Hive JDBC via Knox and configuring Hive in Ranger


I have an HDP-2.2 cluster with FreeIPA configured, and we are trying to access Hive JDBC via Knox. The following is the JDBC URI that we are using:

jdbc:hive2://xxxxxxxxxxx:8443/;ssl=true;sslTrustStore=/var/lib/knox/data/security/keystores/gateway.jks;trustStorePassword=xxxxxxxxxxxx?hive.server2.transport.mode=http;hive.server2.thrift.http.path=gateway/default/hive

Below is the error I am getting:

Keystore was tampered with, or password was incorrect (state=08S01,code=0)

It seems that the trustStore password does not match the one mentioned in the JDBC URI. I tried changing the Knox master password, but Ambari does not allow changing it. Is there any way I can change the trustStore password and create a new Knox master? Will it affect the other services if the master secret password is changed?

In addition to that, if I use the same URI for creating the Hive repository in Ranger, we get a "Connection failed" error. Is the same JDBC URI to be used in Ranger to create the repository for Hive?

Note: If I set the Hive transport mode to "binary" instead of "http", then we are able to create the repository in Ranger, but in that case Hive over Knox will not work, as it requires "http" mode.

1 ACCEPTED SOLUTION

Hi Saptak, here are the usual passwords for Knox that I have seen. You can try those.
  • Default if not specified: hadoop
  • On Sandbox: knox

As for changing it, I haven't done it before, but you can check the knoxcli.sh for that.

http://knox.apache.org/books/knox-0-6-0/user-guide.html

Master secret persistence
bin/knoxcli.sh create-master [--force][--help]
Creates and persists an encrypted master secret in a file within {GATEWAY_HOME}/data/security/master.
NOTE: This command fails when there is an existing master file in the expected location. You may force it to overwrite the master file with the --force switch. NOTE: this will require you to change passwords protecting the keystores for the gateway identity keystores and all credential stores.


2 REPLIES 2


Just to add context to this correct answer, the password required here to access the gateway.jks keystore is the password provided as the Knox master secret in Ambari when Knox was installed. The Ambari install scripts for Knox use the described knoxcli.sh create-master command "under the covers".
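
The "Keystore was tampered with, or password was incorrect" message in the question is raised by the JDK when the keystore's trailing integrity hash does not match the supplied password. As an added example (not from this thread or from the Knox project), the Python code below reproduces that check for a JKS file, so a candidate trustStorePassword can be tested against a copy of gateway.jks before it goes into the JDBC URI. It assumes the file is in JKS format; the function names are hypothetical and the sample keystore is constructed.

```python
import getpass
import hashlib
import hmac
import struct
import sys

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JDK mixes into the JKS integrity hash


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over (password as UTF-16BE) + fixed salt + keystore body."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def jks_password_matches(store: bytes, password: str) -> bool:
    """Return True when `password` passes the integrity check run on keystore load."""
    if len(store) < 32:  # 12-byte header + 20-byte SHA-1 trailer
        raise ValueError("too short to be a JKS keystore")
    magic, _version, _count = struct.unpack(">III", store[:12])
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS keystore (PKCS12/JCEKS use a different check)")
    body, trailer = store[:-20], store[-20:]
    return hmac.compare_digest(jks_digest(password, body), trailer)


def build_empty_jks(password: str) -> bytes:
    """Constructed sample input: a version-2 JKS with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


if __name__ == "__main__":
    # Usage: python check_jks.py /path/to/copy-of-gateway.jks
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()
    # Prompt instead of taking the password as an argument, so it stays out
    # of shell history and the process list.
    ok = jks_password_matches(data, getpass.getpass("Keystore password: "))
    print("password matches" if ok else "password does not match this keystore")
    sys.exit(0 if ok else 1)
```

A mismatch here means the JDBC client will fail with the same error regardless of the Hive or Knox topology settings, which separates the password problem from the transport-mode question.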