You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hive.apache.org by "Venugopal Reddy K (Jira)" <ji...@apache.org> on 2023/05/03 13:37:00 UTC

[jira] [Assigned] (HIVE-27308) Exposing client keystore and truststore passwords in the JDBC URL can be a security concern

     [ https://issues.apache.org/jira/browse/HIVE-27308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Venugopal Reddy K reassigned HIVE-27308:
----------------------------------------

    Assignee: Venugopal Reddy K

> Exposing client keystore and truststore passwords in the JDBC URL can be a security concern
> -------------------------------------------------------------------------------------------
>
>                 Key: HIVE-27308
>                 URL: https://issues.apache.org/jira/browse/HIVE-27308
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Venugopal Reddy K
>            Assignee: Venugopal Reddy K
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> At present, we may have the following keystore and truststore passwords in the JDBC URL.
>  # trustStorePassword
>  # keyStorePassword
>  # zooKeeperTruststorePassword
>  # zooKeeperKeystorePassword
> Exposing these passwords in URL can be a security concern. Can hide all these passwords from JDBC URL when we protect these passwords in a local JCEKS keystore file and pass the JCEKS file to URL instead.
> 1. Leverage the hadoop credential provider [Link|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html#Overview] Create aliases for these passwords in a local JCE keystore like below. Store all the passwords in the same JCEKS files.
> {{hadoop credential create *keyStorePassword* -value FDUxmzTxW15xWoaCk6GxLlaoHjnjV9H7iHqCIDxTwoq -provider localjceks://file/tmp/store/client_creds.jceks}}
> 2. Add a new option *storePasswordPath* to JDBC URL that point to the local JCE keystore file storing the password aliases. When the existing password option is present in URL, can ignore to fetch that particular alias from local jceks(i.e., giving preference to existing password option). And if password option is not present in URL, can fetch the password from local jceks.
> JDBC URL may look like: 
> {{beeline -u "jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;{*}storePasswordPath=localjceks://file/tmp/client_creds.jceks;{*}"}}
> 3. Hive JDBC can fetch the passwords with [Configuration.getPassword|https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-] API



--
This message was sent by Atlassian Jira
(v8.20.10#820010)