Hive can be configured to provide User Authentication, which ensures that only authorized users can communicate with Hive.  


The Hackolade connection settings must match the configuration of the hive-site.xml for the HiveServer2 setup where:

  • HOST is a host name of the machine Hive is running on (e.g. localhost, 0.0.0.0, hive.company.com etc.).
  • According to the mode option, either BINARY_PORT or HTTP_PORT is set up (by default they are 10000 and 10001 accordingly).
  • The authentication parameter must be "none", “nosasl”, "ldap", or "kerberos"
  • MODE is the transport mode for Thrift protocol. It can be “http” or “binary”.
  • HTTP_PATH is the option to define a URI to the hive server (e.g. if HTTP_PATH is hive2 the URI of Hive server will be http://localhost:10001/hive2).


1) Host name and port number

In the connection tab, first give a friendly name to the connection settings.  This name is only used in Hackolade to help manage multiple connections.



Set the host name of the machine the Hive is running (e.g. localhost, 0.0.0.0, hive.example.com etc.)  corresponding to:

<property>

<name>hive.server2.thrift.bind.host</name>

<value>hive.example.com</value>

</property>


If in binary transport mode, the port number must correspond to the port number in:

<property>

<name>hive.server2.thrift.port</name>

<value>10001</value>

</property>



If in http transport mode, the port number must correspond to the port number in:

<property>

<name>hive.server2.thrift.http.port</name>

<value>10001</value>

</property>


2) Authentication type

You may choose between the following protocols:

- None (Plain SASL)

- NoSASL

- LDAP

- Kerberos



3) Transport mode

In the options tab, choose the transport mode, either binary (default) or http.  


<property>

<name>hive.server2.transport.mode</name>

<value>MODE</value>

</property> 




Http transport mode is available for all transport types (Plain SASL, NoSASL, LDAP or Kerberos.)  If the chosen transport mode is http, then the HTTP path must be specified:

<property>

<name>hive.server2.thrift.http.path</name>

<value>hive2</value>

</property>


4) SSL

Hackolade is able to connect to Hive via SSL connection with all of the authentication types: “None (PlainSASL)”, "NoSASL", “LDAP” and “Kerberos”. Hive uses the following configuration in the hive-site.xml file:

<property>

<name>hive.server2.use.SSL</name>

<value>true</value>

</property>

<property>

<name>hive.server2.keystore.path</name>

<value>PATH_TO_JKS_FILE</value>

</property>

<property>

<name>hive.server2.keystore.password</name>

<value>PASSWORD_FOR_JKS_FILE</value>

</property>


4a) Accessing the keystore directly

Specify the path and filename to keystore, the access password, and the alias name for the Hive instance.


4b) Convert the keystore into PEM keys.


The following instruction shows how to convert JKS (java key store) certificate to PEM:


  1. Install java if you don't have it: https://www.java.com/en/download/
  2. Install openssl: https://wiki.openssl.org/index.php/Binaries
    1. Linux: sudo apt-get install openssl
    2. MacOS: brew install openssl
    3. Windows: https://slproweb.com/products/Win32OpenSSL.html
  3. Find out alias used by keystore

Run the following command to find out what alias is used by keystore:

> keytool -v -list -keystore keystore.jks

where keystore.jks is the java key store file granting access to the cassandra instance

alias will be in the section “Alias name”

  1. Generate PKS key

> keytool -importkeystore -srckeystore keystore.jks -destkeystore myapp.p12 -srcalias myapp-dev -srcstoretype jks -deststoretype pkcs12

keystore.jks - the java key store file granting access to the hive instance

myapp.p12 - intermediate PKS key

myapp-dev - alias used by keystore and determined in step 3 above

      5. Generate CA key

> keytool -importkeystore -srckeystore truststore.jks -destkeystore trust.p12 -srcalias myapp-dev -srcstoretype jks -deststoretype pkcs12

      6. Generate .pem key

> openssl pkcs12 -in myapp.p12 -nokeys -out myapp.pem

> openssl pkcs12 -in trust.p12 -nokeys -out ca.pem

> openssl pkcs12 -in myapp.p12 -nodes -nocerts -out myapp.key


      7. Use generated files in Hackolade:

“Certificate Authority”: ca.pem

“Client Certificate”: myapp.pem

“Client Private Key”: myapp.key




More information can be found here.