Documentation

gitHub

Connect to a Hive instance

Hive can be configured to provide User Authentication, which ensures that only authorized users can communicate with Hive.  

 

The Hackolade connection settings must match the configuration of the hive-site.xml for the HiveServer2 setup where:

  • HOST is a host name of the machine Hive is running on (e.g. localhost, 0.0.0.0, hive.company.com etc.).
  • According to the mode option, either BINARY_PORT or HTTP_PORT is set up (by default they are 10000 and 10001 accordingly).
  • The authentication parameter must be "none", “nosasl”, "ldap", or "kerberos"
  • MODE is the transport mode for Thrift protocol. It can be “http” or “binary”.
  • HTTP_PATH is the option to define a URI to the hive server (e.g. if HTTP_PATH is hive2 the URI of Hive server will be http://localhost:10001/hive2).

 

Besides proper connection, the application requires, for proper reverse-engineering, that the credentials have sufficient rights to execute these queries:

describe formatted <table>

describe extended <table>

select * from <table> limit 1

 

 

1) Host name and port number

In the connection tab, first give a friendly name to the connection settings.  This name is only used in Hackolade to help manage multiple connections.

 

Image

 

TIP: if you have instances with a very large number of databases, you may wish to declare a particular database directly in the connection string by providing the database name and restrict the scope of discovery.

 

 

Set the host name of the machine the Hive is running (e.g. localhost, 0.0.0.0, hive.example.com etc.)  corresponding to:

<property>

<name>hive.server2.thrift.bind.host</name>

<value>hive.example.com</value>

</property>

 

If in binary transport mode, the port number must correspond to the port number in:

<property>

<name>hive.server2.thrift.port</name>

<value>10001</value>

</property>

 

 

If in http transport mode, the port number must correspond to the port number in:

<property>

<name>hive.server2.thrift.http.port</name>

<value>10001</value>

</property>

 

 

2) Authentication type

You may choose between the following protocols:

- None (Plain SASL)

- NoSASL

- LDAP

- Kerberos

 

 

3) Transport mode

In the options tab, choose the transport mode, either binary (default) or http.  

 

<property>

<name>hive.server2.transport.mode</name>

<value>MODE</value>

</property>  

 

 

Image

 

Http transport mode is available for all transport types (Plain SASL, NoSASL, LDAP or Kerberos.)  If the chosen transport mode is http, then the HTTP path must be specified:

<property>

<name>hive.server2.thrift.http.path</name>

<value>hive2</value>

</property>

 

Image

4) SSL

Hackolade is able to connect to Hive via SSL connection with all of the authentication types: “None (PlainSASL)”, "NoSASL", “LDAP” and “Kerberos”. Hive uses the following configuration in the hive-site.xml file:

<property>

<name>hive.server2.use.SSL</name>

<value>true</value>

</property>

<property>

<name>hive.server2.keystore.path</name>

<value>PATH_TO_JKS_FILE</value>

</property>

<property>

<name>hive.server2.keystore.password</name>

<value>PASSWORD_FOR_JKS_FILE</value>

</property>

 

4a) Using HTTPs

If the certificate is not installed locally, you must get a copy of the certificate(s) and reference them in the Certificate Authority field: 

Image

You may declare multiple certificates, separated by a comma.  

 

Alternatively, you may concatenate the certificates into a single file, and the result should look like this:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

 

 

4b) Accessing the keystore directly

Specify the path and filename to keystore, the access password, and the alias name for the Hive instance.

Image

 

4c) Convert the keystore into PEM keys

 

The following instruction shows how to convert JKS (java key store) certificate to PEM:

 

  1. Install java if you don't have it: https://www.java.com/en/download/
  2. Install openssl: https://wiki.openssl.org/index.php/Binaries
    1. Linux: sudo apt-get install openssl
    2. MacOS: brew install openssl
    3. Windows: https://slproweb.com/products/Win32OpenSSL.html
  3. Find out alias used by keystore

Run the following command to find out what alias is used by keystore:

> keytool -v -list -keystore keystore.jks

where keystore.jks is the java key store file granting access to the cassandra instance

alias will be in the section “Alias name”

  1. Generate PKS key

> keytool -importkeystore -srckeystore keystore.jks -destkeystore myapp.p12 -srcalias myapp-dev -srcstoretype jks -deststoretype pkcs12

keystore.jks - the java key store file granting access to the hive instance

myapp.p12 - intermediate PKS key

myapp-dev - alias used by keystore and determined in step 3 above

      5. Generate CA key

> keytool -importkeystore -srckeystore truststore.jks -destkeystore trust.p12 -srcalias myapp-dev -srcstoretype jks -deststoretype pkcs12

      6. Generate .pem key

> openssl pkcs12 -in myapp.p12 -nokeys -out myapp.pem

> openssl pkcs12 -in trust.p12 -nokeys -out ca.pem

> openssl pkcs12 -in myapp.p12 -nodes -nocerts -out myapp.key

 

      7. Use generated files in Hackolade:

“Certificate Authority”: ca.pem

“Client Certificate”: myapp.pem

“Client Private Key”: myapp.key

 

 

Image

 

More information can be found here.