Beeline/jdbc connection issue to Hive SSL via Knox SSL


New Contributor

Hello, 

I'm trying to connect from beeline/JDBC to SSL-enabled Hive (3.1.0) via SSL-enabled Knox (1.0.0), but without success.

 

1) The same connection works perfectly fine with SSL disabled on the Hive side (Ambari -> Hive -> Configs -> Settings -> Use SSL = false):

beeline -u "jdbc:hive2://knox_gateway:8443/;ssl=true;sslTrustStore=user_keystore.jks;trustStorePassword=password;transportMode=http;httpPath=gateway/default/hive" -n valid_knox_user -p valid_knox_password

SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/hdp/3.1.0.0-78/hive/lib/log4j-slf4j-impl-2.10.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/hdp/3.1.0.0-78/hadoop/lib/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Connecting to jdbc:hive2://knox_gateway:8443/;ssl=true;sslTrustStore=user_keystore.jks;trustStorePassword=password;transportMode=http;httpPath=gateway/default/hive
Connected to: Apache Hive (version 3.1.0.3.1.0.0-78)
Driver: Hive JDBC (version 3.1.0.3.1.0.0-78)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 3.1.0.3.1.0.0-78 by Apache Hive
0: jdbc:hive2://knox_gateway>

 

 

As soon as SSL is enabled for Hive (Ambari -> Hive -> Configs -> Settings -> Use SSL = true), beeline throws an error:

20/02/28 11:53:42 [main]: ERROR jdbc.HiveConnection: Error opening session
org.apache.thrift.transport.TTransportException: HTTP Response code: 500

 

 

And the Knox gateway log indicates:

2020-02-28 11:33:41,568 WARN  knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) - Connection exception dispatching request: http://hive_server:10001/cliservice?doAs=valid_knox_user org.apache.http.client.ClientProtocolException
org.apache.http.client.ClientProtocolException
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:187)
...
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.http.ProtocolException: The server failed to respond with a valid HTTP response
        at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:149)
        at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:56)
        at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:259)

 

 

It looks like some configuration is needed to instruct Knox to connect to Hive over SSL, but I can't find one. I tried adding the Hive SSL certificate to the Knox gateway truststore located in /var/lib/knox/data-3.1.0.0-78/security/keystores/gateway.jks, but that did not help. Any advice?

Accepted Solution

Re: Beeline/jdbc connection issue to Hive SSL via Knox SSL

New Contributor

Reading my own post gave me an idea how to fix it and that actually worked. So posting the solution just in case. 

In the Advanced topology configuration for Knox (Ambari -> Knox -> Configs -> Advanced topology), the service for Hive had to be updated from:

            <service>
                <role>HIVE</role>
                <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
            </service>

to:

            <service>
                <role>HIVE</role>
                <url>https://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
            </service>
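
An added example, not part of the original post and not Knox or Hive project code: a small check that compares the scheme of the HIVE service URL in a Knox topology against the `hive.server2.use.SSL` property in hive-site.xml, which is the mismatch behind the HTTP 500 above. The function names and both XML samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from a real cluster).
TOPOLOGY = """<topology>
  <service>
    <role>HIVE</role>
    <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
  </service>
  <service>
    <role>WEBHDFS</role>
    <url>http://nn1.example.com:50070/webhdfs</url>
  </service>
</topology>"""

HIVE_SITE = """<configuration>
  <property><name>hive.server2.transport.mode</name><value>http</value></property>
  <property><name>hive.server2.use.SSL</name><value>true</value></property>
</configuration>"""


def hive_ssl_enabled(hive_site_xml):
    """Return True when hive-site.xml sets hive.server2.use.SSL=true."""
    root = ET.fromstring(hive_site_xml)
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == "hive.server2.use.SSL":
            return (prop.findtext("value") or "").strip().lower() == "true"
    return False  # property absent: Hive's default is SSL off


def check_hive_dispatch(topology_xml, hive_site_xml):
    """Return (url, found_scheme, expected_scheme) for each mismatched HIVE URL."""
    want = "https" if hive_ssl_enabled(hive_site_xml) else "http"
    findings = []
    for svc in ET.fromstring(topology_xml).iter("service"):
        if (svc.findtext("role") or "").strip() != "HIVE":
            continue
        for url in svc.findall("url"):  # HA topologies can list several URLs
            text = (url.text or "").strip()
            scheme = urlsplit(text).scheme.lower()
            if scheme != want:
                findings.append((text, scheme, want))
    return findings


if __name__ == "__main__":
    for url, got, want in check_hive_dispatch(TOPOLOGY, HIVE_SITE):
        print(f"MISMATCH: Knox dispatches with {got}:// but Hive expects {want}:// -> {url}")
```
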

 


Re: Beeline/jdbc connection issue to Hive SSL via Knox SSL

Community Manager

I'm happy to see you resolved your issue. Please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. 

 


Cy Jervis, Community Manager
