Morio Ramdenbourg created HIVE-20992:
----------------------------------------

             Summary: Split the config "hive.metastore.dbaccess.ssl.properties" into more meaningful configs
                 Key: HIVE-20992
                 URL: https://issues.apache.org/jira/browse/HIVE-20992
             Project: Hive
          Issue Type: Improvement
          Components: Metastore, Security, Standalone Metastore
    Affects Versions: 4.0.0
            Reporter: Morio Ramdenbourg
            Assignee: Morio Ramdenbourg


HIVE-13044 brought in the ability to enable TLS encryption from the HMS Service 
to the HMSDB by configuring the following two properties:
 # _javax.jdo.option.ConnectionURL_: JDBC connect string for a JDBC metastore. To use SSL to encrypt/authenticate the connection, provide database-specific SSL flag in the connection URL. (E.g. "jdbc:postgresql://myhost/db?ssl=true")
 # _hive.metastore.dbaccess.ssl.properties_: Comma-separated SSL properties for metastore to access database when JDO connection URL. (E.g. javax.net.ssl.trustStore=/tmp/truststore,javax.net.ssl.trustStorePassword=pwd)

However, the latter configuration option is opaque and poses some problems. The 
most glaring of these is that it takes in _any_ 
[java.lang.System|https://docs.oracle.com/javase/7/docs/api/java/lang/System.html] system property, whether it is 
[TLS-related|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization] or not. 
This can cause some unintended side-effects for other components of the HMS, 
especially if it overrides an already-set system property. If the user truly 
wishes to add an unrelated Java property, setting it statically using the "-D" 
option of the _java_ command is more appropriate.

I propose we split _hive.metastore.dbaccess.ssl.properties_ into the following 
properties:
 * *_hive.metastore.dbaccess.ssl.use.SSL_* - Set this to true to use TLS encryption from the HMS Service to the HMSDB
 * *_hive.metastore.dbaccess.ssl.truststore.path_* - TLS truststore file location
 * *_hive.metastore.dbaccess.ssl.truststore.password_* - Password of the truststore file

We should guide the user towards an easier TLS configuration experience. This 
is the minimum requirement to configure TLS to the HMSDB. If we need other 
options, such as the keystore location/password for dual-authentication, then 
we can add those on afterwards.

Also, document these changes - 
[javax.jdo.option.ConnectionURL|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-javax.jdo.option.ConnectionURL] 
does not have up-to-date documentation, and these new parameters will need 
documentation as well.

Note that "TLS" here refers to both SSL and TLS. TLS is simply the successor of SSL.
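To make the side-effect described above concrete, here is an added illustration (not Hive's own code, and not part of the original issue) that models the two configuration shapes with a Map standing in for the JVM system properties. The applyOpaque/applySplit methods, their parameters, and the refuse-to-override check are assumptions about how the existing and proposed properties could be applied:

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Illustrative only: the Map stands in for System properties so the effect is visible. */
public class DbAccessSslProps {

    /** Current, opaque shape: every "key=value" pair lands in the JVM-wide properties. */
    static void applyOpaque(String csv, Map<String, String> jvmProps) {
        for (String pair : csv.split(",")) {
            int eq = pair.indexOf('=');
            if (eq > 0) {
                // No allow-list: an unrelated key (or one already set) is written too.
                jvmProps.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
            }
        }
    }

    /** Proposed shape: named configs, so only the truststore JSSE keys are ever set. */
    static void applySplit(boolean useSsl, String trustStorePath, String trustStorePassword,
                           Map<String, String> jvmProps) {
        if (!useSsl) {
            return;                                   // TLS off: JVM state untouched
        }
        Map<String, String> wanted = new LinkedHashMap<>();
        wanted.put("javax.net.ssl.trustStore", trustStorePath);
        wanted.put("javax.net.ssl.trustStorePassword", trustStorePassword);
        for (Map.Entry<String, String> e : wanted.entrySet()) {
            String existing = jvmProps.get(e.getKey());
            if (existing != null && !existing.equals(e.getValue())) {
                // Assumed policy: refuse to silently clobber what another component set.
                throw new IllegalStateException("Refusing to override " + e.getKey()
                        + " (already set to " + existing + ")");
            }
            jvmProps.put(e.getKey(), e.getValue());
        }
    }

    public static void main(String[] args) {
        // Constructed JVM state: java.io.tmpdir already set by the launcher.
        Map<String, String> jvm = new LinkedHashMap<>();
        jvm.put("java.io.tmpdir", "/var/tmp/hms");
        // Value shaped like the issue's example, plus an unrelated, already-set key.
        applyOpaque("javax.net.ssl.trustStore=/tmp/truststore,"
                + "javax.net.ssl.trustStorePassword=pwd,java.io.tmpdir=/tmp/other", jvm);
        System.out.println("opaque -> java.io.tmpdir=" + jvm.get("java.io.tmpdir"));

        Map<String, String> jvm2 = new LinkedHashMap<>();
        jvm2.put("java.io.tmpdir", "/var/tmp/hms");
        applySplit(true, "/tmp/truststore", "pwd", jvm2);
        System.out.println("split  -> java.io.tmpdir=" + jvm2.get("java.io.tmpdir"));
    }
}
```

Running it shows the opaque form rewriting java.io.tmpdir while the split form leaves it alone, which is the mitigation the proposal is after.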



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)