Configuring Spark Thrift Server Encryption

Spark Thrift server encryption is supported only when authentication is enabled. You can encrypt the connection either through the SASL layer (MapR-SASL or Kerberos authentication with the auth-conf quality of protection) or with SSL/TLS.

Configuring Encryption with MapR-SASL or Kerberos

Starting in EEP 4.0, for secure clusters, you can skip the steps outlined in this section. For new installs done using Data Fabric Installer, the Installer enables this configuration. For manual installs and upgrades, running configure.sh -R enables these settings.

To manually configure encryption with MapR-SASL or Kerberos authentication on a non-secure cluster or in versions earlier than EEP 4.0, complete the following steps:

  1. Set the hive.server2.thrift.sasl.qop property in hive-site.xml to auth-conf. The SASL Quality of Protection (QOP) determines what the SASL layer protects once the client is authenticated: auth (the Hive default) provides authentication only, auth-int adds message integrity, and auth-conf adds confidentiality, so only auth-conf encrypts the Thrift traffic:
    <property>
        <name>hive.server2.thrift.sasl.qop</name>
        <value>auth-conf</value>
    </property>
  2. Restart the Spark Thrift server to apply the change:
    IMPORTANT
    Start the Spark Thrift server as the cluster administrative user (generally the account named mapr). The process identifier (PID) files are then owned by that user, and impersonation support (where applicable) functions correctly.
    ./sbin/stop-thriftserver.sh
    ./sbin/start-thriftserver.sh

Configuring Encryption with SSL/TLS

To enable encryption with SSL/TLS:
  1. Add the following properties to the /opt/mapr/spark/spark-<version>/conf/spark-defaults.conf file:
    spark.ssl.enabled true
    spark.ssl.fs.enabled true
    spark.ssl.trustStore /opt/mapr/conf/ssl_truststore
    spark.ssl.keyStore /opt/mapr/conf/ssl_keystore
    spark.ssl.protocol TLSv1.2
    spark.ssl.keyStorePassword      mapr123
    spark.ssl.trustStorePassword    mapr123
    The password values shown are placeholders: mapr123 is the well-known default for the cluster keystore and truststore, so replace it with the password actually set on your stores. Because these passwords are stored in clear text, keep spark-defaults.conf readable only by the user that runs the Spark Thrift server. Once the properties are in place, the event logs indicate that the job is encrypted.
  2. To connect using Beeline with encryption, add the following properties to the /opt/mapr/spark/spark-<version>/conf/hive-site.xml file:
    <property>
      <name>hive.server2.use.SSL</name>
      <value>true</value>
      <description>Enable SSL for the HiveServer2 Thrift endpoint</description>
    </property>
    
    <property>
      <name>hive.server2.keystore.path</name>
      <value>/opt/mapr/conf/ssl_keystore</value>
      <description>path to keystore file</description>
    </property>
    
    <property>
      <name>hive.server2.keystore.password</name>
      <value>mapr123</value>
      <description>keystore password</description>
    </property>
  3. To start the Spark Thriftserver, use the following command:
    /opt/mapr/spark/spark-<version>/sbin/start-thriftserver.sh --hiveconf hive.server2.thrift.port=2304 --master yarn --deploy-mode client
    The following example shows a connection string using Beeline (PAM+SSL). The sslTrustStore and sslTrustStorePassword parameters point Beeline at the truststore that contains the issuer of the server certificate. The user and password given in the URL are saved in the Beeline command history, so in practice omit them and let Beeline prompt for the credentials:
    ./bin/beeline 
    Beeline version 1.2.0-mapr-1808-spark by Apache Hive
    beeline>  !connect jdbc:hive2://node1.cluster.com:2304/default;ssl=true;user=mapr;password=mapr;sslTrustStorePassword=mapr123;sslTrustStore=/opt/mapr/conf/ssl_truststore
    Connecting to jdbc:hive2://node1.cluster.com:2304/default;ssl=true;user=mapr;password=mapr;sslTrustStorePassword=mapr123;sslTrustStore=/opt/mapr/conf/ssl_truststore
    Connected to: Spark SQL (version 2.1.0-mapr-mep-3.x-1808)
    Driver: Hive JDBC (version 1.2.0-mapr-1808-spark)
    Transaction isolation: TRANSACTION_REPEATABLE_READ
    1: jdbc:hive2://node1.cluster.com:2304/defaul>
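The following script is an added example and is not part of the original page or of the Spark or Data Fabric code base. It audits the two files the procedures above edit, hive-site.xml and spark-defaults.conf, for the settings each step requires and for the hazards a reviewer looks for: a sasl.qop below auth-conf, SSL disabled or a protocol older than TLSv1.2, the default mapr123 keystore password, and a world-readable file holding those passwords. The sample files it writes are constructed from the values shown on this page; the function names and the whitespace-separated spark-defaults.conf format are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original page or the Spark/Data Fabric code base):
# audits hive-site.xml and spark-defaults.conf for the encryption settings described
# above. Function names are the example's own; the sample files are constructed.

# hive_prop FILE NAME: print the <value> of the <property> whose <name> is NAME.
# The file is flattened to one line so indentation and line breaks do not matter.
hive_prop() {
  tr -d '\n' < "$1" |
    sed -n "s#.*<name>[[:space:]]*$2[[:space:]]*</name>[[:space:]]*<value>\([^<]*\)</value>.*#\1#p"
}

# spark_prop FILE KEY: print the value of KEY from a whitespace-separated
# spark-defaults.conf, the format used on this page (key=value lines are not handled).
spark_prop() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sasl_qop HIVE_SITE: return 0 when Thrift traffic is encrypted (auth-conf),
# 1 for any weaker quality of protection.
check_sasl_qop() {
  qop=$(hive_prop "$1" hive.server2.thrift.sasl.qop)
  case "$qop" in
    auth-conf) echo "OK   sasl.qop=auth-conf: authentication, integrity and confidentiality"; return 0 ;;
    auth-int)  echo "WEAK sasl.qop=auth-int: integrity only, payload is readable on the wire"; return 1 ;;
    *)         [ -n "$qop" ] || qop="auth (Hive default when unset)"
               echo "WEAK sasl.qop=$qop: no wire protection"; return 1 ;;
  esac
}

# check_spark_ssl SPARK_DEFAULTS: print each finding and return how many there were
# (0 means the TLS settings look right).
check_spark_ssl() {
  f=$1; findings=0
  [ "$(spark_prop "$f" spark.ssl.enabled)" = "true" ] ||
    { echo "FAIL spark.ssl.enabled is not true"; findings=$((findings + 1)); }
  proto=$(spark_prop "$f" spark.ssl.protocol)
  case "$proto" in
    TLSv1.2|TLSv1.3) echo "OK   spark.ssl.protocol=$proto" ;;
    *) echo "FAIL spark.ssl.protocol=${proto:-unset}: require TLSv1.2 or newer"
       findings=$((findings + 1)) ;;
  esac
  for key in spark.ssl.keyStorePassword spark.ssl.trustStorePassword; do
    pw=$(spark_prop "$f" "$key")
    if [ -z "$pw" ]; then
      echo "FAIL $key is unset"; findings=$((findings + 1))
    elif [ "$pw" = "mapr123" ]; then
      echo "WARN $key is the well-known default mapr123; change it"; findings=$((findings + 1))
    fi
  done
  # The passwords sit in clear text, so the file must not be readable by other users.
  if [ "$(ls -ld "$f" | cut -c8)" = "r" ]; then
    echo "WARN $f is world-readable but holds keystore passwords"; findings=$((findings + 1))
  fi
  return $findings
}

# make_samples DIR: write constructed copies of the two files with the values shown
# on this page, readable by the owner only.
make_samples() {
  mkdir -p "$1"
  cat > "$1/hive-site.xml" <<'EOF'
<configuration>
  <property>
    <name>hive.server2.thrift.sasl.qop</name>
    <value>auth-conf</value>
  </property>
  <property>
    <name>hive.server2.use.SSL</name>
    <value>true</value>
  </property>
</configuration>
EOF
  cat > "$1/spark-defaults.conf" <<'EOF'
spark.ssl.enabled true
spark.ssl.fs.enabled true
spark.ssl.trustStore /opt/mapr/conf/ssl_truststore
spark.ssl.keyStore /opt/mapr/conf/ssl_keystore
spark.ssl.protocol TLSv1.2
spark.ssl.keyStorePassword      mapr123
spark.ssl.trustStorePassword    mapr123
EOF
  chmod 600 "$1/hive-site.xml" "$1/spark-defaults.conf"
}

# Run the audit against the constructed samples: the page's configuration passes the
# QOP check but is flagged twice, once for each default password.
sample_dir=$(mktemp -d)
make_samples "$sample_dir"
check_sasl_qop "$sample_dir/hive-site.xml" || echo "hive-site.xml needs attention"
check_spark_ssl "$sample_dir/spark-defaults.conf" || echo "spark-defaults.conf: $? finding(s)"
rm -rf "$sample_dir"
```

Run it against the real files (for example `check_sasl_qop /opt/mapr/spark/spark-<version>/conf/hive-site.xml`) after completing either procedure; a non-zero return from check_spark_ssl means at least one of the settings above is missing, weak, or still at its default.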