[
https://issues.apache.org/jira/browse/HIVE-20992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Morio Ramdenbourg updated HIVE-20992:
-------------------------------------
Attachment: HIVE-20992.6.patch
Status: Patch Available (was: In Progress)
> Split the config "hive.metastore.dbaccess.ssl.properties" into more
> meaningful configs
> --------------------------------------------------------------------------------------
>
> Key: HIVE-20992
> URL: https://issues.apache.org/jira/browse/HIVE-20992
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Security, Standalone Metastore
> Affects Versions: 4.0.0
> Reporter: Morio Ramdenbourg
> Assignee: Morio Ramdenbourg
> Priority: Minor
> Attachments: HIVE-20992.2.patch, HIVE-20992.3.patch,
> HIVE-20992.4.patch, HIVE-20992.5.patch, HIVE-20992.6.patch, HIVE-20992.patch
>
>
> HIVE-13044 brought in the ability to enable TLS encryption from the HMS
> Service to the HMSDB by configuring the following two properties:
> # _javax.jdo.option.ConnectionURL_: JDBC connect string for a JDBC
> metastore. To use SSL to encrypt/authenticate the connection, provide
> database-specific SSL flag in the connection URL. (E.g.
> "jdbc:postgresql://myhost/db?ssl=true")
> # _hive.metastore.dbaccess.ssl.properties_: Comma-separated SSL properties
> for metastore to access database when JDO connection URL. (E.g.
> javax.net.ssl.trustStore=/tmp/truststore,javax.net.ssl.trustStorePassword=pwd)
> However, the latter configuration option is opaque and poses some problems.
> The most glaring of which is it takes in _any_
> [java.lang.System|https://docs.oracle.com/javase/7/docs/api/java/lang/System.html]
> system property, whether it is
> [TLS-related|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization]
> or not. This can cause some unintended side-effects for other components of
> the HMS, especially if it overrides an already-set system property. If the
> user truly wishes to add an unrelated Java property, setting it statically
> using the "-D" option of the _java_ command is more appropriate. Secondly,
> the truststore password is stored in plain text. We should add Hadoop Shims
> back to the HMS to prevent exposing these passwords, but this effort can be
> done after this ticket.
> I propose we deprecate _hive.metastore.dbaccess.ssl.properties_, and add the
> following properties:
> * *_hive.metastore.dbaccess.ssl.use.SSL (metastore.dbaccess.ssl.use.SSL)_*
> ** Set this to true to for using SSL/TLS encryption from the HMS Service to
> the HMS backend store
> ** Default: false
> * _*hive.metastore.dbaccess.ssl.truststore.path
> (metastore.dbaccess.ssl.truststore.path)*_
> ** Truststore location
> ** Directly maps to _javax.net.ssl.trustStore_ System property
> ** Default: None
> ** E.g. _/tmp/truststore_
> * *_hive.metastore.dbaccess.ssl.truststore.password
> (metastore.dbaccess.ssl.truststore.password)_*
> ** Truststore password
> ** Directly maps to _javax.net.ssl.trustStorePassword_ System property
> ** Default: None
> ** E.g. _password_
> * *_hive.metastore.dbaccess.ssl.truststore.type
> (metastore.dbaccess.ssl.truststore.type)_*
> ** Truststore type
> ** Directly maps to _javax.net.ssl.trustStoreType_ System property
> ** Default: JKS
> ** E.g. _pkcs12_
> We should guide the user towards an easier TLS configuration experience. This
> is the minimum configuration necessary to configure TLS to the HMSDB. If we
> need other options, such as the keystore location/password for
> dual-authentication, then we can add those on afterwards.
> Also, document these changes -
> [javax.jdo.option.ConnectionURL|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-javax.jdo.option.ConnectionURL]
> does not have up-to-date documentation, and these new parameters will need
> documentation as well.
> Note "TLS" refers to both SSL and TLS. TLS is simply the successor of SSL.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
