Posted to issues@hive.apache.org by "Morio Ramdenbourg (JIRA)" <ji...@apache.org> on 2018/12/01 00:24:00 UTC

[jira] [Comment Edited] (HIVE-20992) Split the config "hive.metastore.dbaccess.ssl.properties" into more meaningful configs

    [ https://issues.apache.org/jira/browse/HIVE-20992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16705507#comment-16705507 ] 

Morio Ramdenbourg edited comment on HIVE-20992 at 12/1/18 12:23 AM:
--------------------------------------------------------------------

Thanks for the feedback everyone. I'll keep the existing property deprecated, while having the new properties take precedence over it.

[~vihangk1], it was mainly intended for consistency purposes, since there is already a property [hive.metastore.use.SSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java#L982-L983] on the HMS client to HMS Service side. My intent for it was to simply use it as a toggle for whether these new properties will be added/used or not, similar to the logic [here|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java#L9265-L9284]. It won't modify the JDO connectionURL - the _ssl=true_ part will still need to be inputted manually on the JDO connection string.


was (Author: mramdenbourg):
Thanks for the feedback everyone. I'll keep the existing property deprecated, while having the new properties take precedence over it.

[~vihangk1], it was mainly intended for consistency purposes, since there is already a property [hive.metastore.use.SSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java#L982-L983] on the HMS client to HMS Service side. My intent for it was to simply use it as a toggle for whether these new properties are set or not, similar to the logic [here|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java#L9265-L9284]. It won't modify the JDO connectionURL - the _ssl=true_ part will still need to be inputted manually on the JDO connection string.

> Split the config "hive.metastore.dbaccess.ssl.properties" into more meaningful configs
> --------------------------------------------------------------------------------------
>
>                 Key: HIVE-20992
>                 URL: https://issues.apache.org/jira/browse/HIVE-20992
>             Project: Hive
>          Issue Type: Improvement
>          Components: Metastore, Security, Standalone Metastore
>    Affects Versions: 4.0.0
>            Reporter: Morio Ramdenbourg
>            Assignee: Morio Ramdenbourg
>            Priority: Minor
>
> HIVE-13044 brought in the ability to enable TLS encryption from the HMS Service to the HMSDB by configuring the following two properties:
>  # _javax.jdo.option.ConnectionURL_: JDBC connect string for a JDBC metastore. To use SSL to encrypt/authenticate the connection, provide database-specific SSL flag in the connection URL. (E.g. "jdbc:postgresql://myhost/db?ssl=true")
>  # _hive.metastore.dbaccess.ssl.properties_: Comma-separated SSL properties for metastore to access database when JDO connection URL. (E.g. javax.net.ssl.trustStore=/tmp/truststore,javax.net.ssl.trustStorePassword=pwd)
> However, the latter configuration option is opaque and poses some problems. The most glaring of which is it takes in _any_ [java.lang.System|https://docs.oracle.com/javase/7/docs/api/java/lang/System.html] system property, whether it is [TLS-related|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization] or not. This can cause some unintended side-effects for other components of the HMS, especially if it overrides an already-set system property. If the user truly wishes to add an unrelated Java property, setting it statically using the "-D" option of the _java_ command is more appropriate. Secondly, the truststore password is stored in plain text. We should add Hadoop Shims back to the HMS to prevent exposing these passwords, but this effort can be done after this ticket.
> I propose we split _hive.metastore.dbaccess.ssl.properties_ into the following properties:
>  * *_hive.metastore.dbaccess.ssl.use.SSL_*
>  ** Set this to true to use TLS encryption from the HMS Service to the HMSDB
>  * *_hive.metastore.dbaccess.ssl.truststore.path_*
>  ** TLS truststore file location
>  ** Java property: _javax.net.ssl.trustStore_
>  ** E.g. _/tmp/truststore_
>  * *_hive.metastore.dbaccess.ssl.truststore.password_*
>  ** Password of the truststore file
>  ** Java property: _javax.net.ssl.trustStorePassword_
>  ** E.g. _pwd_
>  * _*hive.metastore.dbaccess.ssl.truststore.type*_
>  ** Type of the truststore file
>  ** Java property: _javax.net.ssl.trustStoreType_
>  ** E.g. _JKS_
> We should guide the user towards an easier TLS configuration experience. This is the minimum configuration necessary to configure TLS to the HMSDB. If we need other options, such as the keystore location/password for dual-authentication, then we can add those on afterwards.
> Also, document these changes - [javax.jdo.option.ConnectionURL|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-javax.jdo.option.ConnectionURL] does not have up-to-date documentation, and these new parameters will need documentation as well.
> Note "TLS" refers to both SSL and TLS. TLS is simply the successor of SSL.
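As an added illustration of the concern in the ticket description, the following standalone Java class contrasts the legacy handling of hive.metastore.dbaccess.ssl.properties (every "key=value" pair becomes a JVM system property, TLS-related or not) with the gated, allow-listed wiring the split properties would permit. This is example code written for this page, not Hive's MetastoreConf or HiveMetaStore code; the property names are the ones proposed in the ticket, but the methods, the use of a java.util.Properties object in place of System.getProperties(), and the sample values are assumptions made here.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Added illustration for HIVE-20992; this is NOT Hive code. It contrasts the
 * legacy opaque hive.metastore.dbaccess.ssl.properties handling with the split
 * properties proposed in the ticket. A java.util.Properties object stands in
 * for System.getProperties() so the example never modifies the real JVM.
 */
public class DbAccessSslConfigExample {

    // Names proposed in the ticket; the wiring below is hypothetical.
    static final String USE_SSL = "hive.metastore.dbaccess.ssl.use.SSL";
    static final String TRUSTSTORE_PATH = "hive.metastore.dbaccess.ssl.truststore.path";
    static final String TRUSTSTORE_PASSWORD = "hive.metastore.dbaccess.ssl.truststore.password";
    static final String TRUSTSTORE_TYPE = "hive.metastore.dbaccess.ssl.truststore.type";

    /**
     * Legacy behaviour: every "key=value" pair in the comma-separated string is
     * applied as a system property, whether or not it has anything to do with TLS,
     * and it silently overwrites any value that was already set.
     */
    static Properties applyLegacy(String sslProps, Properties sysProps) {
        if (sslProps == null || sslProps.trim().isEmpty()) {
            return sysProps;
        }
        for (String pair : sslProps.split(",")) {
            int eq = pair.indexOf('=');
            if (eq < 1) {
                continue; // malformed entry: skipped, no validation of the key itself
            }
            sysProps.setProperty(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
        }
        return sysProps;
    }

    /**
     * Proposed behaviour: gated on use.SSL, and only the three javax.net.ssl.*
     * keys named in the ticket can ever be written. Unknown keys have no way in.
     */
    static Properties applySplit(Map<String, String> conf, Properties sysProps) {
        if (!Boolean.parseBoolean(conf.getOrDefault(USE_SSL, "false"))) {
            return sysProps; // TLS disabled: leave the JVM untouched
        }
        String path = conf.get(TRUSTSTORE_PATH);
        if (path == null || path.trim().isEmpty()) {
            throw new IllegalArgumentException(USE_SSL + " is true but " + TRUSTSTORE_PATH + " is not set");
        }
        sysProps.setProperty("javax.net.ssl.trustStore", path.trim());
        String password = conf.get(TRUSTSTORE_PASSWORD);
        if (password != null && !password.isEmpty()) {
            sysProps.setProperty("javax.net.ssl.trustStorePassword", password);
        }
        String type = conf.get(TRUSTSTORE_TYPE);
        if (type != null && !type.trim().isEmpty()) {
            sysProps.setProperty("javax.net.ssl.trustStoreType", type.trim());
        }
        return sysProps;
    }

    public static void main(String[] args) {
        // Constructed sample: one TLS setting plus an unrelated JVM property in the same string.
        Properties legacy = new Properties();
        legacy.setProperty("user.timezone", "America/Los_Angeles"); // pretend another component set this
        applyLegacy("javax.net.ssl.trustStore=/tmp/truststore,user.timezone=UTC", legacy);
        System.out.println("legacy trustStore    = " + legacy.getProperty("javax.net.ssl.trustStore"));
        System.out.println("legacy user.timezone = " + legacy.getProperty("user.timezone")); // overwritten to UTC

        Map<String, String> conf = new LinkedHashMap<>();
        conf.put(USE_SSL, "true");
        conf.put(TRUSTSTORE_PATH, "/tmp/truststore");
        conf.put(TRUSTSTORE_PASSWORD, "pwd");
        conf.put(TRUSTSTORE_TYPE, "JKS");
        conf.put("user.timezone", "UTC"); // ignored: not one of the known keys
        Properties split = new Properties();
        split.setProperty("user.timezone", "America/Los_Angeles");
        applySplit(conf, split);
        System.out.println("split trustStore     = " + split.getProperty("javax.net.ssl.trustStore"));
        System.out.println("split trustStoreType = " + split.getProperty("javax.net.ssl.trustStoreType"));
        System.out.println("split user.timezone  = " + split.getProperty("user.timezone")); // unchanged
    }
}
```

Two things the example deliberately leaves as the ticket describes them: it does not touch the JDO connection URL, so the database-specific ssl=true flag still has to be present there, and the truststore password is still carried in plain text in the configuration, which the ticket defers to a later Hadoop Shims change.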



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)