Hive can be configured to provide User Authentication, which ensures that only authorized users can communicate with Hive. Hackolade provides support for basic authentication. Support for LDAP, Kerberos and SASL is planned, but these protocols are not yet available.


The Hackolade connection settings must match the configuration of the hive-site.xml for the HiveServer2 setup where:

  • HOST is a host name of the machine Hive is running on (e.g. localhost, 0.0.0.0, hive.company.com etc.).
  • MODE is the transport mode for the Thrift protocol. It can be "http" or "binary".
  • Depending on the mode, either BINARY_PORT or HTTP_PORT is set (by default they are 10000 and 10001 respectively).
  • The authentication parameter must be "none", "nosasl", "ldap", or "kerberos".
  • HTTP_PATH is the option to define a URI to the hive server (e.g. if HTTP_PATH is hive2 the URI of Hive server will be http://localhost:10001/hive2).


1) Host name and port number

In the connection tab, first give a friendly name to the connection settings.  This name is only used in Hackolade to help manage multiple connections.




Set the host name of the machine Hive is running on (e.g. localhost, 0.0.0.0, hive.example.com etc.), corresponding to:

<property>
  <name>hive.server2.thrift.bind.host</name>
  <value>hive.example.com</value>
</property>


If in binary transport mode, the port number must correspond to the port number in:

<property>
  <name>hive.server2.thrift.port</name>
  <value>10001</value>
</property>



If in http transport mode, the port number must correspond to the port number in:

<property>
  <name>hive.server2.thrift.http.port</name>
  <value>10001</value>
</property>


2) Authentication type

You may choose between the following protocols:

- None (Plain SASL)

- NoSASL

- LDAP

- Kerberos



3) Transport mode

In the options tab, choose the transport mode, either binary (default) or http.  


<property>
  <name>hive.server2.transport.mode</name>
  <value>MODE</value>
</property>




HTTP transport mode is only available for Plain SASL and NoSASL (i.e. not for LDAP or Kerberos). If the chosen transport mode is http, then the HTTP path must be specified:

<property>
  <name>hive.server2.thrift.http.path</name>
  <value>hive2</value>
</property>


4) SSL

Hackolade is able to connect to Hive over an SSL connection with all of the authentication types: "None (Plain SASL)", "NoSASL", "LDAP" and "Kerberos". Hive uses the following configuration in the hive-site.xml file:

<property>
  <name>hive.server2.use.SSL</name>
  <value>true</value>
</property>

<property>
  <name>hive.server2.keystore.path</name>
  <value>PATH_TO_JKS_FILE</value>
</property>

<property>
  <name>hive.server2.keystore.password</name>
  <value>PASSWORD_FOR_JKS_FILE</value>
</property>


In order to connect with Hackolade, PEM keys are required. The following instructions show how to convert a JKS (Java keystore) certificate to PEM:


  1. Install Java if you don't have it: https://www.java.com/en/download/
  2. Install openssl: https://wiki.openssl.org/index.php/Binaries
    1. Linux: sudo apt-get install openssl
    2. MacOS: brew install openssl
    3. Windows: https://slproweb.com/products/Win32OpenSSL.html
  3. Generate PKCS12 key

> keytool -importkeystore -srckeystore keystore.jks -destkeystore myapp.p12 -srcalias myapp-dev -srcstoretype jks -deststoretype pkcs12

keystore.jks - the Java keystore file granting access to Cassandra.

myapp.p12 - intermediate PKCS12 key

myapp-dev - alias used by the keystore

Run the following command to find out which alias the keystore uses:

> keytool -v -list -keystore keystore.jks

The alias is shown in the "Alias name" section.

  4. Generate CA key

> keytool -importkeystore -srckeystore truststore.jks -destkeystore trust.p12 -srcalias myapp-dev -srcstoretype jks -deststoretype pkcs12

  5. Generate .pem key

> openssl pkcs12 -in myapp.p12 -nokeys -out myapp.pem

> openssl pkcs12 -in trust.p12 -nokeys -out ca.pem

> openssl pkcs12 -in myapp.p12 -nodes -nocerts -out myapp.key


  6. Use generated files in Hackolade:

“Certificate Authority”: ca.pem

“Client Certificate”: myapp.pem

“Client Private Key”: myapp.key
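
The mapping from hive-site.xml to the connection settings described in sections 1 to 4 can be checked mechanically. The following is an added example, not code from Hackolade or Hive: it reads a hive-site.xml, derives the values to enter in the connection dialog, and flags combinations the page rules out. Assumptions: the sample XML is constructed, `hive.server2.authentication` is Hive's property name for the authentication parameter (the page lists only its values), and `cliservice` is Hive's default HTTP path.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml (not from a real cluster).
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.thrift.bind.host</name><value>hive.example.com</value></property>
  <property><name>hive.server2.transport.mode</name><value>http</value></property>
  <property><name>hive.server2.thrift.http.port</name><value>10001</value></property>
  <property><name>hive.server2.thrift.http.path</name><value>hive2</value></property>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.use.SSL</name><value>false</value></property>
</configuration>"""

P = "hive.server2."

def connection_settings(hive_site_xml):
    """Return (settings, warnings) for the Hackolade connection dialog."""
    props = {}
    for prop in ET.fromstring(hive_site_xml).iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name and value is not None:
            props[name.strip()] = value.strip()

    mode = props.get(P + "transport.mode", "binary").lower()
    # Assumption: Hive's property name; the page only lists its allowed values.
    auth = props.get(P + "authentication", "NONE").lower()
    ssl = props.get(P + "use.SSL", "false").lower() == "true"
    settings = {
        "host": props.get(P + "thrift.bind.host"),  # None if not set
        "mode": mode, "authentication": auth, "ssl": ssl,
    }
    if mode == "http":
        settings["port"] = int(props.get(P + "thrift.http.port", "10001"))
        settings["http_path"] = props.get(P + "thrift.http.path", "cliservice")
    else:
        settings["port"] = int(props.get(P + "thrift.port", "10000"))

    warnings = []
    if mode not in ("binary", "http"):
        warnings.append(f"unknown transport mode {mode!r}")
    if auth not in ("none", "nosasl", "ldap", "kerberos"):
        warnings.append(f"authentication {auth!r} is not one of the four listed types")
    if mode == "http" and auth in ("ldap", "kerberos"):
        warnings.append("http transport is only available for None (Plain SASL) and NoSASL")
    if auth == "ldap" and not ssl:
        warnings.append("LDAP without SSL sends the password in clear text")
    return settings, warnings
```

For the constructed sample, the function returns two warnings: http transport combined with LDAP, and LDAP without SSL.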

