You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "Morio Ramdenbourg (JIRA)" <ji...@apache.org> on 2018/12/16 01:50:00 UTC
[jira] [Updated] (HIVE-21047) Read the HMS backend database
password and truststore password during PersistenceManagerFactory
initialization time
[ https://issues.apache.org/jira/browse/HIVE-21047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Morio Ramdenbourg updated HIVE-21047:
-------------------------------------
Description:
This was pointed out by [~vihangk1] as part of the review for [HIVE-20992|https://issues.apache.org/jira/browse/HIVE-20992].
As part of the redaction of the _javax.jdo.option.ConnectionPassword_ and _metastore.dbaccess.ssl.truststore.password_ properties, they both use the [Hadoop Credential Provider API|https://hadoop.apache.org/docs/r3.1.1/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html] to prevent the passwords from being stored in plain text.
However, these are both being read in [setConf()|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L198-L247] in ObjectStore, thereby calling the expensive decrypt during every new database connection initialization despite these values almost never changing.
We should instead move these reads into the PersistenceManagerFactory [initPMF()|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/PersistenceManagerProvider.java#L227-L273] method and cache their values so they are only read once when the HMS starts.
was:
This was pointed out by [~vihangk1] as part of the review for [HIVE-20992|https://issues.apache.org/jira/browse/HIVE-20992].
As part of the redaction of the _javax.jdo.option.ConnectionPassword_ and _metastore.dbaccess.ssl.truststore.password_ properties, they both use the [Hadoop Credential Provider API|https://hadoop.apache.org/docs/r3.1.1/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html] to prevent the passwords from being stored in plain text.
However, these are both being read in during every new database connection initialization in [setConf()|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L198-L247] in ObjectStore, thereby calling the expensive decrypt every time despite these values almost never changing.
We should instead move these reads into the PersistenceManagerFactory [initPMF()|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/PersistenceManagerProvider.java#L227-L273] method and cache their values so they are only read once when the HMS starts.
> Read the HMS backend database password and truststore password during PersistenceManagerFactory initialization time
> -------------------------------------------------------------------------------------------------------------------
>
> Key: HIVE-21047
> URL: https://issues.apache.org/jira/browse/HIVE-21047
> Project: Hive
> Issue Type: Improvement
> Components: Standalone Metastore
> Affects Versions: 4.0.0
> Reporter: Morio Ramdenbourg
> Priority: Major
>
> This was pointed out by [~vihangk1] as part of the review for [HIVE-20992|https://issues.apache.org/jira/browse/HIVE-20992].
> As part of the redaction of the _javax.jdo.option.ConnectionPassword_ and _metastore.dbaccess.ssl.truststore.password_ properties, they both use the [Hadoop Credential Provider API|https://hadoop.apache.org/docs/r3.1.1/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html] to prevent the passwords from being stored in plain text.
> However, these are both being read in [setConf()|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L198-L247] in ObjectStore, thereby calling the expensive decrypt during every new database connection initialization despite these values almost never changing.
> We should instead move these reads into the PersistenceManagerFactory [initPMF()|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/PersistenceManagerProvider.java#L227-L273] method and cache their values so they are only read once when the HMS starts.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)