Hive's Metastore configuration has an entry that holds the password used to authenticate against the metastore database.

This password is saved in clear text, and looks like this:

  <property>
    <name>javax.jdo.option.ConnectionPassword</name>
    <value>password</value>
    <description>password to use against metastore database</description>
  </property>

Today, I will show you how to tighten the security a bit by storing the password in a "JCEKS" keystore file instead, and then updating the hive-site.xml config to tell the service to read the password from the keystore.

The steps are below:

Create the keystore file where the metastore password will be hosted:

$ sudo hadoop credential create javax.jdo.option.ConnectionPassword -provider jceks://file/usr/lib/hive/conf/hive.jceks

Verify that the alias for the CredentialProvider is listed:

$ sudo hadoop credential list -provider jceks://file/usr/lib/hive/conf/hive.jceks

Remove the javax.jdo.option.ConnectionPassword property from hive-site.xml and add the hadoop.security.credential.provider.path property:

$ sudo vim /etc/hive/conf/hive-site.xml

Remove:

  <property>
    <name>javax.jdo.option.ConnectionPassword</name>
    <value>password</value>
    <description>password to use against metastore database</description>
  </property>

Add:

  <property>
    <name>hadoop.security.credential.provider.path</name>
    <value>jceks://file/usr/lib/hive/conf/hive.jceks</value>
  </property>

Stop the services:

$ sudo stop hive-server2
$ sudo stop hive-hcatalog-server

Apply user and group ownership to the keystore file:

$ sudo chown hive:hadoop /usr/lib/hive/conf/hive.jceks

Start the hive-hcatalog-server service, wait until the Thrift port is listening, then start hive-server2:

$ sudo start hive-hcatalog-server
$ sudo start hive-server2
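
To confirm the change took effect, the check below (an added example, not part of the original steps or of Hive itself) parses a hive-site.xml, reports a leftover clear-text password entry, and inspects the file mode of any jceks://file keystore it references. The audit() function, the sample documents and the "no access for other" policy are assumptions made for this example.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

PASSWORD_KEY = "javax.jdo.option.ConnectionPassword"
PROVIDER_KEY = "hadoop.security.credential.provider.path"
FILE_SCHEME = "jceks://file"

# Constructed sample inputs, modelled on the snippets in this post.
SAMPLE_BEFORE = """<configuration>
  <property>
    <name>javax.jdo.option.ConnectionPassword</name>
    <value>password</value>
  </property>
</configuration>"""
SAMPLE_AFTER = """<configuration>
  <property>
    <name>hadoop.security.credential.provider.path</name>
    <value>jceks://file%s</value>
  </property>
</configuration>"""  # %s is filled with the keystore path


def audit(xml_text):
    """Return a list of findings; an empty list means the config passes."""
    props = {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
             for p in ET.fromstring(xml_text).iter("property")}
    findings = []
    if PASSWORD_KEY in props:
        findings.append("clear-text %s still present" % PASSWORD_KEY)
    providers = [v.strip() for v in props.get(PROVIDER_KEY, "").split(",") if v.strip()]
    if not providers:
        findings.append("%s is not set" % PROVIDER_KEY)
    for provider in providers:
        if not provider.startswith(FILE_SCHEME + "/"):
            continue  # only local-file keystores can be checked with stat()
        path = provider[len(FILE_SCHEME):]
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError:
            findings.append("keystore %s is missing or not accessible" % path)
            continue
        if mode & stat.S_IRWXO:  # assumed policy: no access for 'other'
            findings.append("keystore %s is open to 'other' (mode %o)" % (path, mode))
    return findings


if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else "/etc/hive/conf/hive-site.xml", "rb") as fh:
        for finding in audit(fh.read()) or ["no findings"]:
            print(finding)
```

Run it with the path to hive-site.xml as the only argument; with no argument it reads /etc/hive/conf/hive-site.xml.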

Reference:
https://cwiki.apache.org/confluence/display/Hive/AdminManual+Configuration#AdminManualConfiguration-RemovingHiveMetastorePasswordfromHiveConfiguration