Enabling SSL Encryption for Impala
About this task
Procedure
- Configure hive-site.xml with the following properties:

    <property>
      <name>hive.metastore.uris</name>
      <value>thrift://<hive_metastore_host>:9083</value>
      <description>IP address or fully-qualified domain name, and port number, of the Hive metastore host</description>
    </property>
    <property>
      <name>hive.server2.use.SSL</name>
      <value>true</value>
      <description>enable/disable SSL communication</description>
    </property>
    <property>
      <name>hive.server2.keystore.path</name>
      <value>/opt/mapr/conf/ssl_keystore</value>
      <description>path to keystore file</description>
    </property>
    <property>
      <name>hive.server2.keystore.password</name>
      <value>mapr123</value>
      <description>keystore password</description>
    </property>
- Add both of the following flags to the Impala start-up options in /opt/mapr/impala/impala-<version>/conf/env.sh:

    Flag                      Description
    -ssl_server_certificate   Full path to the server certificate on the local file system.
    -ssl_private_key          Full path to the server private key on the local file system.

  For more information about configuring Impala start-up options, refer to Additional Impala Configuration Options.
When you add the SSL flags to the Impala start-up options, Impala listens for HiveServer2 requests on the SSL-secured ports. A client program usually has equivalent options to verify a connection to the correct server.
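The following Python check is an added example, not part of the original documentation or of any MapR or Impala tooling. It verifies that the hive-site.xml properties from the first step are set and that both start-up flags from the second step are present with full paths. The sample file contents, host name, certificate paths, keystore password and the IMPALA_SERVER_ARGS variable name are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

HIVE_KEYS = ("hive.server2.keystore.path", "hive.server2.keystore.password")
IMPALA_FLAGS = ("ssl_server_certificate", "ssl_private_key")

def hive_properties(xml_text):
    """Map each <property> name to its value in a hive-site.xml document."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def impala_flags(env_text):
    """Collect -flag=value / --flag=value tokens, skipping commented-out lines."""
    flags = {}
    for line in env_text.splitlines():
        if line.strip().startswith("#"):
            continue  # a commented-out flag is not in effect
        for name, value in re.findall(r"(?<![\w-])--?([a-z_]+)=([^\s\"'\\]+)", line):
            flags[name] = value
    return flags

def audit(hive_xml, env_sh):
    """Return a list of findings; an empty list means every setting is present."""
    findings = []
    props = hive_properties(hive_xml)
    if props.get("hive.server2.use.SSL", "").lower() != "true":
        findings.append("hive.server2.use.SSL is not true")
    findings += [f"{k} is missing or empty" for k in HIVE_KEYS if not props.get(k)]
    flags = impala_flags(env_sh)
    for flag in IMPALA_FLAGS:
        if flag not in flags:
            findings.append(f"-{flag} is not set")
        elif not flags[flag].startswith("/"):
            findings.append(f"-{flag} is not a full path: {flags[flag]}")
    return findings

# Constructed sample input: the private-key flag is commented out, so only one
# of the two required flags is active.
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.use.SSL</name><value>true</value></property>
  <property><name>hive.server2.keystore.path</name><value>/opt/mapr/conf/ssl_keystore</value></property>
  <property><name>hive.server2.keystore.password</name><value>constructed-placeholder</value></property>
</configuration>"""
SAMPLE_ENV_SH = '''# -ssl_private_key=/opt/mapr/conf/impala-server.key
export IMPALA_SERVER_ARGS="-ssl_server_certificate=/opt/mapr/conf/impala-server.pem"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_HIVE_SITE, SAMPLE_ENV_SH):
        print("FINDING:", finding)
```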
After you enable SSL, you can pass the following options when you start impala-shell:

    Option      Description
    --ssl       Enables SSL for impala-shell.
    --ca_cert   Local path name that points to the third-party CA certificate, or to a copy of the server certificate for self-signed server certificates.

If --ca_cert is not set, impala-shell enables SSL but does not validate the server certificate, so the connection is encrypted but the server's identity is not checked. This is useful for connecting to an Impala node that you know is only running over SSL when a copy of the certificate is not available.