[ https://issues.apache.org/jira/browse/HIVE-25929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490765#comment-17490765 ]
László Bodor commented on HIVE-25929:
-------------------------------------

thanks [~asolimando], makes sense

{code}
For the first option, I'd rather set it to "fs.azure.account.oauth2.client.secret" + the S3 counterpart, and use "hive.conf.hidden.list" in SetProcessor and remove ("hive.conf.hidden.list" minus "fs.azure.account.oauth2.client.secret") from the config sent to the executors (by changing "stripHiddenConfigurations").
{code}

so you would use a new property to declare "exclusion from hidden list", like "forcing properties to be propagated"...this seems more convenient, as we need to declare fewer variables here (only secrets needed by execution engines), but we need to be as convenient with naming as possible, as excluding something from an exclusion/hidden list is already confusing at first sight

could it be like:
"hive.conf.hidden.list.exclusion.exec.engines" <-- I don't like this either, maybe it would be easier to find a better name if I didn't want to force the original scope ("conf.hidden.list") to appear

so from this point of view:
"hive.conf.propagate.exec.engines"
default value: ''

and I'll take care of making a clear explanation in HiveConf

> Let secret config properties to be propagated to Tez
> ----------------------------------------------------
>
>                 Key: HIVE-25929
>                 URL: https://issues.apache.org/jira/browse/HIVE-25929
>             Project: Hive
>          Issue Type: Bug
>            Reporter: László Bodor
>            Assignee: László Bodor
>            Priority: Major
>
> History in chronological order:
> HIVE-10508: removed some passwords from config that's propagated to execution engines
> HIVE-9013: introduced hive.conf.hidden.list, which is used instead of the hardcoded list in HIVE-10508
> the problem with HIVE-9013 is it's about to introduce a common method for removing sensitive data from Configuration, which absolutely makes sense in most of the cases (set command showing sensitive data), but can cause issues e.g. while using non-secure cloud connectors on a cluster, where instead of the hadoop credential provider API (which is considered the secure and proper way), passwords/secrets appear in the Configuration object (like: "fs.azure.account.oauth2.client.secret")
> 2 possible solutions:
> 1. introduce a new property like: "hive.conf.hidden.list.exec.engines" -> which defaults to "hive.conf.hidden.list" (configurable, but maybe just more confusing to users, having a new config property which should be understood and maintained on a cluster)
> 2. simply revert DAGUtils to use the old stripHivePasswordDetails introduced by HIVE-10508 (convenient, less confusing for users, but cannot be configured)

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
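
The semantics proposed in the comment above, as an added sketch that is not Hive code and not part of the original message: the `set` view strips everything in "hive.conf.hidden.list", while the view sent to the execution engine strips the hidden list minus "hive.conf.propagate.exec.engines". The class `HiddenConfDemo` and the helpers `parseList` and `strip` are hypothetical, a plain `Map` stands in for the Hadoop `Configuration`, stripping is modelled as key removal (an assumption), and all values are constructed.

```java
import java.util.*;

// Added sketch, not Hive code: a plain Map stands in for the Hadoop Configuration.
public class HiddenConfDemo {

    // Parse a comma-separated property value such as hive.conf.hidden.list ('' yields an empty set).
    static Set<String> parseList(String csv) {
        Set<String> out = new LinkedHashSet<>();
        for (String s : csv.split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }

    // Copy of conf without the hidden keys, except those named in 'propagate' (removal is an assumption).
    static Map<String, String> strip(Map<String, String> conf, Set<String> hidden, Set<String> propagate) {
        Map<String, String> out = new TreeMap<>(conf);
        for (String key : hidden) {
            if (!propagate.contains(key)) out.remove(key);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample configuration; the secret values are placeholders.
        Map<String, String> conf = new HashMap<>();
        conf.put("hive.execution.engine", "tez");
        conf.put("javax.jdo.option.ConnectionPassword", "metastore-pw");
        conf.put("fs.azure.account.oauth2.client.secret", "azure-secret");
        conf.put("hive.conf.hidden.list", "javax.jdo.option.ConnectionPassword,fs.azure.account.oauth2.client.secret");
        conf.put("hive.conf.propagate.exec.engines", "fs.azure.account.oauth2.client.secret");

        Set<String> hidden = parseList(conf.get("hive.conf.hidden.list"));
        Set<String> propagate = parseList(conf.get("hive.conf.propagate.exec.engines"));

        // A propagate entry that is not in the hidden list has no effect; flag it for review.
        for (String k : propagate) {
            if (!hidden.contains(k)) System.out.println("WARN not in hidden list: " + k);
        }

        // View for the set command: everything in the hidden list is stripped.
        System.out.println("set view:  " + strip(conf, hidden, Collections.emptySet()).keySet());
        // View sent to Tez: the hidden list minus the propagate list is stripped.
        System.out.println("exec view: " + strip(conf, hidden, propagate).keySet());
    }
}
```

With the default value '' for the propagate property, both views are identical, so only keys an operator lists explicitly leave the hidden set on the way to the executors.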