You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2023/05/02 18:07:00 UTC

[jira] [Work logged] (HIVE-27308) Exposing client keystore and truststore passwords in the JDBC URL can be a security concern

     [ https://issues.apache.org/jira/browse/HIVE-27308?focusedWorklogId=860148&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-860148 ]

ASF GitHub Bot logged work on HIVE-27308:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/May/23 18:06
            Start Date: 02/May/23 18:06
    Worklog Time Spent: 10m 
      Work Description: VenuReddy2103 opened a new pull request, #4282:
URL: https://github.com/apache/hive/pull/4282

   ### What changes were proposed in this pull request?
   Added a new property `storePasswordPath` to JDBC URL that point to the local JCE keystore file storing the password aliases. When an existing password property is present in URL, ignores to fetch that particular alias from local jceks(i.e., giving preference to existing password property). And if password property is not present in URL, fetches the password from local jceks file specified in `storePasswordPath` property.  Hive JDBC can obtains the passwords with [Configuration.getPassword](https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-) API to read the password from jceks file.
   
   JDBC URL would look like - 
   `beeline -u "jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;**storePasswordPath=localjceks://file/tmp/client_creds.jceks;**"`
   
   ### Why are the changes needed?
   At present, we may have trustStorePassword, keyStorePassword, zooKeeperTruststorePassword, zooKeeperKeystorePassword passwords in the JDBC URL. Exposing these passwords in URL can be a security concern. We can hide all these passwords from JDBC URL when we protect these passwords in a local JCEKS keystore file and pass the JCEKS file path to URL instead.
   
   ### Does this PR introduce _any_ user-facing change?
   Optional `storePasswordPath` property is supported in JDBC URL. Existing `trustStorePassword, keyStorePassword, zooKeeperTruststorePassword, zooKeeperKeystorePassword` properties continue to exist and are supported in JDBC URL without any change in their behavior. When password(s) and storePasswordPath properties are present in URL, password(s) property is preferred. `storePasswordPath` property is effective only when password(s) property is not in JDBC URL.
   
   ### How was this patch tested?
   Tested manually




Issue Time Tracking
-------------------

            Worklog Id:     (was: 860148)
    Remaining Estimate: 0h
            Time Spent: 10m

> Exposing client keystore and truststore passwords in the JDBC URL can be a security concern
> -------------------------------------------------------------------------------------------
>
>                 Key: HIVE-27308
>                 URL: https://issues.apache.org/jira/browse/HIVE-27308
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Venugopal Reddy K
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> At present, we may have the following keystore and truststore passwords in the JDBC URL.
>  # trustStorePassword
>  # keyStorePassword
>  # zooKeeperTruststorePassword
>  # zooKeeperKeystorePassword
> Exposing these passwords in URL can be a security concern. Can hide all these passwords from JDBC URL when we protect these passwords in a local JCEKS keystore file and pass the JCEKS file to URL instead.
> 1. Leverage the hadoop credential provider [Link|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html#Overview] Create aliases for these passwords in a local JCE keystore like below. Store all the passwords in the same JCEKS files.
> {{hadoop credential create *keyStorePassword* -value FDUxmzTxW15xWoaCk6GxLlaoHjnjV9H7iHqCIDxTwoq -provider localjceks://file/tmp/store/client_creds.jceks}}
> 2. Add a new option *storePasswordPath* to JDBC URL that point to the local JCE keystore file storing the password aliases. When the existing password option is present in URL, can ignore to fetch that particular alias from local jceks(i.e., giving preference to existing password option). And if password option is not present in URL, can fetch the password from local jceks.
> JDBC URL may look like: 
> {{beeline -u "jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;{*}storePasswordPath=localjceks://file/tmp/client_creds.jceks;{*}"}}
> 3. Hive JDBC can fetch the passwords with [Configuration.getPassword|https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-] API



--
This message was sent by Atlassian Jira
(v8.20.10#820010)