Configuring Spark Thrift Server Encryption

Spark Thrift server encryption is supported when authentication is enabled. You can configure encryption with MapR-SASL or with SSL/TLS.

Configuring Encryption with MapR-SASL or Kerberos

Starting in EEP 4.0, for secure clusters, you can skip the steps outlined in this section. For new installs done using Data Fabric Installer, the Installer enables this configuration. For manual installs and upgrades, running configure.sh -R enables these settings.

To manually configure encryption with MapR-SASL or Kerberos authentication on a non-secure cluster or in versions earlier than EEP 4.0, complete the following steps:

Set the hive.server2.thrift.sasl.qop property in hive-site.xml to the value auth-conf. The SASL Quality of Protection (QOP), or sasl.qop, setting and the authentication with confidentiality (auth-conf) value support authentication:
```
<property>
    <name>hive.server2.thrift.sasl.qop</name>
    <value>auth-conf</value>
</property>
```
Restart Spark Thrift server to apply the change:

IMPORTANT
The cluster administrative user (generally, the account named mapr) should start Spark Thrift server. Then, process identifier (PID) files are owned by this user, and impersonation support (where applicable) functions correctly.
```
./sbin/stop-thriftserver.sh
./sbin/start-thriftserver.sh
```

Configuring Encryption with SSL/TLS

To enable encryption with SSL/TLS:

Add the following properties to the /opt/mapr/spark/spark-<version>/conf/spark-defaults.conf file:

spark.ssl.enabled true
spark.ssl.fs.enabled true
spark.ssl.trustStore /opt/mapr/conf/ssl_truststore
spark.ssl.keyStore /opt/mapr/conf/ssl_keystore
spark.ssl.protocol TLSv1.2
spark.ssl.keyStorePassword      mapr123
spark.ssl.trustStorePassword    mapr123

After the properties are added, event logs will indicate that the job is encrypted.

To connect using Beeline with encryption, add the following properties to the /opt/mapr/spark/spark-<version>/conf/hive-site.xml file:

<property>
  <name>hive.server2.use.SSL</name>
  <value>true</value>
  <description>enable/disable SSL </description>
</property>

<property>
  <name>hive.server2.keystore.path</name>
  <value>/opt/mapr/conf/ssl_keystore</value>
  <description>path to keystore file</description>
</property>

<property>
  <name>hive.server2.keystore.password</name>
  <value>mapr123</value>
  <description>keystore password</description>
</property>

To start the Spark Thriftserver, use the following command:

/opt/mapr/spark/spark-<version>/sbin/start-thriftserver.sh --hiveconf hive.server2.thrift.port=2304 --master yarn --deploy-mode client

The following example shows a connection string using Beeline (PAM+SSL):

./bin/beeline 
Beeline version 1.2.0-mapr-1808-spark by Apache Hive
beeline>  !connect jdbc:hive2://node1.cluster.com:2304/default;ssl=true;user=mapr;password=mapr;sslTrustStorePassword=mapr123;sslTrustStore=/opt/mapr/conf/ssl_truststore
Connecting to jdbc:hive2://node1.cluster.com:2304/default;ssl=true;user=mapr;password=mapr;sslTrustStorePassword=mapr123;sslTrustStore=/opt/mapr/conf/ssl_truststore
Connected to: Spark SQL (version 2.1.0-mapr-mep-3.x-1808)
Driver: Hive JDBC (version 1.2.0-mapr-1808-spark)
Transaction isolation: TRANSACTION_REPEATABLE_READ
1: jdbc:hive2://node1.cluster.com:2304/defaul>

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0