Posted to issues@hive.apache.org by "Hive QA (JIRA)" <ji...@apache.org> on 2019/01/25 01:35:00 UTC

[jira] [Commented] (HIVE-21083) Remove the requirement to specify the truststore location when TLS to the database is turned on

    [ https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16751782#comment-16751782 ] 

Hive QA commented on HIVE-21083:
--------------------------------

| (/) *+1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
|| || || || master Compile Tests ||
| 0 | mvndep | 0m 37s | Maven dependency ordering for branch |
| +1 | mvninstall | 7m 4s | master passed |
| +1 | compile | 0m 50s | master passed |
| +1 | checkstyle | 0m 12s | master passed |
| 0 | findbugs | 2m 12s | standalone-metastore/metastore-common in master has 29 extant Findbugs warnings. |
| 0 | findbugs | 1m 5s | standalone-metastore/metastore-server in master has 184 extant Findbugs warnings. |
| +1 | javadoc | 1m 10s | master passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 7s | Maven dependency ordering for patch |
| +1 | mvninstall | 0m 57s | the patch passed |
| +1 | compile | 0m 52s | the patch passed |
| +1 | javac | 0m 52s | the patch passed |
| +1 | checkstyle | 0m 12s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | findbugs | 3m 29s | the patch passed |
| +1 | javadoc | 1m 4s | the patch passed |
|| || || || Other Tests ||
| +1 | asflicense | 0m 12s | The patch does not generate ASF License warnings. |
| | | 20m 40s | |

|| Subsystem || Report/Notes ||
| Optional Tests |  asflicense  javac  javadoc  findbugs  checkstyle  compile  |
| uname | Linux hiveptest-server-upstream 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /data/hiveptest/working/yetus_PreCommit-HIVE-Build-15787/dev-support/hive-personality.sh |
| git revision | master / 1327d47 |
| Default Java | 1.8.0_111 |
| findbugs | v3.0.0 |
| modules | C: standalone-metastore/metastore-common standalone-metastore/metastore-server U: standalone-metastore |
| Console output | http://104.198.109.242/logs//PreCommit-HIVE-Build-15787/yetus.txt |
| Powered by | Apache Yetus    http://yetus.apache.org |


This message was automatically generated.



> Remove the requirement to specify the truststore location when TLS to the database is turned on
> -----------------------------------------------------------------------------------------------
>
>                 Key: HIVE-21083
>                 URL: https://issues.apache.org/jira/browse/HIVE-21083
>             Project: Hive
>          Issue Type: Improvement
>          Components: Metastore, Standalone Metastore
>    Affects Versions: 4.0.0
>            Reporter: Morio Ramdenbourg
>            Assignee: Morio Ramdenbourg
>            Priority: Major
>         Attachments: HIVE-21083.patch
>
>
> In the current implementation, [ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382] throws an exception if TLS to the database is turned on (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location (_metastore.dbaccess.ssl.truststore.path_) is not specified.
> However, according to the [JSSE (Java 8) documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization], the Java truststore file location system property (_javax.net.ssl.trustStore_) defaults to using the "_jssecacerts_, if it exists. Otherwise, _cacerts_" files. These are the default truststores that come with the Java installation and contain a list of well-known certificate authorities.
> It was identified that one valid way of configuring TLS is by adding to these default files. In that case, no changes to the truststore properties are necessary. We should support this case by changing the following logic to remove the requirement for the truststore file location config property:
> {code:java}
> String trustStorePath = MetastoreConf.getVar(conf, 
>         ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
> if (trustStorePath.isEmpty()) {
>         throw new IllegalArgumentException("SSL to the database store has been enabled but " + 
>         ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
>         + "Set this property to enable SSL.");
> }
> {code}
> We should also loosen the requirement on the truststore password if the user decides to use the Java defaults.
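
The relaxed check described in the issue above, as an added example that is not the HIVE-21083 patch or Hive code: an empty truststore path leaves the JSSE properties untouched so the JVM falls back to _jssecacerts_ or _cacerts_, while a path that is set but unreadable is still rejected. The class and method names are hypothetical, the path and password are passed as plain strings instead of being read from MetastoreConf, and failing fast on an unreadable path is a choice made for this example.

```java
import java.io.File;

public class DbTrustStoreExample {

    /** Location JSSE falls back to when javax.net.ssl.trustStore is unset. */
    static String jsseDefaultTrustStore() {
        File dir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jssecacerts = new File(dir, "jssecacerts");
        return jssecacerts.isFile() ? jssecacerts.getPath() : new File(dir, "cacerts").getPath();
    }

    /**
     * Applies the truststore settings for TLS to the database and returns the
     * truststore location that will be in effect. Path and password are optional.
     */
    static String configureTrustStore(String trustStorePath, String trustStorePassword) {
        String path = trustStorePath == null ? "" : trustStorePath.trim();
        if (path.isEmpty()) {
            // Nothing configured: do not throw and do not touch the JSSE properties.
            // A -Djavax.net.ssl.trustStore given on the command line still wins;
            // otherwise the JVM uses jssecacerts if present, else cacerts.
            String preset = System.getProperty("javax.net.ssl.trustStore");
            return (preset != null && !preset.isEmpty()) ? preset : jsseDefaultTrustStore();
        }
        File store = new File(path);
        if (!store.isFile() || !store.canRead()) {
            // An explicit but unusable path is a configuration error, not a reason
            // to fall back silently to the default CA bundle.
            throw new IllegalArgumentException("Truststore " + path + " does not exist or is not readable");
        }
        System.setProperty("javax.net.ssl.trustStore", path);
        if (trustStorePassword != null && !trustStorePassword.isEmpty()) {
            // The password is optional as well; only export it when one was given.
            System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        }
        return path;
    }

    public static void main(String[] args) {
        // Constructed inputs: an empty path, then a placeholder path that does not exist.
        System.out.println("effective truststore: " + configureTrustStore("", null));
        try {
            configureTrustStore("/nonexistent/placeholder-truststore.jks", "unused");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the fallback in effect, the database certificate has to chain to a CA already present in the default files, which is the "adding to these default files" case the issue describes.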


