[ https://issues.apache.org/jira/browse/HIVE-27308?focusedWorklogId=861217&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-861217 ]
ASF GitHub Bot logged work on HIVE-27308:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/May/23 15:01
            Start Date: 09/May/23 15:01
    Worklog Time Spent: 10m
      Work Description:
    VenuReddy2103 commented on PR #4282:
    URL: https://github.com/apache/hive/pull/4282#issuecomment-1540314918

       @saihemanth-cloudera @dengzhhu653 Could you please help review this PR

Issue Time Tracking
-------------------

    Worklog Id:     (was: 861217)
    Time Spent:     40m  (was: 0.5h)

> Exposing client keystore and truststore passwords in the JDBC URL can be a security concern
> -------------------------------------------------------------------------------------------
>
>                 Key: HIVE-27308
>                 URL: https://issues.apache.org/jira/browse/HIVE-27308
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Venugopal Reddy K
>            Assignee: Venugopal Reddy K
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> At present, we may have the following keystore and truststore passwords in the JDBC URL.
> # trustStorePassword
> # keyStorePassword
> # zooKeeperTruststorePassword
> # zooKeeperKeystorePassword
> Exposing these passwords in the URL can be a security concern. We can hide all these passwords from the JDBC URL when we protect these passwords in a local JCEKS keystore file and pass the JCEKS file to the URL instead.
> 1. Leverage the hadoop credential provider [Link|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html#Overview]
> Create aliases for these passwords in a local JCE keystore like below. Store all the passwords in the same JCEKS file.
> {{hadoop credential create *keyStorePassword* -value FDUxmzTxW15xWoaCk6GxLlaoHjnjV9H7iHqCIDxTwoq -provider localjceks://file/tmp/store/client_creds.jceks}}
> 2. Add a new option *storePasswordPath* to the JDBC URL that points to the local JCE keystore file storing the password aliases. When the existing password option is present in the URL, we can skip fetching that particular alias from the local jceks (i.e., giving preference to the existing password option). And if the password option is not present in the URL, we can fetch the password from the local jceks.
> The JDBC URL may look like:
> {{beeline -u "jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;{*}storePasswordPath=localjceks://file/tmp/client_creds.jceks;{*}"}}
> 3. Hive JDBC can fetch the passwords with the [Configuration.getPassword|https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-] API

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
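The three steps quoted in the issue description, worked through as an added Java example that is not code from HIVE-27308 or PR #4282: a resolver that gives a password option present in the JDBC URL precedence over the alias of the same name in the local JCEKS store named by storePasswordPath, and reads the alias through Hadoop's Configuration.getPassword. The class name JdbcPasswordResolver, the resolve and parseUrlParams helpers, the simplified ";key=value" URL parsing and the inline value "inline-secret" are assumptions made for illustration; the alias names and the localjceks store path are the ones given in the issue.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/**
 * Illustrative resolver (hypothetical, not Hive's implementation) for the
 * scheme proposed in HIVE-27308: a password option present in the JDBC URL
 * wins; otherwise the alias of the same name is read from the local JCEKS
 * store named by the storePasswordPath URL option via Configuration.getPassword.
 */
public final class JdbcPasswordResolver {

  /** Alias names are the JDBC URL option names listed in the issue. */
  static final String[] PASSWORD_OPTIONS = {
      "trustStorePassword", "keyStorePassword",
      "zooKeeperTruststorePassword", "zooKeeperKeystorePassword"};

  static final String STORE_PATH_OPTION = "storePasswordPath";

  /**
   * Parses the ";key=value" session-variable part of a hive2 JDBC URL.
   * Simplified for illustration; Hive's own URL parser handles more cases.
   */
  static Map<String, String> parseUrlParams(String jdbcUrl) {
    Map<String, String> params = new HashMap<>();
    int semi = jdbcUrl.indexOf(';');
    if (semi < 0) {
      return params;
    }
    for (String kv : jdbcUrl.substring(semi + 1).split(";")) {
      int eq = kv.indexOf('=');
      if (eq > 0) {
        params.put(kv.substring(0, eq), kv.substring(eq + 1));
      }
    }
    return params;
  }

  /** Returns the password for {@code option}, or null when neither source has it. */
  static char[] resolve(Map<String, String> urlParams, String option) throws IOException {
    String inUrl = urlParams.get(option);
    if (inUrl != null && !inUrl.isEmpty()) {
      return inUrl.toCharArray();           // explicit URL option takes precedence
    }
    String storePath = urlParams.get(STORE_PATH_OPTION);
    if (storePath == null || storePath.isEmpty()) {
      return null;                          // no JCEKS store to fall back to
    }
    Configuration conf = new Configuration();
    // Point the Hadoop credential provider API at the client-side JCEKS file,
    // e.g. localjceks://file/tmp/client_creds.jceks as in the issue.
    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, storePath);
    // Do not let getPassword fall back to a clear-text property of the same
    // name: a missing alias should surface as null, not as a silent downgrade.
    conf.setBoolean("hadoop.security.credential.clear-text-fallback", false);
    return conf.getPassword(option);        // null if the alias is absent
  }

  public static void main(String[] args) throws IOException {
    // Constructed URL: keyStorePassword is given inline only to show the
    // precedence rule; the other passwords come from JCEKS aliases, if present.
    String url = "jdbc:hive2://kvr-host:10001/default;ssl=true;"
        + "sslTrustStore=/tmp/truststore.jks;sslKeyStore=/tmp/keystore.jks;"
        + "keyStorePassword=inline-secret;"
        + "storePasswordPath=localjceks://file/tmp/client_creds.jceks";
    Map<String, String> params = parseUrlParams(url);
    for (String option : PASSWORD_OPTIONS) {
      char[] pw = resolve(params, option);
      // Report only where each password came from; never print the value itself.
      String source = params.containsKey(option) ? "URL option"
          : pw != null ? "JCEKS alias" : "not configured";
      System.out.println(option + ": " + source);
      if (pw != null) {
        Arrays.fill(pw, '\0');              // clear the secret once it is no longer needed
      }
    }
  }
}
```

Compile and run it with hadoop-common on the classpath after populating the store with the `hadoop credential create ... -provider localjceks://file/tmp/client_creds.jceks` command quoted in the issue; the localjceks scheme is resolved by the credential provider factory from the path set on the Configuration, so no core-site.xml entry is needed on the client.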