[
https://issues.apache.org/jira/browse/HIVE-20992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16713566#comment-16713566
]
Morio Ramdenbourg commented on HIVE-20992:
------------------------------------------
Also, adding Shims back is not necessary. The method
[MetastoreConf.getPassword()|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java#L1695-L1711]
takes care of this for us. It already handles secure password access, and
automatically checks from the CredentialsProvider.
> Split the config "hive.metastore.dbaccess.ssl.properties" into more
> meaningful configs
> --------------------------------------------------------------------------------------
>
> Key: HIVE-20992
> URL: https://issues.apache.org/jira/browse/HIVE-20992
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Security, Standalone Metastore
> Affects Versions: 4.0.0
> Reporter: Morio Ramdenbourg
> Assignee: Morio Ramdenbourg
> Priority: Minor
> Attachments: HIVE-20992.patch
>
>
> HIVE-13044 brought in the ability to enable TLS encryption from the HMS
> Service to the HMSDB by configuring the following two properties:
> # _javax.jdo.option.ConnectionURL_: JDBC connect string for a JDBC
> metastore. To use SSL to encrypt/authenticate the connection, provide
> database-specific SSL flag in the connection URL. (E.g.
> "jdbc:postgresql://myhost/db?ssl=true")
> # _hive.metastore.dbaccess.ssl.properties_: Comma-separated SSL properties
> for metastore to access database when JDO connection URL. (E.g.
> javax.net.ssl.trustStore=/tmp/truststore,javax.net.ssl.trustStorePassword=pwd)
> However, the latter configuration option is opaque and poses some problems.
> The most glaring of which is it takes in _any_
> [java.lang.System|https://docs.oracle.com/javase/7/docs/api/java/lang/System.html]
> system property, whether it is
> [TLS-related|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization]
> or not. This can cause some unintended side-effects for other components of
> the HMS, especially if it overrides an already-set system property. If the
> user truly wishes to add an unrelated Java property, setting it statically
> using the "-D" option of the _java_ command is more appropriate. Secondly,
> the truststore password is stored in plain text. We should add Hadoop Shims
> back to the HMS to prevent exposing these passwords, but this effort can be
> done after this ticket.
> I propose we deprecate _hive.metastore.dbaccess.ssl.properties_, and add the
> following properties:
> * *_hive.metastore.dbaccess.use.SSL_*
> ** Set this to true to for using SSL/TLS encryption from the HMS Service to
> the HMS backend store
> ** Default: false
> * *_javax.net.ssl.trustStore_*
> ** Truststore location
> ** Default: None
> ** E.g. _/tmp/truststore_
> * *_javax.net.ssl.trustStorePassword_*
> ** Truststore password
> ** Default: None
> ** E.g. _password_
> * *_javax.net.ssl.trustStoreType_*
> ** Truststore type
> ** Default: JKS
> ** E.g. _pkcs12_
> We should guide the user towards an easier TLS configuration experience. This
> is the minimum configuration necessary to configure TLS to the HMSDB. If we
> need other options, such as the keystore location/password for
> dual-authentication, then we can add those on afterwards.
> Also, document these changes -
> [javax.jdo.option.ConnectionURL|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-javax.jdo.option.ConnectionURL]
> does not have up-to-date documentation, and these new parameters will need
> documentation as well.
> Note "TLS" refers to both SSL and TLS. TLS is simply the successor of SSL.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
