Hive's Metastore configuration contains an entry that holds the password used to authenticate against the metastore database.
This password is stored in clear text, and looks like this:
<property>
<name>javax.jdo.option.ConnectionPassword</name>
<value>password</value>
<description>password to use against metastore database</description>
</property>
In this post I will show how to tighten this up a bit by storing the password in a "JCEKS" keystore file instead, and then updating the hive-site.xml
config so the service reads the password from the keystore.
Below are the steps:
Created the keystore file where the metastore password will be stored:
$ sudo hadoop credential create javax.jdo.option.ConnectionPassword -provider jceks://file/usr/lib/hive/conf/hive.jceks
Verified that the alias is listed by the credential provider:
$ sudo hadoop credential list -provider jceks://file/usr/lib/hive/conf/hive.jceks
Removed the javax.jdo.option.ConnectionPassword property from my hive-site.xml and added the hadoop.security.credential.provider.path property:
$ sudo vim /etc/hive/conf/hive-site.xml
Removed:
<property>
<name>javax.jdo.option.ConnectionPassword</name>
<value>password</value>
<description>password to use against metastore database</description>
</property>
Added:
<property>
<name>hadoop.security.credential.provider.path</name>
<value>jceks://file/usr/lib/hive/conf/hive.jceks</value>
</property>
Stopped the services:
$ sudo stop hive-server2
$ sudo stop hive-hcatalog-server
Applied user and group ownership to the keystore file:
$ sudo chown hive:hadoop /usr/lib/hive/conf/hive.jceks
Started the hive-hcatalog-server service, waited until the Thrift port was listening, then started hive-server2:
$ sudo start hive-hcatalog-server
$ sudo start hive-server2
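As an added example (not part of the original post), a small shell audit that checks the end state of the steps above: no clear-text ConnectionPassword left in hive-site.xml, the credential provider path pointing at the JCEKS file, and the keystore not readable by group or others. It assumes the paths used above when run against a real host; the built-in dry run writes constructed fixture files and a dummy keystore (not a real JCEKS file) to a temp directory.

```shell
#!/bin/sh
# Added example (not from the original post): audit the outcome of the steps
# above on a given hive-site.xml and keystore path. Paths are assumptions.
# audit_hive_site CONF KEYSTORE
# Returns 0 only when CONF no longer contains the clear-text
# javax.jdo.option.ConnectionPassword, CONF points
# hadoop.security.credential.provider.path at jceks://file<KEYSTORE>, and
# KEYSTORE exists without group/other read permission.
audit_hive_site() {
  conf="$1"; ks="$2"; rc=0
  if grep -q '<name>javax.jdo.option.ConnectionPassword</name>' "$conf"; then
    echo "FAIL: clear-text ConnectionPassword still set in $conf"; rc=1
  fi
  if ! grep -q "<value>jceks://file${ks}</value>" "$conf"; then
    echo "FAIL: $conf does not point credential.provider.path at jceks://file${ks}"; rc=1
  fi
  if [ ! -f "$ks" ]; then
    echo "FAIL: keystore $ks not found"; rc=1
  elif ls -ld "$ks" | cut -c5-10 | grep -q r; then
    # columns 5-10 of ls -l output are the group and other permission bits
    echo "FAIL: keystore $ks is readable by group or others"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $conf reads the metastore password from $ks"
  return "$rc"
}

# make_fixtures DIR: write constructed before/after configs and a dummy
# keystore (constructed bytes, not a real JCEKS file) into DIR for a dry run.
make_fixtures() {
  ks="$1/hive.jceks"
  printf 'constructed-keystore-bytes\n' > "$ks" && chmod 0600 "$ks"
  cat > "$1/before.xml" <<EOF
<property><name>javax.jdo.option.ConnectionPassword</name><value>password</value></property>
EOF
  cat > "$1/after.xml" <<EOF
<property><name>hadoop.security.credential.provider.path</name><value>jceks://file${ks}</value></property>
EOF
}

# Dry run on the constructed fixtures: the "before" config must fail,
# the "after" config must pass.
demo() {
  dir=$(mktemp -d) && make_fixtures "$dir"
  audit_hive_site "$dir/before.xml" "$dir/hive.jceks" || echo "(before: expected to fail)"
  audit_hive_site "$dir/after.xml" "$dir/hive.jceks"
  rm -rf "$dir"
}
demo
```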