[ 
https://issues.apache.org/jira/browse/HIVE-27308?focusedWorklogId=860148&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-860148
 ]

ASF GitHub Bot logged work on HIVE-27308:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/May/23 18:06
            Start Date: 02/May/23 18:06
    Worklog Time Spent: 10m 
      Work Description: VenuReddy2103 opened a new pull request, #4282:
URL: https://github.com/apache/hive/pull/4282

   ### What changes were proposed in this pull request?
   Added a new property `storePasswordPath` to the JDBC URL that points to the local 
JCE keystore file storing the password aliases. When an existing password 
property is present in the URL, that particular alias is not fetched from the local 
jceks (i.e., giving preference to the existing password property). And if the password 
property is not present in the URL, the password is fetched from the local jceks file 
specified in the `storePasswordPath` property. Hive JDBC can obtain the passwords 
with the 
[Configuration.getPassword](https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-)
 API to read the password from the jceks file.
   
   JDBC URL would look like - 
   `beeline -u "jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;**storePasswordPath=localjceks://file/tmp/client_creds.jceks;**"`
   
   ### Why are the changes needed?
   At present, we may have trustStorePassword, keyStorePassword, 
zooKeeperTruststorePassword, zooKeeperKeystorePassword passwords in the JDBC 
URL. Exposing these passwords in URL can be a security concern. We can hide all 
these passwords from JDBC URL when we protect these passwords in a local JCEKS 
keystore file and pass the JCEKS file path to URL instead.
   
   ### Does this PR introduce _any_ user-facing change?
   Optional `storePasswordPath` property is supported in JDBC URL. Existing 
`trustStorePassword, keyStorePassword, zooKeeperTruststorePassword, 
zooKeeperKeystorePassword` properties continue to exist and are supported in 
JDBC URL without any change in their behavior. When password(s) and 
storePasswordPath properties are present in URL, password(s) property is 
preferred. `storePasswordPath` property is effective only when password(s) 
property is not in JDBC URL.
   
   ### How was this patch tested?
   Tested manually




Issue Time Tracking
-------------------

            Worklog Id:     (was: 860148)
    Remaining Estimate: 0h
            Time Spent: 10m

> Exposing client keystore and truststore passwords in the JDBC URL can be a 
> security concern
> -------------------------------------------------------------------------------------------
>
>                 Key: HIVE-27308
>                 URL: https://issues.apache.org/jira/browse/HIVE-27308
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Venugopal Reddy K
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> At present, we may have the following keystore and truststore passwords in 
> the JDBC URL.
>  # trustStorePassword
>  # keyStorePassword
>  # zooKeeperTruststorePassword
>  # zooKeeperKeystorePassword
> Exposing these passwords in URL can be a security concern. We can hide all these 
> passwords from JDBC URL when we protect these passwords in a local JCEKS 
> keystore file and pass the JCEKS file to URL instead.
> 1. Leverage the hadoop credential provider 
> [Link|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html#Overview]
>  Create aliases for these passwords in a local JCE keystore like below. Store 
> all the passwords in the same JCEKS files.
> {{hadoop credential create *keyStorePassword* -value 
> FDUxmzTxW15xWoaCk6GxLlaoHjnjV9H7iHqCIDxTwoq -provider 
> localjceks://file/tmp/store/client_creds.jceks}}
> 2. Add a new option *storePasswordPath* to JDBC URL that points to the local 
> JCE keystore file storing the password aliases. When the existing password 
> option is present in URL, can skip fetching that particular alias from 
> local jceks (i.e., giving preference to existing password option). And if 
> password option is not present in URL, can fetch the password from local 
> jceks.
> JDBC URL may look like: 
> {{beeline -u 
> "jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;{*}storePasswordPath=localjceks://file/tmp/client_creds.jceks;{*}"}}
> 3. Hive JDBC can fetch the passwords with the 
> [Configuration.getPassword|https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-] API
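The precedence described in the pull request and in the issue above, as an added illustration in Java (not Hive's own code): a password given directly in the URL is used as-is; otherwise, when `storePasswordPath` is set, the same key is looked up as an alias through Hadoop's `Configuration.getPassword`. The `JdbcPasswordResolver` class and its `resolve` method are hypothetical, the sample URL parameters are constructed, and a JCEKS file created with `hadoop credential create` as the issue describes is assumed at the given path.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

// Hypothetical helper, not Hive's code: URL password property first,
// then the alias of the same name in the JCEKS file named by storePasswordPath.
public final class JdbcPasswordResolver {
    static final String STORE_PASSWORD_PATH = "storePasswordPath";
    // Password properties listed in the issue.
    static final String[] PASSWORD_KEYS = {
        "trustStorePassword", "keyStorePassword",
        "zooKeeperTruststorePassword", "zooKeeperKeystorePassword"};
    private final Map<String, String> urlParams;
    private final Configuration conf = new Configuration(false); // no site XML

    JdbcPasswordResolver(Map<String, String> urlParams) {
        this.urlParams = urlParams;
        String storePath = urlParams.get(STORE_PASSWORD_PATH);
        if (storePath != null) {
            // e.g. localjceks://file/tmp/client_creds.jceks; getPassword consults it
            conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, storePath);
        }
    }

    /** Returns the password for key, or null when neither source supplies it. */
    char[] resolve(String key) throws IOException {
        String inUrl = urlParams.get(key);
        if (inUrl != null) {
            return inUrl.toCharArray(); // explicit URL property is preferred
        }
        if (!urlParams.containsKey(STORE_PASSWORD_PATH)) {
            return null; // no keystore to consult
        }
        // Asks each credential provider for the alias (by default falling back
        // to a clear-text property of the same name in conf); null if absent.
        return conf.getPassword(key);
    }

    public static void main(String[] args) throws IOException {
        Map<String, String> params = Map.of( // constructed sample URL parameters
            "ssl", "true", "sslTrustStore", "/tmp/truststore.jks",
            STORE_PASSWORD_PATH, "localjceks://file/tmp/client_creds.jceks");
        JdbcPasswordResolver r = new JdbcPasswordResolver(params);
        for (String key : PASSWORD_KEYS) {
            char[] pw = r.resolve(key);
            System.out.println(key + ": " + (pw == null ? "<not found>" : "resolved"));
            if (pw != null) Arrays.fill(pw, '\0'); // scrub the copy once used
        }
    }
}
```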



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
