Venugopal Reddy K created HIVE-27308:
----------------------------------------

             Summary: Exposing client keystore and truststore passwords in the 
JDBC URL can be a security concern
                 Key: HIVE-27308
                 URL: https://issues.apache.org/jira/browse/HIVE-27308
             Project: Hive
          Issue Type: Improvement
            Reporter: Venugopal Reddy K


At present, we may have the following keystore and truststore passwords in the 
JDBC URL.
 # trustStorePassword
 # keyStorePassword
 # zooKeeperTruststorePassword
 # zooKeeperKeystorePassword

Exposing these passwords in the URL can be a security concern. All of these 
passwords can be hidden from the JDBC URL by protecting them in a local JCEKS 
keystore file and passing the path of that JCEKS file in the URL instead.

1. Leverage the Hadoop credential provider 
[Link|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html#Overview]
 Create aliases for these passwords in a local JCE keystore as shown below. Store 
all the passwords in the same JCEKS file.

{{hadoop credential create *keyStorePassword* -value 
FDUxmzTxW15xWoaCk6GxLlaoHjnjV9H7iHqCIDxTwoq -provider 
localjceks://file/tmp/store/client_creds.jceks}}

2. Add a new option *storePasswordPath* to the JDBC URL that points to the local 
JCE keystore file storing the password aliases. When an existing password option 
is present in the URL, skip fetching that particular alias from the local JCEKS 
file (i.e., the existing password option takes precedence). If the password 
option is not present in the URL, fetch the password from the local JCEKS file.

JDBC URL may look like: 

{{beeline -u 
"jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;{*}storePasswordPath=localjceks://file/tmp/client_creds.jceks;{*}"}}

3. Hive JDBC can fetch the passwords with the 
[Configuration.getPassword|https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-]
 API.
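The precedence rule from steps 2 and 3, as an added example that is not Hive's own code: a hypothetical StorePasswordResolver uses a password given directly in the URL options when present and otherwise asks Hadoop's Configuration.getPassword for the alias in the JCEKS file named by storePasswordPath. The class name and the Map of already-parsed URL options are assumptions; the Hadoop classes and methods are real.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/** Hypothetical helper illustrating the proposed lookup order; not Hive code. */
public final class StorePasswordResolver {

    /** Proposed JDBC URL option naming the local JCEKS credential provider. */
    public static final String STORE_PASSWORD_PATH = "storePasswordPath";

    private StorePasswordResolver() {}

    /**
     * Resolves the password for {@code alias} (e.g. "trustStorePassword").
     * An explicit URL option wins; otherwise the alias is looked up in the
     * credential provider named by storePasswordPath. Returns null when
     * neither source supplies a value.
     */
    public static char[] resolve(Map<String, String> urlOptions, String alias)
            throws IOException {
        String explicit = urlOptions.get(alias);
        if (explicit != null && !explicit.isEmpty()) {
            return explicit.toCharArray();      // existing option takes precedence
        }
        String providerPath = urlOptions.get(STORE_PASSWORD_PATH);
        if (providerPath == null || providerPath.isEmpty()) {
            return null;                        // no JCEKS file to consult
        }
        // Empty Configuration (no *-site.xml defaults) so that getPassword's
        // fallback to a plain property of the same name cannot pick up
        // an unrelated cleartext value from the classpath.
        Configuration conf = new Configuration(false);
        // Property "hadoop.security.credential.provider.path", e.g.
        // localjceks://file/tmp/client_creds.jceks as in the URL above.
        conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerPath);
        return conf.getPassword(alias);         // char[] from the JCEKS alias, or null
    }

    /** Wipe the secret once it has been handed to the SSL/ZooKeeper context. */
    public static void clear(char[] secret) {
        if (secret != null) {
            Arrays.fill(secret, '\0');
        }
    }
}
```

Because getPassword returns a char[] rather than a String, the caller can overwrite it after use instead of leaving the password in the heap until garbage collection.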



--
This message was sent by Atlassian Jira
(v8.20.10#820010)