Hive Password Encryption

EEP 4.0 introduces default configuration for Hive Metastore password encryption using the Data Fabric Installer. The password is stored in the hive-site.xml file.

EEP 4.0 introduces default configuration for Hive Metastore password encryption using the Data Fabric Installer. The password is stored in the hive-site.xml file.

NOTE
For Hive-2.1 (EEP-5.0.0 and later) and Hive-2.3 (EEP-6.0.0 and later) installed using the Data Fabric Installer, javax.jdo.option.ConnectionPassword is automatically encrypted.
<property>
  <name>javax.jdo.option.ConnectionPassword<name>
  <value>{password}<value>
<property>

The hadoop.security.credential.provider.path configuration property replaces the javax.jdo.option.ConnectionPassword property in the hive-site.xml file that contains the path to the keystore file created by the Hadoop Crediential Provider. Credential providers store and protect passwords out of clear text for the underlying database. By default, the Data Fabric Installer creates the keystore file in the Data Fabric file system. /user/${MAPR_USER}/hivemetastore.jceks.

NOTE
Starting from Hive-2.3 EEP 6.0.0, SSL keystore passwords, hive.server2.webui.keystore.password, hive.server2.keystore.password, and templeton.keystore.password, are automatically read from the /opt/mapr/conf/ssl-client.xml file without any additional steps from your side. But you can still encrypt them manually and store them in the *jceks files.

Reset Data Fabric Installer Default Configuration

To remove changes made by the Data Fabric Installer and reset Hive to its default setting:

  1. Open the hive-site.xml file.
  2. Delete the hadoop.security.credential.provider.path property.
  3. Add the javax.jdo.option.ConnectionPassword property.
  4. Save and close the hive-site.xml file.

Manual Password Encryption

NOTE
For any user to use Hive, the keystore file requires read permission (644). To limit keystore file access to a smaller number of Hive users, modify permissions as necessary.
ATTENTION
When you wish to run the hadoop credential command for provisioning a password or secret to a particular credential store provider, use the -provider command line option to explicitly indicate which provider store to use. If a path of multiple providers is given, the first non-transient provider will be used. Note that this provider may or may not be the one that you intended to use.

To encrypt a password manually:

  1. Create the keystore file using the Hadoop Credential Provider as follows: 
    hadoop credential create javax.jdo.option.ConnectionPassword -provider <path-to-keystore>
    Where <path-to-keystore> is jceks://<file-system-name>/<path-to-keystore>.
    For example, jceks://maprfs/user/mapr/hivemetastore.jceks
    NOTE
    On running the command, you are prompted to enter and re-enter the password to encrypt. Once you provide the password and confirm the password, the javax.jdo.option.ConnectionPassword is created and the org.apache.hadoop.security.alias.JavaKeyStoreProvider is updated.
  2. Delete the javax.jdo.option.ConnectionPassword property in the hive-site.xml file: 
    <property>
  <name>javax.jdo.option.ConnectionPassword</name>
  <value>{yourpassword}</value>
</property>
  3. Add the hadoop.security.credential.provider.path property to the /opt/mapr/hive/<hive-release-version>/conf/hive-site.xml file:
    <property>
  <name>hadoop.security.credential.provider.path</name>
  <value>jceks://maprfs/user/mapr/hivemetastore.jceks</value>
  <description>specify password to use against metastore database here</description>
</property>
  4. Restart the Hive services to update the configuration:
    maprcli node services -name hivemeta -action restart -nodes `hostname -f`
maprcli node services -name hs2 -action restart -nodes `hostname -f`
maprcli node services -name hcat -action restart -nodes `hostname -f`

Encrypt the Oozie Database Password

Follow the steps given below to encrypt the Oozie database password:
  1. Configure Oozie to use a MySQL database as described in Configure a MySQL Data Store for Oozie.
  2. Optionally, export the Hadoop credential store password as a system variable:$ export HADOOP_CREDSTORE_PASSWORD=password.
  3. Add oozie.service.jpaservice.jdbc.password to the jceks keystore:
    $ hadoop credential create oozie.service.jpaservice.jdbc.password -provider jceks://path/to/oozie.jceks
Enter the password:
Enter the password again:
oozie.service.jpaservice.jdbc.password has been successfully created.
org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
  4. Verify that the MySQL password was added:
    Keystore type: JCEKS
Keystore provider: SunJCE
            
Your keystore contains 1 entry
            
Alias name: oozie.service.jpaservice.jdbc.password
Creation date: Apr 11, 2018
Entry type: SecretKeyEntry
  5. Once the jceks file is created, add the hadoop.security.credential.provider.path property to the oozie-site.xml file with the path to the jceks file. The jceks path location can be maprfs or a local file (local-fs).
    <property>
   <name>hadoop.security.credential.provider.path</name>
   <value>jceks://path/to/oozie.jceks</value>
</property>
  6. Update the password property to use ***** instead of a word-readable password:
    <property>
  <name>oozie.service.JPAService.jdbc.password</name>
  <value>*****</value>
</property>