Configuring Spark Thrift Server Encryption
Spark Thrift server encryption is supported when authentication is enabled. You can configure encryption with MapR-SASL or with SSL/TLS.
Configuring Encryption with MapR-SASL or Kerberos
Starting in EEP 4.0, for secure clusters, you can skip the steps outlined in this section. For new installs done using Data Fabric Installer, the Installer enables this configuration. For manual installs and upgrades, running configure.sh -R enables these settings.
To manually configure encryption with MapR-SASL or Kerberos authentication on a non-secure cluster or in versions earlier than EEP 4.0, complete the following steps:
- Set the hive.server2.thrift.sasl.qop property in hive-site.xml to the value auth-conf. The SASL Quality of Protection (QOP), or sasl.qop, setting and the authentication with confidentiality (auth-conf) value support authentication:

      <property>
        <name>hive.server2.thrift.sasl.qop</name>
        <value>auth-conf</value>
      </property>
- Restart Spark Thrift server to apply the change:

      ./sbin/stop-thriftserver.sh
      ./sbin/start-thriftserver.sh

  IMPORTANT: The cluster administrative user (generally, the account named mapr) should start Spark Thrift server. Then, process identifier (PID) files are owned by this user, and impersonation support (where applicable) functions correctly.
Configuring Encryption with SSL/TLS
To enable encryption with SSL/TLS:
- Add the following properties to the /opt/mapr/spark/spark-<version>/conf/spark-defaults.conf file:

      spark.ssl.enabled true
      spark.ssl.fs.enabled true
      spark.ssl.trustStore /opt/mapr/conf/ssl_truststore
      spark.ssl.keyStore /opt/mapr/conf/ssl_keystore
      spark.ssl.protocol TLSv1.2
      spark.ssl.keyStorePassword mapr123
      spark.ssl.trustStorePassword mapr123

  After the properties are added, event logs will indicate that the job is encrypted.
- To connect using Beeline with encryption, add the following properties to the /opt/mapr/spark/spark-<version>/conf/hive-site.xml file:

      <property>
        <name>hive.server2.use.SSL</name>
        <value>true</value>
        <description>enable/disable SSL </description>
      </property>
      <property>
        <name>hive.server2.keystore.path</name>
        <value>/opt/mapr/conf/ssl_keystore</value>
        <description>path to keystore file</description>
      </property>
      <property>
        <name>hive.server2.keystore.password</name>
        <value>mapr123</value>
        <description>keystore password</description>
      </property>
- To start the Spark Thriftserver, use the following command:

      /opt/mapr/spark/spark-<version>/sbin/start-thriftserver.sh --hiveconf hive.server2.thrift.port=2304 --master yarn --deploy-mode client

The following example shows a connection string using Beeline (PAM+SSL):

    ./bin/beeline
    Beeline version 1.2.0-mapr-1808-spark by Apache Hive
    beeline> !connect jdbc:hive2://node1.cluster.com:2304/default;ssl=true;user=mapr;password=mapr;sslTrustStorePassword=mapr123;sslTrustStore=/opt/mapr/conf/ssl_truststore
    Connecting to jdbc:hive2://node1.cluster.com:2304/default;ssl=true;user=mapr;password=mapr;sslTrustStorePassword=mapr123;sslTrustStore=/opt/mapr/conf/ssl_truststore
    Connected to: Spark SQL (version 2.1.0-mapr-mep-3.x-1808)
    Driver: Hive JDBC (version 1.2.0-mapr-1808-spark)
    Transaction isolation: TRANSACTION_REPEATABLE_READ
    1: jdbc:hive2://node1.cluster.com:2304/defaul>
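The following check is an added example, not part of the original documentation or the product: it parses the contents of spark-defaults.conf and hive-site.xml and reports which of the two procedures above (MapR-SASL/Kerberos or SSL/TLS) is completely configured, using the values this page sets as the expected ones. The function names and the sample inputs are constructed for illustration; the sample sets the QOP to auth, a valid SASL value that authenticates without encrypting, to show how the SASL path is reported while the SSL path still passes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from a real cluster); passwords omitted, unused here.
SPARK_DEFAULTS = """\
spark.ssl.enabled     true
spark.ssl.fs.enabled  true
spark.ssl.trustStore  /opt/mapr/conf/ssl_truststore
spark.ssl.keyStore    /opt/mapr/conf/ssl_keystore
spark.ssl.protocol    TLSv1.2
"""
HIVE_SITE = """<configuration>
 <property><name>hive.server2.thrift.sasl.qop</name><value>auth</value></property>
 <property><name>hive.server2.use.SSL</name><value>true</value></property>
 <property><name>hive.server2.keystore.path</name><value>/opt/mapr/conf/ssl_keystore</value></property>
</configuration>"""

# Values the page's two procedures set; a None value only has to be present.
WANT_SASL = {"hive.server2.thrift.sasl.qop": "auth-conf"}
WANT_SSL = {"spark.ssl.enabled": "true", "spark.ssl.fs.enabled": "true",
            "spark.ssl.protocol": "TLSv1.2", "spark.ssl.keyStore": None,
            "spark.ssl.trustStore": None, "hive.server2.use.SSL": "true",
            "hive.server2.keystore.path": None}

def parse_spark_defaults(text):
    """Parse 'key value' lines (whitespace, '=' or ':' separated); skip comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (re.split(r"[\s=:]+", l, maxsplit=1) for l in lines if l and not l.startswith("#"))
    return {p[0]: (p[1] if len(p) > 1 else "") for p in pairs}

def parse_hive_site(xml_text):
    """Parse Hadoop-style <property><name/><value/></property> entries."""
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def gaps(spark, hive, want):
    """List each wanted key that is missing, empty, or set to another value."""
    out = []
    for key, value in want.items():
        got = (hive if key.startswith("hive.") else spark).get(key)  # file per key prefix
        if not got or (value and got.lower() != value.lower()):
            out.append(f"{key}: expected {value or 'a path'}, found {got or 'nothing'}")
    return out

def audit(spark_text, hive_xml):
    """Return (encrypted, report); one complete mode is enough to count as encrypted."""
    spark, hive = parse_spark_defaults(spark_text), parse_hive_site(hive_xml)
    report = {"sasl": gaps(spark, hive, WANT_SASL), "ssl": gaps(spark, hive, WANT_SSL)}
    return (not report["sasl"] or not report["ssl"]), report
```

To run it against a node, pass the text of the two files under /opt/mapr/spark/spark-<version>/conf/ to audit() in place of the constructed samples.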