[
https://issues.apache.org/jira/browse/HIVE-20796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16662329#comment-16662329
]
Laszlo Pinter edited comment on HIVE-20796 at 10/24/18 2:12 PM:
----------------------------------------------------------------
Indeed, it is similar, but I was thinking of different scenario. In the
hive-site.xml you can provide the connection url and the credentials as
different entries
{code:xml}
<property>
<name>javax.jdo.option.ConnectionURL</name>
<value>jdbc:derby:memory:${test.tmp.dir}/junit_metastore_db;create=true</value>
</property>
<property>
<name>javax.jdo.option.ConnectionUserName</name>
<value>username</value>
</property>
<property>
<name>javax.jdo.option.ConnectionPassword</name>
<value>password</value>
</property>
{code}
But it is possible to specify the credentials as part of the connection url
{code:xml}
<property>
<name>javax.jdo.option.ConnectionURL</name>
<value>jdbc:derby:memory:${test.tmp.dir}/junit_metastore_db;create=true;username=username;password=password</value>
</property>
{code}
While overriding the default configuration values from jpox.properties, the old
and new entries are logged out (ObjectStore#getDataSourceProps())
{code:java}
if (MetastoreConf.isPrintable(varName)) {
LOG.debug("Overriding {} value {} from jpox.properties with {}",
varName, prevVal, confVal);
}
{code}
Since the jdbc url is not marked as unprintable, all of it contents will be
written to debug log.
was (Author: lpinter):
Indeed is similar, but I was thinking of different scenario. In the
hive-site.xml you can provide the connection url and the credentials as
different entries
{code:xml}
<property>
<name>javax.jdo.option.ConnectionURL</name>
<value>jdbc:derby:memory:${test.tmp.dir}/junit_metastore_db;create=true</value>
</property>
<property>
<name>javax.jdo.option.ConnectionUserName</name>
<value>username</value>
</property>
<property>
<name>javax.jdo.option.ConnectionPassword</name>
<value>password</value>
</property>
{code}
But it is possible to specify the credentials as part of the connection url
{code:xml}
<property>
<name>javax.jdo.option.ConnectionURL</name>
<value>jdbc:derby:memory:${test.tmp.dir}/junit_metastore_db;create=true;username=username;password=password</value>
</property>
{code}
While overriding the default configuration values from jpox.properties, the old
and new entries are logged out (ObjectStore#getDataSourceProps())
{code:java}
if (MetastoreConf.isPrintable(varName)) {
LOG.debug("Overriding {} value {} from jpox.properties with {}",
varName, prevVal, confVal);
}
{code}
Since the jdbc url is not marked as unprintable, all of it contents will be
written to debug log.
> jdbc URL can contain sensitive information that should not be logged
> --------------------------------------------------------------------
>
> Key: HIVE-20796
> URL: https://issues.apache.org/jira/browse/HIVE-20796
> Project: Hive
> Issue Type: Improvement
> Components: Hive
> Affects Versions: 4.0.0
> Reporter: Laszlo Pinter
> Assignee: Laszlo Pinter
> Priority: Major
>
> It is possible to put passwords in the jdbc connection url and some jdbc
> drivers will supposedly use that. (derby, mysql). This information is
> considered sensitive, and should be masked out, while logging the connection
> url.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
