Hive Password Encryption
EEP 4.0 introduces a default configuration for Hive Metastore password encryption when Hive is set up through the Data Fabric Installer. Without it, the metastore password is stored in clear text in the hive-site.xml file.
The javax.jdo.option.ConnectionPassword property is encrypted automatically, so the following clear-text entry is no longer needed in hive-site.xml:

    <property>
      <name>javax.jdo.option.ConnectionPassword</name>
      <value>{password}</value>
    </property>
The hadoop.security.credential.provider.path configuration property replaces the javax.jdo.option.ConnectionPassword property in the hive-site.xml file. Its value is the path to the keystore file created by the Hadoop Credential Provider. Credential providers keep the password for the underlying database out of clear text. By default, the Data Fabric Installer creates the keystore file in the Data Fabric file system at /user/${MAPR_USER}/hivemetastore.jceks.
The hive.server2.webui.keystore.password, hive.server2.keystore.password, and templeton.keystore.password properties are read automatically from the /opt/mapr/conf/ssl-client.xml file without any additional steps on your part. You can still encrypt them manually and store them in *.jceks files.
Reset Data Fabric Installer Default Configuration
To remove the changes made by the Data Fabric Installer and reset Hive to its default setting:
- Open the hive-site.xml file.
- Delete the hadoop.security.credential.provider.path property.
- Add the javax.jdo.option.ConnectionPassword property.
- Save and close the hive-site.xml file.
Note that after this reset the metastore password is once again stored in clear text in hive-site.xml.
Manual Password Encryption
When you use the hadoop credential command to provision a password or secret to a particular credential store provider, use the -provider command line option to state explicitly which provider store to use. If a path listing multiple providers is given, the first non-transient provider is used, which may or may not be the one you intended.
To encrypt a password manually:
- Create the keystore file using the Hadoop Credential Provider:

    hadoop credential create javax.jdo.option.ConnectionPassword -provider <path-to-keystore>

  where <path-to-keystore> is jceks://<file-system-name>/<path-to-keystore>, for example jceks://maprfs/user/mapr/hivemetastore.jceks.
  NOTE: On running the command, you are prompted to enter and re-enter the password to encrypt. Once you provide and confirm the password, the javax.jdo.option.ConnectionPassword alias is created and the org.apache.hadoop.security.alias.JavaKeyStoreProvider is updated.
- Delete the javax.jdo.option.ConnectionPassword property from the hive-site.xml file:

    <property>
      <name>javax.jdo.option.ConnectionPassword</name>
      <value>{yourpassword}</value>
    </property>

- Add the hadoop.security.credential.provider.path property to the /opt/mapr/hive/<hive-release-version>/conf/hive-site.xml file:

    <property>
      <name>hadoop.security.credential.provider.path</name>
      <value>jceks://maprfs/user/mapr/hivemetastore.jceks</value>
      <description>specify password to use against metastore database here</description>
    </property>

- Restart the Hive services to pick up the new configuration:

    maprcli node services -name hivemeta -action restart -nodes `hostname -f`
    maprcli node services -name hs2 -action restart -nodes `hostname -f`
    maprcli node services -name hcat -action restart -nodes `hostname -f`
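The "first non-transient provider" rule above is easy to trip over when hadoop.security.credential.provider.path already lists several stores. The following shell functions are an added example, not code from the original page or from the Hadoop project: they reproduce that selection rule so you can see which store a hadoop credential create would actually write to, and warn when it is not the one you meant. The classification of provider schemes is an assumption about Hadoop's built-in providers (user:/// is the transient UserProvider; jceks://, localjceks:// and bcfks:// are persistent keystores).

```shell
#!/bin/sh
# Added example (not from the original page or the Hadoop project): emulate how
# "hadoop credential create" picks a store when several providers are listed.
# Assumption: among Hadoop's built-in providers only user:/// is transient;
# jceks://, localjceks:// and bcfks:// are persistent keystore files.

# usage: first_nontransient_provider "uri1,uri2,..."
# Prints the provider a create would write to and returns 0, or prints
# nothing and returns 1 when every entry in the path is transient.
first_nontransient_provider() {
  old_ifs=$IFS
  IFS=','
  for entry in $1; do
    case $entry in
      user:///*) ;;   # transient: held only in the user's in-memory credentials
      *) IFS=$old_ifs; printf '%s\n' "$entry"; return 0 ;;
    esac
  done
  IFS=$old_ifs
  return 1
}

# usage: check_intended_provider INTENDED_URI "uri1,uri2,..."
# Returns 0 when the first persistent provider in the path is the intended one,
# 1 (with a warning) when a different store would be written, and 2 when the
# path contains no persistent store at all.
check_intended_provider() {
  intended=$1
  chosen=$(first_nontransient_provider "$2") || {
    echo "error: no persistent provider in '$2'; pass -provider $intended" >&2
    return 2
  }
  if [ "$chosen" != "$intended" ]; then
    echo "warning: 'hadoop credential create' would write to $chosen, not $intended;" \
         "pass -provider $intended explicitly" >&2
    return 1
  fi
  return 0
}
```

Run check_intended_provider with the keystore URI you want and the value of hadoop.security.credential.provider.path from the node's configuration before creating the alias; if it warns, pass -provider on the command line as the text above recommends.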
Encrypt the Oozie Database Password
- Configure Oozie to use a MySQL database as described in Configure a MySQL Data Store for Oozie.
- Optionally, export the Hadoop credential store password as an environment variable:

    $ export HADOOP_CREDSTORE_PASSWORD=password

- Add oozie.service.jpaservice.jdbc.password to the jceks keystore:

    $ hadoop credential create oozie.service.jpaservice.jdbc.password -provider jceks://path/to/oozie.jceks
    Enter the password:
    Enter the password again:
    oozie.service.jpaservice.jdbc.password has been successfully created.
    org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.

- Verify that the MySQL password was added; the keystore listing should show the new entry:

    Keystore type: JCEKS
    Keystore provider: SunJCE
    Your keystore contains 1 entry
    Alias name: oozie.service.jpaservice.jdbc.password
    Creation date: Apr 11, 2018
    Entry type: SecretKeyEntry

- Once the jceks file is created, add the hadoop.security.credential.provider.path property to the oozie-site.xml file with the path to the jceks file. The jceks path can point to maprfs or to a local file (local-fs).

    <property>
      <name>hadoop.security.credential.provider.path</name>
      <value>jceks://path/to/oozie.jceks</value>
    </property>

- Update the password property to use ***** instead of a human-readable password:

    <property>
      <name>oozie.service.JPAService.jdbc.password</name>
      <value>*****</value>
    </property>
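Both procedures above, the manual Hive steps and the Oozie steps, edit a site file the same way: the clear-text password property is removed (Hive) or masked with ***** (Oozie), and a hadoop.security.credential.provider.path property pointing at the jceks file is added. The shell functions below are an added example, not code from the original page or from the Hive or Oozie projects. They perform that edit on a *-site.xml file and then check that no clear-text password is left behind, which is the step a practitioner wants after the hadoop credential create has succeeded. The sample site file is constructed here for illustration; the functions assume the standard layout in which each <property> block begins on a line containing <property> and ends on a line containing </property>.

```shell
#!/bin/sh
# Added example (not from the original page or the Hive/Oozie projects): move a
# JDBC password out of a Hadoop *-site.xml into a credential-provider reference,
# then verify that no clear-text value remains. Covers hive-site.xml
# (javax.jdo.option.ConnectionPassword, property removed) and oozie-site.xml
# (oozie.service.JPAService.jdbc.password, value replaced by *****).
# Assumption: every <property> block starts on a line containing <property>
# and ends on a line containing </property>, as in a standard site file.

# usage: migrate_site_xml FILE PASSWORD_PROPERTY JCEKS_URI remove|mask
migrate_site_xml() {
  file=$1 prop=$2 uri=$3 mode=$4
  tmp="$file.tmp.$$"
  awk -v prop="$prop" -v uri="$uri" -v mode="$mode" '
    /<property>/ { inblock = 1; block = "" }
    inblock      { block = block $0 "\n" }
    /<\/property>/ && inblock {
      inblock = 0
      if (index(block, "<name>" prop "</name>")) {
        # the clear-text password: drop the block, or keep it with a placeholder
        if (mode == "mask") {
          sub(/<value>[^<]*<\/value>/, "<value>*****</value>", block)
          printf "%s", block
        }
      } else if (index(block, "<name>hadoop.security.credential.provider.path</name>")) {
        # stale provider path: dropped here, re-added once before </configuration>
      } else {
        printf "%s", block
      }
      next
    }
    !inblock && /<\/configuration>/ {
      printf "  <property>\n    <name>hadoop.security.credential.provider.path</name>\n    <value>%s</value>\n  </property>\n", uri
    }
    !inblock { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# usage: verify_site_xml FILE PASSWORD_PROPERTY
# Returns 0 only if PASSWORD_PROPERTY is absent or masked with ***** AND a
# jceks:// or localjceks:// provider path is configured; returns 1 otherwise.
verify_site_xml() {
  awk -v prop="$2" '
    /<property>/ { inblock = 1; block = "" }
    inblock      { block = block $0 "\n" }
    /<\/property>/ && inblock {
      inblock = 0
      if (index(block, "<name>" prop "</name>") && !index(block, "<value>*****</value>"))
        cleartext = 1
      if (index(block, "<name>hadoop.security.credential.provider.path</name>") && index(block, "jceks://"))
        provider = 1
    }
    END { exit (cleartext || !provider) ? 1 : 0 }
  ' "$1"
}

# Constructed sample site file (not a real cluster file) for trying the functions.
# usage: write_sample_site FILE PASSWORD_PROPERTY PASSWORD
write_sample_site() {
  cat > "$1" <<EOF
<?xml version="1.0"?>
<configuration>
  <property>
    <name>javax.jdo.option.ConnectionURL</name>
    <value>jdbc:mysql://localhost/metastore</value>
  </property>
  <property>
    <name>$2</name>
    <value>$3</value>
  </property>
</configuration>
EOF
}

# Example session (Hive, then Oozie):
#   migrate_site_xml hive-site.xml javax.jdo.option.ConnectionPassword \
#       jceks://maprfs/user/mapr/hivemetastore.jceks remove
#   verify_site_xml hive-site.xml javax.jdo.option.ConnectionPassword
#   migrate_site_xml oozie-site.xml oozie.service.JPAService.jdbc.password \
#       jceks://maprfs/user/mapr/oozie.jceks mask
#   verify_site_xml oozie-site.xml oozie.service.JPAService.jdbc.password
```

Run verify_site_xml before restarting the services; a non-zero exit means either the clear-text password is still in the file or the provider path was not added, and the restart would leave the password exposed or the metastore unable to authenticate.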