Enable SSL Encryption Between Hue and Hive
Procedure
- Start Hue:
    maprcli node services -name hue -action start -nodes <node name>
  When you start or restart Hue on a secure cluster, keys are generated at $HUE_HOME. If generated keystore files already exist in that location, the script does nothing. The script is located here: $HUE_HOME/bin/secure.sh, and it runs with a set of default parameters, which should not be changed.
- On an unsecure cluster, complete the following steps to generate the keys:
- Update the SSL section of the hue.ini file.
  - For Hue 3.7: In the [[ssl]] section of the hue.ini file (under the beeswax section), add the following SSL configuration information:
      [[ssl]]
      # SSL communication enabled for this server.
      enabled=true
      # Path to certificate authority certificates.
      ## cacerts=/etc/hue/cacerts.pem
      # Path to the private key file.
      key=/opt/mapr/hue/hue-3.6.0/hue_private_keystore.pem
      # Path to the public certificate file.
      cert=/opt/mapr/hue/hue-3.6.0/cert.pem
      # Choose whether Hue should validate certificates received from the server.
      validate=false
  - For Hue 3.8 and above: In the [[ssl]] section of the hue.ini file (under the beeswax section), set validate to false:
      [[ssl]]
      # SSL communication enabled for this server.
      # Path to certificate authority certificates.
      ## cacerts=/etc/hue/cacerts.pem
      # Choose whether Hue should validate certificates received from the server.
      validate=false
- Edit the hive-site.xml file.
  - On an unsecure cluster: Make sure that no custom authentication mechanism is turned on and configure the hive-site.xml with the following properties:
      <property>
        <name>hive.server2.use.SSL</name>
        <value>true</value>
        <description>enable/disable SSL communication</description>
      </property>
      <property>
        <name>hive.server2.keystore.path</name>
        <value>/opt/mapr/conf/ssl_keystore</value>
        <description>path to keystore file</description>
      </property>
      <property>
        <name>hive.server2.keystore.password</name>
        <value>mapr123</value>
        <description>keystore password</description>
      </property>
  - On a secure cluster: Make sure that no custom authentication mechanism is turned on and configure the hive-site.xml with the following properties:
      <property>
        <name>hive.server2.thrift.sasl.qop</name>
        <value>auth-conf</value>
        <description>Sasl QOP value; one of 'auth', 'auth-int' and 'auth-conf'</description>
      </property>
- Restart Hue, Hive Metastore, and HiveServer2.
  - To restart Hue:
      maprcli node services -name hue -action start -nodes <hostname>
  - To restart Hive Metastore:
      maprcli node services -name hivemeta -action start -nodes <space delimited list of nodes>
  - To restart HiveServer2:
      maprcli node services -name hs2 -action start -nodes <space delimited list of nodes>
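
An added example, not part of the original documentation: a Python check that parses the [[ssl]] section of hue.ini and the hive-site.xml properties from the steps above and lists the settings worth reviewing, including validate=false, which leaves the HiveServer2 certificate unvalidated by Hue. The function names and the inline sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs that mirror the settings shown on this page.
HUE_INI = """[beeswax]
  [[ssl]]
    enabled=true
    ## cacerts=/etc/hue/cacerts.pem
    validate=false
"""
HIVE_SITE = """<configuration>
<property><name>hive.server2.use.SSL</name><value>true</value></property>
<property><name>hive.server2.keystore.path</name><value>/opt/mapr/conf/ssl_keystore</value></property>
<property><name>hive.server2.keystore.password</name><value>mapr123</value></property>
</configuration>"""

def hue_section(text, path):
    """Return the key=value pairs of a nested hue.ini section, e.g. ("beeswax", "ssl")."""
    stack, found = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank line or comment, including commented-out "## key=value"
        header = re.fullmatch(r"(\[+)([^\[\]]+)\]+", line)
        if header:  # nesting depth is the number of opening brackets
            stack = stack[:len(header.group(1)) - 1] + [header.group(2).strip()]
        elif "=" in line and tuple(stack) == tuple(path):
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found

def hive_props(xml_text):
    """Map each <property> name to its value in a hive-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit(hue_ini, hive_site):
    """List findings for the Hue-to-HiveServer2 SSL settings described above."""
    ssl, hive = hue_section(hue_ini, ("beeswax", "ssl")), hive_props(hive_site)
    findings = []
    if hive.get("hive.server2.use.SSL", "").lower() != "true":
        findings.append("hive.server2.use.SSL is not true")
    if not hive.get("hive.server2.keystore.path"):
        findings.append("hive.server2.keystore.path is not set")
    if hive.get("hive.server2.keystore.password"):
        findings.append("keystore password is in cleartext in hive-site.xml")
    if ssl.get("validate", "").lower() == "false":
        findings.append("validate=false: Hue does not validate the server certificate")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(HUE_INI, HIVE_SITE)))
```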