You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hive.apache.org by "Todd Nemet (JIRA)" <ji...@apache.org> on 2015/04/03 20:39:53 UTC

[jira] [Created] (HIVE-10211) Hive2 JDBC connection errors can leak database credential information

Todd Nemet created HIVE-10211:
---------------------------------

             Summary: Hive2 JDBC connection errors can leak database credential information
                 Key: HIVE-10211
                 URL: https://issues.apache.org/jira/browse/HIVE-10211
             Project: Hive
          Issue Type: Improvement
          Components: JDBC
    Affects Versions: 0.14.0
            Reporter: Todd Nemet
            Priority: Minor


In jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java, the string returned when there is an exception includes the entire JDBC connection string. This can leak credential information if there is a problem like a network error.

In our application (Looker) we have to capture every area where an exception can occur and filter out the password. It would be better if the driver took care of this by replacing the password with something like [FILTERED]. 

Here is an example string:
Java::JavaSql::SQLException: Could not open connection to jdbc:hive2://localhost:21050/;user=test;password=secret: java.net.ConnectException: Connection refused



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)