Support Questions

cjervis · ‎02-28-2020

Hello,

I'm trying to connect from beeline/jdbc to ssl enabled Hive (3.1.0) via ssl enabled Knox ( 1.0.0 ) but without success.

1) The same connection works perfectly fine with ssl disabled on Hive side

( Ambari -> Hive -> Configs -> Settings -> Use SSL = false )

beeline -u "jdbc:hive2://knox_gateway:8443/;ssl=true;sslTrustStore=user_keystore.jks;trustStorePassword=password;transportMode=http;httpPath=gateway/default/hive" -n valid_knox_user -p valid_knox_password

SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/hdp/3.1.0.0-78/hive/lib/log4j-slf4j-impl-2.10.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/hdp/3.1.0.0-78/hadoop/lib/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See <a href="<a href="http://www.slf4j.org/codes.html#multiple_bindings" target="_blank">http://www.slf4j.org/codes.html#multiple_bindings</a>" target="_blank"><a href="http://www.slf4j.org/codes.html#multiple_bindings</a" target="_blank">http://www.slf4j.org/codes.html#multiple_bindings</a</a>> for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Connecting to jdbc:hive2://knox_gateway:8443/;ssl=true;sslTrustStore=user_keystore.jks;trustStorePassword=password;transportMode=http;httpPath=gateway/default/hive
Connected to: Apache Hive (version 3.1.0.3.1.0.0-78)
Driver: Hive JDBC (version 3.1.0.3.1.0.0-78)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 3.1.0.3.1.0.0-78 by Apache Hive
0: jdbc:hive2://knox_gateway>

As soon as the ssl is enabled for Hive( Ambari -> Hive -> Configs -> Settings -> Use SSL = true)

beeline throws error:

20/02/28 11:53:42 [main]: ERROR jdbc.HiveConnection: Error opening session
org.apache.thrift.transport.TTransportException: HTTP Response code: 500

And knox gateway log indicates:

2020-02-28 11:33:41,568 WARN  knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) - Connection exception dispatching request: <a href="http://hive_server:10001/cliservice?doAs=valid_knox_user" target="_blank">http://hiver_server:10001/cliservice?doAs=valid_knox_user</a> org.apache.http.client.ClientPr
otocolException
org.apache.http.client.ClientProtocolException
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:187)
...
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.http.ProtocolException: The server failed to respond with a valid HTTP response
        at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:149)
        at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:56)
        at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:259)

Looks like some configuration is needed to instruct knox to connect to hive over ssl but can't find such. I tried to add Hive ssl certificate to Knox gateway truststore located in /var/lib/knox/data-3.1.0.0-78/security/keystores/gateway.jks but that did not help. Any advice ?

leszek_liberda · ‎02-28-2020

Reading my own post gave me an idea how to fix it and that actually worked. So posting the solution just in case.

In Advance topology configuration for knox ( Ambari -> Knox -> Configs -> Advanced topology )

The service for Hive had to be updated from :

            <service>
                <role>HIVE</role>
                <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
            </service>

To

            <service>
                <role>HIVE</role>
                <url>https://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
            </service>

View solution in original post

leszek_liberda · ‎02-28-2020

Reading my own post gave me an idea how to fix it and that actually worked. So posting the solution just in case.

In Advance topology configuration for knox ( Ambari -> Knox -> Configs -> Advanced topology )

The service for Hive had to be updated from :

            <service>
                <role>HIVE</role>
                <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
            </service>

To

            <service>
                <role>HIVE</role>
                <url>https://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
            </service>

cjervis · ‎02-28-2020

I'm happy to see you resolved your issue. Please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.

mark as solution button

Cy Jervis, Manager, Community Program
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Cloudera Community

Support Questions

Beeline/jdbc connection issue to Hive SSL via Knox SSL

beeline connect via Knox - SSL issue

Demystify Knox, LDAP, SSL, CA Cert integration

NIFI SSL in Modern Versions of NiFi

Kafka in SSL+KERBEROS, and Spark2 connecting SSL S...

Knox over Hive SSL Failed

Can't Connect to Impala from ODBC with SSL

Ranger SSL - pitfalls

connect HiveServer2 to MySQL metastore over SSL

How to Connect To Hive via Knox Using ODBC

Recreate Ambari's CA, used to sign SSL certificate...