Secure Hive SSL - stanislawbartkowski/hdpwiredencryption GitHub Wiki
The steps are very similar to those for the HDFS plugin, but tailored for the Hive component.
On HiveServer2 node, prepare Ranger plugin keystore
```
cd /etc/hive/conf
```
Important: remember the CN name. Do not use the FQDN hostname; the CN name should be different from the CN names of all other plugins.
```
keytool -genkey -keyalg RSA -alias rangerHiveAgent -keystore ranger-plugin-keystore.jks -validity 360 -keysize 2048
Enter keystore password:
What is your first and last name?
[Unknown]: rangerhiveplugin
What is the name of your organizational unit?
[Unknown]: AA
What is the name of your organization?
[Unknown]: BB
```
Create Hive Ranger Plugin truststore, import Ranger Admin certificate
```
keytool -import -file /root/ranger-admin-trust.cer -alias rangeradmintrust -keystore ranger-plugin-truststore.jks
```
Secure stores
```
chown hive: *.jks
chmod 400 *.jks
```
Export Ranger Plugin certificate
```
keytool -export -keystore ranger-plugin-keystore.jks -alias rangerHiveAgent -file ranger-hiveAgent-trust.cer
```
On the Ranger Admin node, import the certificate into the Ranger Admin truststore, using a different alias name.
```
cd /etc/ranger/admin/conf
keytool -import -file /root/ranger-hiveAgent-trust.cer -alias rangerHiveAgentTrust -keystore ranger-admin-truststore.jks
```
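A check of the two conditions the steps above depend on: the plugin CN is neither the host FQDN nor reused by another plugin, and Ranger Admin trusts the same certificate the plugin keystore holds. This is an added example, not part of the original wiki; it parses `keytool -list -v` output, and the listings, the host name `hive1.example.com` and the other plugin's CN `rangerhdfsplugin` are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example. Real input comes from (each prompts for the store password):
#   keytool -list -v -keystore ranger-plugin-keystore.jks -alias rangerHiveAgent
#   keytool -list -v -keystore ranger-admin-truststore.jks -alias rangerHiveAgentTrust

# Constructed sample listings (fingerprints shortened, not real certificates).
PLUGIN_LISTING='Alias name: rangerhiveagent
Entry type: PrivateKeyEntry
Owner: CN=rangerhiveplugin, OU=AA, O=BB, L=Unknown, ST=Unknown, C=Unknown
Certificate fingerprints:
     SHA256: 3A:91:0C:77:E2:5B:D4:18'
ADMIN_LISTING='Alias name: rangerhiveagenttrust
Entry type: trustedCertEntry
Owner: CN=rangerhiveplugin, OU=AA, O=BB, L=Unknown, ST=Unknown, C=Unknown
Certificate fingerprints:
     SHA256: 3A:91:0C:77:E2:5B:D4:18'

# Lowercase a string so CN and host name comparisons ignore case.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the CN of the first "Owner:" line read on stdin.
owner_cn() { awk -F'CN=' '/^Owner:/ { split($2, p, ","); print p[1]; exit }'; }

# Print the first SHA256 fingerprint read on stdin.
sha256_fp() { awk '$1 == "SHA256:" { print $2; exit }'; }

# cn_ok CN HOST_FQDN [OTHER_PLUGIN_CN...]
# Succeeds only if CN is non-empty, is not the host FQDN, and is not used by another plugin.
cn_ok() {
  local cn fqdn other
  cn=$(lc "$1"); fqdn=$(lc "$2"); shift 2
  [ -n "$cn" ] || return 1
  [ "$cn" != "$fqdn" ] || return 1
  for other in "$@"; do
    [ "$cn" != "$(lc "$other")" ] || return 1
  done
  return 0
}

# same_cert LISTING_A LISTING_B: both listings carry the same non-empty SHA256 fingerprint.
same_cert() {
  local a b
  a=$(printf '%s\n' "$1" | sha256_fp); b=$(printf '%s\n' "$2" | sha256_fp)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

cn=$(printf '%s\n' "$PLUGIN_LISTING" | owner_cn)
if cn_ok "$cn" hive1.example.com rangerhdfsplugin && same_cert "$PLUGIN_LISTING" "$ADMIN_LISTING"; then
  echo "OK: CN=$cn is distinct and Ranger Admin trusts the plugin certificate"
else
  echo "FAIL: fix the CN or re-import the plugin certificate on Ranger Admin"
fi
```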
Hive->Configs->Advanced->Advanced ranger-stlas-policymgr-ssl
Property | Sample value |
---|---|
xasecure.policymgr.clientssl.keystore | /etc/hive/conf/ranger-plugin-keystore.jks |
xasecure.policymgr.clientssl.keystore.password | secret |
xasecure.policymgr.clientssl.truststore | /etc/hive/conf/ranger-plugin-truststore.jks |
xasecure.policymgr.clientssl.truststore.password | secret |
Restart Hive and Ranger
Ranger Admin UI-> Access Manager -> <cluster_name>_hive
Enter the DN of the Ranger Atlas Plugin certificate (rangerhiveplugin) into the Common Name for Certificate field.
Audit-> Plugins
<cluster>_hive should report HTTP Response Code 200 with a recent date.
As user sb, try to create a table in the Hive default database.
```
beeline -n sb
create table test (x int);
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [sb] does not have [CREATE] privilege on [default/test] (state=42000,code=40000)
```
Create a Hive Ranger policy for user sb and grant all privileges in the default database.
Wait a minute and try again.
```
create table test (x int);
INFO : OK
No rows affected (1,38 seconds)
```