Posted to issues@hive.apache.org by "Morio Ramdenbourg (JIRA)" <ji...@apache.org> on 2019/01/03 23:14:00 UTC

[jira] [Updated] (HIVE-21083) Remove the requirement to specify the truststore file location when TLS to the database is turned on

     [ https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Morio Ramdenbourg updated HIVE-21083:
-------------------------------------
    Description: 
[ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382] throws an exception if TLS to the database is turned on (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location (_metastore.dbaccess.ssl.truststore.path_) is not specified.

However, according to the [JSSE (Java 8) documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization], the Java truststore file location system property (_javax.net.ssl.trustStore_) defaults to using the "_jssecacerts_, if it exists. Otherwise, _cacerts_" files. These are the default truststores that come with the Java installation and contain a list of well-known certificate authorities.

One valid way of supplying certificates to trust is by appending to these default files. In that case, no config changes (other than turning SSL on) are necessary. We should support this case by changing the following logic to remove the requirement for the truststore file location config property:

{code:java}
String trustStorePath = MetastoreConf.getVar(conf, 
        ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
if (trustStorePath.isEmpty()) {
        throw new IllegalArgumentException("SSL to the database store has been enabled but " + 
        ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
        + "Set this property to enable SSL.");
}
{code}

Additionally, we should not set the truststore file location and password values if they are empty. Instead, we should just ignore them.


  was:
[ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382] throws an exception if TLS to the database is turned on (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location (_metastore.dbaccess.ssl.truststore.path_) is not specified.

However, according to the [JSSE (Java 8) documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization], the Java truststore file location system property (_javax.net.ssl.trustStore_) defaults to using the "_jssecacerts_, if it exists. Otherwise, _cacerts_" files. These are the default truststores that come with the Java installation and contain a list of well-known certificate authorities.

One valid way of supplying certificates to trust is by appending to these default files. In that case, no config changes (other than turning SSL on) are necessary. We should support this case by changing the following logic to remove the requirement for the truststore file location config property:

{code:java}
String trustStorePath = MetastoreConf.getVar(conf, 
        ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
if (trustStorePath.isEmpty()) {
        throw new IllegalArgumentException("SSL to the database store has been enabled but " + 
        ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
        + "Set this property to enable SSL.");
}

Additionally, we should also not set the truststore file location and password values if they are empty. Instead, we should just ignore them.
{code}



> Remove the requirement to specify the truststore file location when TLS to the database is turned on
> ----------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-21083
>                 URL: https://issues.apache.org/jira/browse/HIVE-21083
>             Project: Hive
>          Issue Type: Improvement
>          Components: Metastore, Standalone Metastore
>    Affects Versions: 4.0.0
>            Reporter: Morio Ramdenbourg
>            Assignee: Morio Ramdenbourg
>            Priority: Major
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
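The JSSE fallback the issue relies on (jssecacerts if it exists, otherwise cacerts, under ${java.home}/lib/security) and the proposed non-throwing logic, written out as an added example. This is not Hive's ObjectStore code and not part of the JIRA; the class and method names, the hypothetical path /etc/hive/conf/db-truststore.jks and the password "changeit" are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;

/**
 * Added example (not Hive's code): the truststore handling HIVE-21083 asks
 * for, next to the JSSE default-truststore lookup it depends on.
 */
public class DbTrustStoreConfig {

    /** JSSE rule: ${java.home}/lib/security/jssecacerts if it exists, otherwise cacerts. */
    static Path resolveDefaultTrustStore() {
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    /**
     * Proposed behaviour: with SSL on, an empty truststore path is not an error.
     * Empty values are not published as system properties at all, so JSSE keeps
     * using its default truststore (and its default password handling).
     */
    static void configureSsl(boolean useSsl, String trustStorePath, String trustStorePassword) {
        if (!useSsl) {
            return;
        }
        String path = trustStorePath == null ? "" : trustStorePath.trim();
        if (!path.isEmpty()) {
            System.setProperty("javax.net.ssl.trustStore", path);
        }
        String password = trustStorePassword == null ? "" : trustStorePassword;
        if (!password.isEmpty()) {
            System.setProperty("javax.net.ssl.trustStorePassword", password);
        }
    }

    /** The file JSSE will use: the explicit property when set, else the default file. */
    static Path effectiveTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        return (explicit == null || explicit.isEmpty()) ? resolveDefaultTrustStore() : Paths.get(explicit);
    }

    /**
     * Counts certificate entries in a truststore. A null password skips the
     * integrity check, which is fine for inspection and lets this read the JDK's
     * cacerts without knowing its password; never do this for trust decisions.
     */
    static int countTrustedCerts(Path trustStore) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStore.toFile())) {
            ks.load(in, null);
        }
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Case 1: SSL on, nothing else configured. No exception; JSSE defaults apply.
        configureSsl(true, "", "");
        Path effective = effectiveTrustStore();
        System.out.println("javax.net.ssl.trustStore set: "
                + (System.getProperty("javax.net.ssl.trustStore") != null));
        System.out.println("Effective truststore: " + effective);
        System.out.println("Trusted certificate entries: " + countTrustedCerts(effective));

        // Case 2: explicit truststore (hypothetical path and password): the property is set and wins.
        configureSsl(true, "/etc/hive/conf/db-truststore.jks", "changeit");
        System.out.println("Effective truststore: " + effectiveTrustStore());
    }
}
```

Compile and run with `javac DbTrustStoreConfig.java && java DbTrustStoreConfig`; case 1 reports the JDK's own jssecacerts or cacerts and its certificate count, case 2 reports the explicit path. One caveat worth keeping in mind when reviewing the change: javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword are JVM-wide system properties, so whatever configureSSL publishes applies to every TLS client in the metastore process, not only the JDBC connection to the backing database.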