable encryption. A new configuration should be exposed "hive.server2.thrift.sasl.qop". This would give greater control configuring hive server 2 service.

      Attachments

        1. 20-build-temp-change.patch
          1 kB
          Thejas Nair
        2. 20-build-temp-change-1.patch
          3 kB
          Arup Malakar
        3. HIVE-4911-trunk-0.patch
          17 kB
          Arup Malakar
        4. HIVE-4911-trunk-1.patch
          24 kB
          Arup Malakar
        5. HIVE-4911-trunk-2.patch
          25 kB
          Arup Malakar
        6. HIVE-4911-trunk-3.patch
          22 kB
          Arup Malakar

            People

              amalakar Arup Malakar
              amalakar Arup Malakar