You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@drill.apache.org by "John Omernik (JIRA)" <ji...@apache.org> on 2015/10/01 17:54:26 UTC
[jira] [Created] (DRILL-3880) sqlline does not allow for a password
prompt - security issue
John Omernik created DRILL-3880:
-----------------------------------
Summary: sqlline does not allow for a password prompt - security issue
Key: DRILL-3880
URL: https://issues.apache.org/jira/browse/DRILL-3880
Project: Apache Drill
Issue Type: Improvement
Components: Client - CLI
Affects Versions: 1.1.0
Reporter: John Omernik
Fix For: Future
When authentication is enabled in drill, and using sqlline, there is no way to get the sqlline client to prompt for a password. The only option is to specify the password at the command line (-n user -p password) or to log in and then connect.
This is a security risk, in that now the .bash_history contains the user's password, defeating accountability on the system. Hive and MYSQL both allow for a -p flag with no value to trigger a prompt for the password that is not logged by .bash_history.
One work around is to connect after starting sqlline, however, if the sqlline command offers a way to specify the username/password, we should do it in a way that doesn't violate security principles.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)