Posted to gitbox@hive.apache.org by GitBox <gi...@apache.org> on 2020/07/30 16:28:06 UTC

[GitHub] [hive] risdenk opened a new pull request #1342: HIVE-23958: HiveServer2 should support additional keystore/truststore types besides JKS

risdenk opened a new pull request #1342:
URL: https://github.com/apache/hive/pull/1342


   Ensures that HS2 uses the default JDK keystore/truststore type when interacting with Thrift and Jetty. It isn't possible to add a test for this since a FIPS-compatible keystore/truststore needs a special TLS provider and isn't shipped w/ the JDK. Using JKS or PKCS12 would work in either case since the JDK supports both in JDK 8 and 11.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org


[GitHub] [hive] risdenk commented on pull request #1342: HIVE-23958: HiveServer2 should support additional keystore/truststore types besides JKS

Posted by GitBox <gi...@apache.org>.
risdenk commented on pull request #1342:
URL: https://github.com/apache/hive/pull/1342#issuecomment-668775601


   Rebased to kick off new set of tests.




[GitHub] [hive] risdenk commented on pull request #1342: HIVE-23958: HiveServer2 should support additional keystore/truststore types besides JKS

Posted by GitBox <gi...@apache.org>.
risdenk commented on pull request #1342:
URL: https://github.com/apache/hive/pull/1342#issuecomment-671942388


   Thanks for the review @nrg4878. Is there anything more to do to merge? Thanks!




[GitHub] [hive] nrg4878 commented on pull request #1342: HIVE-23958: HiveServer2 should support additional keystore/truststore types besides JKS

Posted by GitBox <gi...@apache.org>.
nrg4878 commented on pull request #1342:
URL: https://github.com/apache/hive/pull/1342#issuecomment-671400530


   > > The HttpServer has a Builder class that does not have support for setting the keystore type. Should we add a method to the builder to be able to build with a KS type and/or automatically set the default keystore when the KeystorePath/KeystorePassword is set?
   > 
   > This could be a separate change - I don't want to change it here since it didn't seem to have any benefit. The builder isn't used in this code path and instead it is hardcoded to `JKS` inside of Jetty and Thrift. This change passes the JDK preferred keystore type instead of relying on `JKS` being hardcoded by libraries.
   > 
   > I didn't feel it was necessary to expose this as another config option to add to hive-site.xml - since the JDK already has a way to configure this with the `keystore.type` config in the JDK. Since it hasn't come up previously, I'm assuming that no one has tried to change the keystore type in HS2 and so it doesn't need a Hive specific config today. This change doesn't stop someone from adding a config down the line if necessary.
   > 
   > > HiveServer2 class has some SSL settings for WebUI stuff. Should the keystore type also be set here?
   > 
   > The HiveServer2 class eventually falls back to HttpServer to build the Jetty server - so this change covers both the WebUI and other usages by Hive.
   
   Sounds good then. The change looks good to me otherwise.




[GitHub] [hive] risdenk closed pull request #1342: HIVE-23958: HiveServer2 should support additional keystore/truststore types besides JKS

Posted by GitBox <gi...@apache.org>.
risdenk closed pull request #1342:
URL: https://github.com/apache/hive/pull/1342


   




[GitHub] [hive] risdenk commented on pull request #1342: HIVE-23958: HiveServer2 should support additional keystore/truststore types besides JKS

Posted by GitBox <gi...@apache.org>.
risdenk commented on pull request #1342:
URL: https://github.com/apache/hive/pull/1342#issuecomment-673169549


   closed via https://github.com/apache/hive/commit/2b3c689baff857c18164a9610f2854583105734a




[GitHub] [hive] risdenk commented on pull request #1342: HIVE-23958: HiveServer2 should support additional keystore/truststore types besides JKS

Posted by GitBox <gi...@apache.org>.
risdenk commented on pull request #1342:
URL: https://github.com/apache/hive/pull/1342#issuecomment-670584707


   > The HttpServer has a Builder class that does not have support for setting the keystore type. Should we add a method to the builder to be able to build with a KS type and/or automatically set the default keystore when the KeystorePath/KeystorePassword is set?
   
   This could be a separate change - I don't want to change it here since it didn't seem to have any benefit. The builder isn't used in this code path and instead it is hardcoded to `JKS` inside of Jetty and Thrift. This change passes the JDK preferred keystore type instead of relying on `JKS` being hardcoded by libraries.
   
   I didn't feel it was necessary to expose this as another config option to add to hive-site.xml - since the JDK already has a way to configure this with the `keystore.type` config in the JDK. Since it hasn't come up previously, I'm assuming that no one has tried to change the keystore type in HS2 and so it doesn't need a Hive specific config today. This change doesn't stop someone from adding a config down the line if necessary.
   
   > HiveServer2 class has some SSL settings for WebUI stuff. Should the keystore type also be set here?
   
   The HiveServer2 class eventually falls back to HttpServer to build the Jetty server - so this change covers both the WebUI and other usages by Hive. 


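The approach discussed in this thread, shown with plain JDK APIs as an added example (not code from the pull request or from Hive): the store type is taken from `KeyStore.getDefaultType()`, so the JDK's `keystore.type` setting decides it instead of a hardcoded `JKS`. The class name, the helper names and the assumption that the key password equals the store password are illustrative.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class DefaultKeystoreTypeExample {

    // Load a store with the JDK-preferred type rather than a literal "JKS".
    // KeyStore.getDefaultType() returns the `keystore.type` security property
    // and falls back to "jks" when that property is not set.
    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build a TLS context from a keystore and a truststore of the default type.
    // Assumption: the private key password is the same as the keystore password.
    static SSLContext buildContext(Path keystore, char[] ksPass,
                                   Path truststore, char[] tsPass) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keystore, ksPass), ksPass);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststore, tsPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java DefaultKeystoreTypeExample [keystore ksPass truststore tsPass]
    public static void main(String[] args) throws Exception {
        System.out.println("keystore.type property: " + Security.getProperty("keystore.type"));
        System.out.println("KeyStore.getDefaultType(): " + KeyStore.getDefaultType());
        if (args.length == 4) {
            SSLContext ctx = buildContext(Paths.get(args[0]), args[1].toCharArray(),
                                          Paths.get(args[2]), args[3].toCharArray());
            System.out.println("SSLContext protocol: " + ctx.getProtocol());
        }
    }
}
```

Run without arguments, it prints the type the running JDK would select, which is a quick check before deploying a keystore in a different format.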