[ https://issues.apache.org/jira/browse/HIVE-27308?focusedWorklogId=860153&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-860153 ]

ASF GitHub Bot logged work on HIVE-27308:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/May/23 19:17
            Start Date: 02/May/23 19:17
    Worklog Time Spent: 10m 
      Work Description: sonarcloud[bot] commented on PR #4282:
URL: https://github.com/apache/hive/pull/4282#issuecomment-1532017031

   Kudos, SonarCloud Quality Gate passed!
   (https://sonarcloud.io/dashboard?id=apache_hive&pullRequest=4282)

   Bug: rating A, 0 Bugs
   Vulnerability: rating A, 0 Vulnerabilities
   Security Hotspot: rating A, 0 Security Hotspots
   Code Smell: rating A, 0 Code Smells
   No Coverage information
   No Duplication information

Issue Time Tracking
-------------------

    Worklog Id:     (was: 860153)
    Time Spent: 20m  (was: 10m)

> Exposing client keystore and truststore passwords in the JDBC URL can be a 
> security concern
> -------------------------------------------------------------------------------------------
>
>                 Key: HIVE-27308
>                 URL: https://issues.apache.org/jira/browse/HIVE-27308
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Venugopal Reddy K
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> At present, we may have the following keystore and truststore passwords in 
> the JDBC URL.
>  # trustStorePassword
>  # keyStorePassword
>  # zooKeeperTruststorePassword
>  # zooKeeperKeystorePassword
> Exposing these passwords in the URL can be a security concern. We can hide all 
> these passwords from the JDBC URL by protecting them in a local JCEKS keystore 
> file and passing the JCEKS file in the URL instead.
> 1. Leverage the Hadoop credential provider 
> [Link|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html#Overview]
>  Create aliases for these passwords in a local JCE keystore as below. Store 
> all the passwords in the same JCEKS file.
> {{hadoop credential create *keyStorePassword* -value 
> FDUxmzTxW15xWoaCk6GxLlaoHjnjV9H7iHqCIDxTwoq -provider 
> localjceks://file/tmp/store/client_creds.jceks}}
> 2. Add a new option *storePasswordPath* to the JDBC URL that points to the 
> local JCE keystore file storing the password aliases. When the existing 
> password option is present in the URL, we can skip fetching that particular 
> alias from the local JCEKS (i.e., giving preference to the existing password 
> option). And if the password option is not present in the URL, we can fetch 
> the password from the local JCEKS.
> The JDBC URL may look like: 
> {{beeline -u 
> "jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;{*}storePasswordPath=localjceks://file/tmp/client_creds.jceks;{*}"}}
> 3. Hive JDBC can fetch the passwords with the 
> [Configuration.getPassword|https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-]
>  API
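One way the client-side precedence rule in steps 2 and 3 could be implemented, shown here as an added illustration rather than code from the PR or from Hive itself. It assumes hadoop-common on the classpath; `parseSessionVars` is a simplified stand-in for Hive's own JDBC URL parser, and `STORE_PASSWORD_PATH` is the option name the description proposes.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/** Resolves the keystore/truststore passwords for a hive2 JDBC session. */
public final class StorePasswordResolver {
  // The four password options HIVE-27308 wants to keep out of the URL.
  static final String[] PASSWORD_KEYS = {
      "trustStorePassword", "keyStorePassword",
      "zooKeeperTruststorePassword", "zooKeeperKeystorePassword"};
  // Proposed new URL option pointing at the local JCEKS file (hypothetical).
  static final String STORE_PASSWORD_PATH = "storePasswordPath";

  /** Simplified parser for the ';'-separated session variables of a hive2 URL. */
  static Map<String, String> parseSessionVars(String jdbcUrl) {
    Map<String, String> vars = new LinkedHashMap<>();
    int start = jdbcUrl.indexOf(';');
    if (start < 0) return vars;
    for (String kv : jdbcUrl.substring(start + 1).split(";")) {
      int eq = kv.indexOf('=');
      if (eq > 0) vars.put(kv.substring(0, eq), kv.substring(eq + 1));
    }
    return vars;
  }

  /** A password given in the URL wins; otherwise its alias is read from the JCEKS. */
  static Map<String, char[]> resolve(Map<String, String> vars) throws IOException {
    Configuration conf = new Configuration();
    String providerPath = vars.get(STORE_PASSWORD_PATH);
    if (providerPath != null) {
      // Same property the "hadoop credential" CLI uses to locate the store.
      conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerPath);
    }
    Map<String, char[]> out = new LinkedHashMap<>();
    for (String key : PASSWORD_KEYS) {
      char[] pw = null;
      if (vars.containsKey(key)) {
        pw = vars.get(key).toCharArray();   // explicit URL option takes precedence
      } else if (providerPath != null) {
        pw = conf.getPassword(key);          // alias from the JCEKS; null if not stored
      }
      if (pw != null) out.put(key, pw);
    }
    return out;
  }
}
```

Callers should overwrite the returned char arrays once the SSL context has been built, so the secrets do not outlive the connection setup.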



--
This message was sent by Atlassian Jira
(v8.20.10#820010)