Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Hive SASL QOP setting on client and server

Labels:
avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎03-09-2016 04:04 PM

Can client connect using a lower standard like auth-int or auth if hive.server2.thrift.sasl.qop is set to auth-conf on hiveserver2?

8,356 Views
0
1 ACCEPTED SOLUTION

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎04-03-2016 12:12 AM

@Artem Ervits

yes here is the info:

HiveServer2 implemented encryption with the Java SASL protocol's quality of protection (QOP) setting that allows data moving between a HiveServer2 over JDBC and a JDBC client to be encrypted. For kerberized cluster hiveserver2 binary transport uses sasl qop.

QOP property can be set to:

  • "auth" - authentication only
  • "auth-int" - authentication plus integrity protection
  • "auth-conf" - authentication plus integrity and confidentiality protection

This enhancement is available in hive .12+. It was made available via HIVE-4911. Please be aware of performance degradation due to encryption. Great example on the bottom of the jira.

View solution in original post

5,128 Views
0 Kudos
0
3 REPLIES 3

avatar
author-rank aervits
Master Mentor

Created ‎04-02-2016 09:18 PM

Did you ever get a solution for this?

5,128 Views
0 Kudos

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎04-03-2016 12:12 AM

@Artem Ervits

yes here is the info:

HiveServer2 implemented encryption with the Java SASL protocol's quality of protection (QOP) setting that allows data moving between a HiveServer2 over JDBC and a JDBC client to be encrypted. For kerberized cluster hiveserver2 binary transport uses sasl qop.

QOP property can be set to:

  • "auth" - authentication only
  • "auth-int" - authentication plus integrity protection
  • "auth-conf" - authentication plus integrity and confidentiality protection

This enhancement is available in hive .12+. It was made available via HIVE-4911. Please be aware of performance degradation due to encryption. Great example on the bottom of the jira.

5,129 Views
0 Kudos
0

avatar
author-rank aanghel author-rank
Super Collaborator

Created ‎09-23-2016 01:14 PM

I feel that this wasn't answered clearly.

I stumbled across this recently and tested with various configurations and full packet captures with tcpdump.

There are 3 possibilities when hive.server2.thrift.sasl.qop is set to auth-conf:

  1. Client connects with ;saslQop=auth-conf - traffic is encrypted
  2. Client tries to connect with ;saslQop=auth - connection is refused with javax.security.sasl.SaslException: No common protection layer between client and server exception
  3. Client connects without any saslQop parameter set (this is especially the case with ODBC drivers and software such as Tableau where you cannot - easily - set the JDBC parameters) - traffic is still encrypted. I'm mentioning this as some documentation asks to explicitly set saslQop in the client, but this isn't required, unless you want to enforce this so it doesn't go over unencrypted connections if the server setting changes.
5,128 Views
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements