[
https://issues.apache.org/jira/browse/HIVE-20992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16705507#comment-16705507
]
Morio Ramdenbourg edited comment on HIVE-20992 at 12/1/18 12:23 AM:
--------------------------------------------------------------------
Thanks for the feedback everyone. I'll keep the existing property deprecated,
while having the new properties take precedence over it.
[~vihangk1], it was mainly intended for consistency purposes, since there is
already a property
[hive.metastore.use.SSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java#L982-L983]
on the HMS client to HMS Service side. My intent for it was to simply use it
as a toggle for whether these new properties will be added/used or not, similar
to the logic
[here|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java#L9265-L9284].
It won't modify the JDO connectionURL - the _ssl=true_ part will still need to
be inputted manually on the JDO connection string.
was (Author: mramdenbourg):
Thanks for the feedback everyone. I'll keep the existing property deprecated,
while having the new properties take precedence over it.
[~vihangk1], it was mainly intended for consistency purposes, since there is
already a property
[hive.metastore.use.SSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java#L982-L983]
on the HMS client to HMS Service side. My intent for it was to simply use it
as a toggle for whether these new properties are set or not, similar to the
logic
[here|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java#L9265-L9284].
It won't modify the JDO connectionURL - the _ssl=true_ part will still need to
be inputted manually on the JDO connection string.
> Split the config "hive.metastore.dbaccess.ssl.properties" into more
> meaningful configs
> --------------------------------------------------------------------------------------
>
> Key: HIVE-20992
> URL: https://issues.apache.org/jira/browse/HIVE-20992
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Security, Standalone Metastore
> Affects Versions: 4.0.0
> Reporter: Morio Ramdenbourg
> Assignee: Morio Ramdenbourg
> Priority: Minor
>
> HIVE-13044 brought in the ability to enable TLS encryption from the HMS
> Service to the HMSDB by configuring the following two properties:
> # _javax.jdo.option.ConnectionURL_: JDBC connect string for a JDBC
> metastore. To use SSL to encrypt/authenticate the connection, provide
> database-specific SSL flag in the connection URL. (E.g.
> "jdbc:postgresql://myhost/db?ssl=true")
> # _hive.metastore.dbaccess.ssl.properties_: Comma-separated SSL properties
> for metastore to access database when JDO connection URL. (E.g.
> javax.net.ssl.trustStore=/tmp/truststore,javax.net.ssl.trustStorePassword=pwd)
> However, the latter configuration option is opaque and poses some problems.
> The most glaring of which is it takes in _any_
> [java.lang.System|https://docs.oracle.com/javase/7/docs/api/java/lang/System.html]
> system property, whether it is
> [TLS-related|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization]
> or not. This can cause some unintended side-effects for other components of
> the HMS, especially if it overrides an already-set system property. If the
> user truly wishes to add an unrelated Java property, setting it statically
> using the "-D" option of the _java_ command is more appropriate. Secondly,
> the truststore password is stored in plain text. We should add Hadoop Shims
> back to the HMS to prevent exposing these passwords, but this effort can be
> done after this ticket.
> I propose we split _hive.metastore.dbaccess.ssl.properties_ into the
> following properties:
> * *_hive.metastore.dbaccess.ssl.use.SSL_*
> ** Set this to true to use TLS encryption from the HMS Service to the HMSDB
> * *_hive.metastore.dbaccess.ssl.truststore.path_*
> ** TLS truststore file location
> ** Java property: _javax.net.ssl.trustStore_
> ** E.g. _/tmp/truststore_
> * *_hive.metastore.dbaccess.ssl.truststore.password_*
> ** Password of the truststore file
> ** Java property: _javax.net.ssl.trustStorePassword_
> ** E.g. _pwd_
> * _*hive.metastore.dbaccess.ssl.truststore.type*_
> ** Type of the truststore file
> ** Java property: _javax.net.ssl.trustStoreType_
> ** E.g. _JKS_
> We should guide the user towards an easier TLS configuration experience. This
> is the minimum configuration necessary to configure TLS to the HMSDB. If we
> need other options, such as the keystore location/password for
> dual-authentication, then we can add those on afterwards.
> Also, document these changes -
> [javax.jdo.option.ConnectionURL|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-javax.jdo.option.ConnectionURL]
> does not have up-to-date documentation, and these new parameters will need
> documentation as well.
> Note "TLS" refers to both SSL and TLS. TLS is simply the successor of SSL.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
