Enabling SSL for the Spark SQL Thrift Server

Communication with the Spark SQL Thrift Server can be encrypted using SSL.

The following instructions give an example of how to set up SSL with a self-signed keystore and truststore.

There are two instances of the hive-site.xml file.

For use with Spark, the default location of the hive-site.xml file is:

Installer-Services and Package installations: /etc/dse/spark/hive-site.xml
Installer-No Services and Tarball installations: install_location/resources/spark/conf/hive-site.xml

For use with Hive, the default location of the hive-site.xml file is:

Installer-Services and Package installations: /etc/dse/hive/hive-site.xml
Installer-No Services and Tarball installations: install_location/resources/hive/conf/hive-site.xml

Procedure

  1. Create the sample keystore and truststore using the keytool command.
    keytool -genkey -alias hostname -keyalg RSA -keystore keystore.jks -keysize 2048 -noprompt -dname "CN=hostname, OU=test, O=test, L=test, S=test, C=test" -storepass truststore_password -keypass keystore_password
    keytool -export -alias hostname -file hostname.crt -keystore keystore.jks -noprompt -storepass truststore_password
    keytool -import -trustcacerts -alias hostname -file hostname.crt -keystore truststore.jks -storepass truststore_password -noprompt
  2. Add the required settings to enable SSL to the hive-site.xml configuration file.
        <property>
            <name>hive.server2.thrift.bind.host</name>
            <value>hostname</value>
        </property>
        <property>
            <name>hive.server2.use.SSL</name>
            <value>true</value>
        </property>
        <property>
            <name>hive.server2.keystore.path</name>
            <value>path_to_keystore/keystore.jks</value>
        </property>
        <property>
            <name>hive.server2.keystore.password</name>
            <value>keystore_password</value>
        </property>
  3. Start the Spark SQL Thrift server.
    dse spark-sql-thriftserver start
  4. Test the connection with Beeline.
    dse spark-beeline
    beeline> !connect jdbc:hive2://hostname:10000/default;ssl=true;sslTrustStore=path_to_truststore/truststore.jks;trustStorePassword=truststore_password
    Note: The JDBC URL for the Simba JDBC Driver is:
    jdbc:spark://hostname:10000/default;SSL=1;SSLTrustStore=path_to_truststore/truststore.jks;SSLTrustStorePwd=truststore_password
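
A check for the settings from step 2, as an added example that is not part of the original page or DataStax code: it parses a hive-site.xml, reports any of the four SSL properties that are missing or disabled, and flags a world-readable file because the keystore password is stored there in cleartext. The function names, the `<configuration>` root element, the sample values and the permission policy are assumptions made for this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

# The four properties that step 2 adds to hive-site.xml.
REQUIRED = ("hive.server2.thrift.bind.host", "hive.server2.use.SSL",
            "hive.server2.keystore.path", "hive.server2.keystore.password")

def load_properties(xml_text):
    """Return {name: value} for every <property> element in the document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_ssl(xml_text, file_mode=None, keystore_exists=os.path.isfile):
    """Return a list of findings; an empty list means nothing was flagged."""
    props = load_properties(xml_text)
    findings = [f"missing or empty: {n}" for n in REQUIRED if not props.get(n)]
    use_ssl = props.get("hive.server2.use.SSL")
    if use_ssl and use_ssl.lower() != "true":
        findings.append("hive.server2.use.SSL is not true: traffic is not encrypted")
    keystore = props.get("hive.server2.keystore.path")
    if keystore and not keystore_exists(keystore):
        findings.append(f"keystore file not found: {keystore}")
    # The keystore password sits in this file in cleartext, so flag a
    # world-readable mode (a policy choice made for this example).
    if file_mode is not None and file_mode & stat.S_IROTH:
        findings.append("hive-site.xml is world-readable and holds the keystore password")
    return findings

def audit_file(path):
    """Audit a hive-site.xml on disk, including its permission bits."""
    with open(path, encoding="utf-8") as fh:
        return audit_ssl(fh.read(), file_mode=os.stat(path).st_mode)

# Constructed sample (not from a real node): SSL switched off, no password set.
SAMPLE_BAD = """<configuration>
  <property><name>hive.server2.thrift.bind.host</name><value>node1</value></property>
  <property><name>hive.server2.use.SSL</name><value>false</value></property>
  <property><name>hive.server2.keystore.path</name><value>/path/to/keystore.jks</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_ssl(SAMPLE_BAD, file_mode=0o644):
        print("FINDING:", finding)
```

Run `audit_file` against the hive-site.xml under the Spark configuration directory before starting the Thrift server in step 3.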