With SSL Encryption
This page explains additional steps for using SSL (Secure Sockets Layer) encryption in Hive on MR3. For simplicity, secure connection to database servers for Metastore and Ranger is not enabled. See SSL Encryption for details.
Certificates and secrets
Create certificates and secrets by following the instructions in Creating certificates and secrets for SSL.
Copy hivemr3-ssl-certificate.jceks and hivemr3-ssl-certificate.jks
in the directories hive/key and ranger/key.
ls hive/key/*{jceks,jks}
hive/key/hivemr3-ssl-certificate.jceks hive/key/hivemr3-ssl-certificate.jks
ls ranger/key/*{jceks,jks}
ranger/key/hivemr3-ssl-certificate.jceks ranger/key/hivemr3-ssl-certificate.jks
hive/values-hive.yaml and ranger/values-ranger.yaml
Update hive/values-hive.yaml and ranger/values-ranger.yaml
to create Secrets from files in the directories hive/key and ranger/key.
vi hive/values-hive.yaml
hive:
createSecret: true
vi ranger/values-ranger.yaml
ranger:
createSecret: true
hive/env-secret.sh
Update hive/env-secret.sh as follows.
vi hive/env-secret.sh
HIVE_SERVER2_SSL_TRUSTSTOREPASS=MySslPassword123
export HADOOP_CREDSTORE_PASSWORD=MySslPassword123
HIVE_SERVER2_SSL_TRUSTSTOREPASSandHADOOP_CREDSTORE_PASSWORDshould be set to the password for KeyStores and TrustStores (specified when creating certificates and secrets).
HADOOP_CREDSTORE_PASSWORD should be appended to the values of the configuration keys mr3.am.launch.env and mr3.container.launch.env
in hive/conf/mr3-site.xml.
vi hive/conf/mr3-site.xml
<name>mr3.am.launch.env</name>
<value>LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/mr3-run/hadoop/apache-hadoop/lib/native,HADOOP_CREDSTORE_PASSWORD,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION</value>
</property>
<property>
<name>mr3.container.launch.env</name>
<value>LD_LIBRARY_PATH=/opt/mr3-run/hadoop/apache-hadoop/lib/native,HADOOP_CREDSTORE_PASSWORD,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION</value>
</property>
Configuring for SSL Encryption
Follow the instructions in Configuring for SSL Encryption.