You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@drill.apache.org by "John Omernik (JIRA)" <ji...@apache.org> on 2015/10/01 17:54:26 UTC

[jira] [Created] (DRILL-3880) sqlline does not allow for a password prompt - security issue

John Omernik created DRILL-3880:
-----------------------------------

             Summary: sqlline does not allow for a password prompt - security issue
                 Key: DRILL-3880
                 URL: https://issues.apache.org/jira/browse/DRILL-3880
             Project: Apache Drill
          Issue Type: Improvement
          Components: Client - CLI
    Affects Versions: 1.1.0
            Reporter: John Omernik
             Fix For: Future


When authentication is enabled in drill, and using sqlline, there is no way to get the sqlline client to prompt for a password. The only option is to specify the password at the command line (-n user -p password) or to log in and then connect.  

This is a security risk, in that now the .bash_history contains the user's password, defeating accountability on the system.  Hive and MYSQL both allow for a -p flag with no value to trigger a prompt for the password that is not logged by .bash_history. 

One work around is to connect after starting sqlline, however, if the sqlline command offers a way to specify the username/password, we should do it in a way that doesn't violate security principles. 





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)