With SSL Encryption |

This page explains additional steps for using SSL (Secure Sockets Layer) encryption in Hive on MR3.

For simplicity, secure shuffle is not enabled. See Using the MR3 Shuffle Handler for details.
For simplicity, secure connection to database servers for Metastore and Ranger is not enabled. See Enabling SSL for details.

In order to run Ranger 2.1 with SSL, Kerberos should be used for authentication.

Certificates and secrets

Create certificates and secrets by following the instruction in Creating certificates and secrets for SSL.

Copy hivemr3-ssl-certificate.jceks and hivemr3-ssl-certificate.jks in the directories key,ranger-key, and timeline-key.

$ ls key/*{jceks,jks}
key/hivemr3-ssl-certificate.jceks  key/hivemr3-ssl-certificate.jks

$ ls ranger-key/*{jceks,jks}
ranger-key/hivemr3-ssl-certificate.jceks  ranger-key/hivemr3-ssl-certificate.jks

$ ls timeline-key/*{jceks,jks}
timeline-key/hivemr3-ssl-certificate.jceks timeline-key/hivemr3-ssl-certificate.jks

`values-hive.yaml`, `values-ranger.yaml`, and `values-timeline.yaml`

Update values-hive.yaml, values-ranger.yaml, and values-timeline.yaml to create Secrets from files in the directories key, ranger-key, and timeline-key.

$ vi values-hive.yaml

hive:
  createSecret: true

$ vi values-ranger.yaml

ranger:
  createSecret: true

$ vi values-timeline.yaml

timeline:
  createSecret: true

`helm/hive/env-secret.sh`

$ vi helm/hive/env-secret.sh

HIVE_SERVER2_SSL_TRUSTSTOREPASS=MySslPassword123
export HADOOP_CREDSTORE_PASSWORD=MySslPassword123

HIVE_SERVER2_SSL_TRUSTSTOREPASS and HADOOP_CREDSTORE_PASSWORD should be set to the password for KeyStores and TrustStores (specified when creating certificates and secrets). HADOOP_CREDSTORE_PASSWORD should be appended to the values of the configuration keys mr3.am.launch.env and mr3.container.launch.env in conf/mr3-site.xml.

$ vi conf/mr3-site.xml

<name>mr3.am.launch.env</name>
  <value>LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$HADOOP_HOME/lib/native/,HADOOP_CREDSTORE_PASSWORD,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,USE_JAVA_17</value>
</property>

<property>
  <name>mr3.container.launch.env</name>
  <value>LD_LIBRARY_PATH=/opt/mr3-run/hadoop/apache-hadoop/lib/native,HADOOP_CREDSTORE_PASSWORD,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,USE_JAVA_17</value>
</property>

`helm/timeline/env.sh`

$ vi helm/timeline/env.sh

export HADOOP_CREDSTORE_PASSWORD=MySslPassword123

HADOOP_CREDSTORE_PASSWORD should be set to the password for KeyStores and TrustStores (specified when creating certificates and secrets).

Configuring for SSL Encryption

Follow the instructions in Configuring for SSL Encryption.

Certificates and secrets

values-hive.yaml, values-ranger.yaml, and values-timeline.yaml

helm/hive/env-secret.sh

helm/timeline/env.sh

Configuring for SSL Encryption

`values-hive.yaml`, `values-ranger.yaml`, and `values-timeline.yaml`

`helm/hive/env-secret.sh`

`helm/timeline/env.sh`