https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-SASL-QOP-setting-on-client-and-server/m-p/120022#M22385 <P>Did you ever get a solution for this?</P> Sun, 03 Apr 2016 04:18:28 GMT aervits 2016-04-03T04:18:28Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-SASL-QOP-setting-on-client-and-server/m-p/120021#M22384 <P> Can client connect using a lower standard like auth-int or auth if hive.server2.thrift.sasl.qop is set to auth-conf on hiveserver2?</P> Thu, 10 Mar 2016 00:04:39 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-SASL-QOP-setting-on-client-and-server/m-p/120021#M22384 sunile_manjee 2016-03-10T00:04:39Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-SASL-QOP-setting-on-client-and-server/m-p/120022#M22385 <P>Did you ever get a solution for this?</P> Sun, 03 Apr 2016 04:18:28 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-SASL-QOP-setting-on-client-and-server/m-p/120022#M22385 aervits 2016-04-03T04:18:28Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-SASL-QOP-setting-on-client-and-server/m-p/120023#M22386 <A rel="user" href="https://community.cloudera.com/users/393/aervits.html" nodeid="393">@Artem Ervits</A><P>yes here is the info:</P><P><A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Security_Guide/content/ch_wire-connect.html">HiveServer2</A> implemented encryption with the Java SASL protocol's quality of protection (QOP) setting that allows data moving between a HiveServer2 over JDBC and a JDBC client to be encrypted. For <A href="http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_dataintegration/content/hive-jdbc-odbc-drivers.html">kerberized</A> cluster hiveserver2 binary transport uses sasl qop.</P><P>QOP <A href="http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/Sasl.html#QOP">property</A> can be set to:</P><UL><LI>"auth" - authentication only</LI><LI>"auth-int" - authentication plus integrity protection</LI><LI>"auth-conf" - authentication plus integrity and confidentiality protection</LI></UL><P>This enhancement is available in hive .12+. It was made available via <A href="https://issues.apache.org/jira/browse/HIVE-4911">HIVE-4911</A>. Please be aware of performance degradation due to encryption. Great example on the bottom of the jira.</P> Sun, 03 Apr 2016 07:12:35 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-SASL-QOP-setting-on-client-and-server/m-p/120023#M22386 sunile_manjee 2016-04-03T07:12:35Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-SASL-QOP-setting-on-client-and-server/m-p/120024#M22387 <P>I feel that this wasn't answered clearly.</P><P>I stumbled across this recently and tested with various configurations and full packet captures with tcpdump.</P><P>There are 3 possibilities when hive.server2.thrift.sasl.qop is set to auth-conf:</P><OL><LI>Client connects with ;saslQop=auth-conf - traffic is encrypted</LI><LI>Client tries to connect with ;saslQop=auth - connection is refused with<EM> javax.security.sasl.SaslException: No common protection layer between client and server</EM> exception</LI><LI>Client connects without any saslQop parameter set (this is especially the case with ODBC drivers and software such as Tableau where you cannot - easily - set the JDBC parameters) - traffic is still encrypted. I'm mentioning this as some documentation asks to explicitly set saslQop in the client, but this isn't required, unless you want to enforce this so it doesn't go over unencrypted connections if the server setting changes.</LI></OL> Fri, 23 Sep 2016 20:14:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-SASL-QOP-setting-on-client-and-server/m-p/120024#M22387 aanghel 2016-09-23T20:14:05Z