Support Questions

Find answers, ask questions, and share your expertise

Getting Error While accessing Hive through Hue

avatar
Contributor

Hi,

We are using HDP-2.3.4.0 and Hue-3.8 in our environment. We have enabled SSL for Hiveserver2. We haven't enabled SSL for Hue.

Now, when we are trying to access SSL enabled Hive through Hue we are getting following error:

Error!

Failed to retrieve tables for database: default
[Errno 185090050] _ssl.c:344: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

In hue.ini, under besswax I set following:

  [[ssl]]
 # SSL communication enabled for this server. (optional since Hue 3.8)
  enabled=true
   # Path to Certificate Authority certificates.
  cacerts=/home/dev/hive-certificate/ca-chaincert.pem
  # Choose whether Hue should validate certificates received from the server.
  validate=true

ca-chaincert.pem has following certificates:

echo -n | openssl s_client -connect hadmgrndcc03-2.test.org:10001 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > hadmgrndcc03-2.test.org.pem

keytool -import -alias hadmgrndcc03-2.test.org -file hadmgrndcc03-2.test.org.pem -keystore ca-chaincert.pem

keytool -import -alias rootca -file rootca -keystore ca-chaincert.pem

keytool -import -alias intermediate -file intermediate -keystore ca-chaincert.pem

How to access SSL enabled Hive through Hue? What configurations needs to be done?

Please suggest.

Thanks.

10 REPLIES 10

avatar
Contributor

avatar
Master Mentor

@Bhushan Kandalkar

Here is a tip

In the [[ssl]] section of the filehue.ini (under the beeswax section), set validate to true.

[[ssl]]
# SSL communication enabled for this server.
# Path to certificate authority certificates.
## cacerts=/path/cert.pem
# Choose whether Hue should validate certificates received from the server.
validate=true

On a secure cluster: Make sure that no custom authentication mechanism is turned on and configure the hive-site.xml with the following properties:

<name>hive.server2.thrift.sasl.qop</name>
<value>auth-conf</value>
<description>Sasl QOP value; one of 'auth', 'auth-int' and 'auth-conf'</description>
</property>
  • To restart Hue
  • To restart Hive Metastore
  • To restart HiveServer2

avatar
Contributor

@Geoffrey Shelton Okot, What about cacert? do we need to include it?

avatar
Master Mentor

@Bhushan Kandalkar

When you start or restart Hue on a secure cluster, keys are generated at $HUE_HOME. If generated keystore files already exist in that location, the script does nothing. The script is located here: $HUE_HOME/bin/secure.sh, and it runs with a set of default parameters, which should not be changed.

What is your current cacert path?

avatar
Contributor

@Geoffrey Shelton Okot, I haven't set cacert path. Do we need to import certificates of Hive servers in cacert file? How can I create cacert file? We have internal CA signed certificate for Hive.

avatar
Contributor

@Geoffrey Shelton Okot, here is the info:

In hue.ini, under besswax I set following:

[[ssl]]
# SSL communication enabled for this server. (optional since Hue 3.8)
enabled=true
# Path to Certificate Authority certificates.
cacerts=/home/dev/hive-certificate/ca-chaincert.pem
# Choose whether Hue should validate certificates received from the server.
validate=true

ca-chaincert.pem has following certificates:

echo -n | openssl s_client -connect hadmgrndcc03-2.test.org:10001| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'> hadmgrndcc03-2.test.org.pem
keytool -import-alias hadmgrndcc03-2.test.org -file hadmgrndcc03-2.test.org.pem -keystore ca-chaincert.pem
keytool -import-alias rootca -file rootca -keystore ca-chaincert.pem
keytool -import-alias intermediate -file intermediate -keystore ca-chaincert.pem

avatar
Master Mentor

@Bhushan Kandalkar

I think you need to check this documentation it will help you configure connectivity between Hue and HS2.

Please revert

avatar
Contributor
@Geoffrey Shelton Okot, could you please share link.

avatar
Master Guru
@Bhushan Kandalkar

Yes. you will have to import hive server certs into Hue's truststore.

Personally, I have never tried this however this link can give you more background.