[
https://issues.apache.org/jira/browse/HIVE-14889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15549667#comment-15549667
]
Sergio Peña commented on HIVE-14889:
------------------------------------
I think the best approach would be to avoid printing the environment variables
on the client side as it might contain other sensitive values for users that we
don't know. However, we don't know the impact of removing this, so with your
first approach to mask all variables that contain 'password' or 'pass' works
should be good.
> Beeline leaks environment variables of HiveServer2 when you type set;
> ---------------------------------------------------------------------
>
> Key: HIVE-14889
> URL: https://issues.apache.org/jira/browse/HIVE-14889
> Project: Hive
> Issue Type: Bug
> Components: Beeline
> Reporter: Vihang Karajgaonkar
> Assignee: Vihang Karajgaonkar
>
> When you type set; beeline prints all the environment variables including
> passwords which could be major security risk. Eg: HADOOP_CREDENTIAL_PASSWORD
> below is leaked.
> {noformat}
> | env:HADOOP_CREDSTORE_PASSWORD=password |
> | env:HADOOP_DATANODE_OPTS=-Dhadoop.security.logger=ERROR,RFAS |
> | env:HADOOP_HOME_WARN_SUPPRESS=true |
> | env:HADOOP_IDENT_STRING=vihang |
> | env:HADOOP_PID_DIR= |
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
