Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Hive SASL QOP setting on client and server

Labels:
avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎03-09-2016 04:04 PM

Can client connect using a lower standard like auth-int or auth if hive.server2.thrift.sasl.qop is set to auth-conf on hiveserver2?

8,072 Views
1 ACCEPTED SOLUTION

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎04-03-2016 12:12 AM

@Artem Ervits

yes here is the info:

HiveServer2 implemented encryption with the Java SASL protocol's quality of protection (QOP) setting that allows data moving between a HiveServer2 over JDBC and a JDBC client to be encrypted. For kerberized cluster hiveserver2 binary transport uses sasl qop.

QOP property can be set to:

  • "auth" - authentication only
  • "auth-int" - authentication plus integrity protection
  • "auth-conf" - authentication plus integrity and confidentiality protection

This enhancement is available in hive .12+. It was made available via HIVE-4911. Please be aware of performance degradation due to encryption. Great example on the bottom of the jira.

View solution in original post

4,844 Views
0 Kudos
3 REPLIES 3

avatar
author-rank aervits
Master Mentor

Created ‎04-02-2016 09:18 PM

Did you ever get a solution for this?

4,844 Views
0 Kudos

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎04-03-2016 12:12 AM

@Artem Ervits

yes here is the info:

HiveServer2 implemented encryption with the Java SASL protocol's quality of protection (QOP) setting that allows data moving between a HiveServer2 over JDBC and a JDBC client to be encrypted. For kerberized cluster hiveserver2 binary transport uses sasl qop.

QOP property can be set to:

  • "auth" - authentication only
  • "auth-int" - authentication plus integrity protection
  • "auth-conf" - authentication plus integrity and confidentiality protection

This enhancement is available in hive .12+. It was made available via HIVE-4911. Please be aware of performance degradation due to encryption. Great example on the bottom of the jira.

4,845 Views
0 Kudos

avatar
author-rank aanghel author-rank
Super Collaborator

Created ‎09-23-2016 01:14 PM

I feel that this wasn't answered clearly.

I stumbled across this recently and tested with various configurations and full packet captures with tcpdump.

There are 3 possibilities when hive.server2.thrift.sasl.qop is set to auth-conf:

  1. Client connects with ;saslQop=auth-conf - traffic is encrypted
  2. Client tries to connect with ;saslQop=auth - connection is refused with javax.security.sasl.SaslException: No common protection layer between client and server exception
  3. Client connects without any saslQop parameter set (this is especially the case with ODBC drivers and software such as Tableau where you cannot - easily - set the JDBC parameters) - traffic is still encrypted. I'm mentioning this as some documentation asks to explicitly set saslQop in the client, but this isn't required, unless you want to enforce this so it doesn't go over unencrypted connections if the server setting changes.
4,844 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements