Posted to dev@nifi.apache.org by Milan Das <md...@interset.com> on 2018/03/12 13:49:51 UTC

HiveConnectionPool URL with trustStorePasswrd

Hello folks,

I am connecting to a Hive environment with TLS security on. In order to do that, I need to send trustStorePassword in the Hive2 URL. As the configuration is in controller services, I am not able to find a way to set the trustStorePassword in encrypted format.

Wondering if there is a way to set trustStorePassword in encrypted format?

 

Database ConnectionUrl: jdbc:hive2://ip-xxx-xx-x-xxx.ec2.internal:10000/default;principal=hive/_HOST@CO.ACME.COM;ssl=true;sslTrustStore=/etc/hadoop/ssl/truststore.jks;trustStorePassword=password

 

Regards,

 

Milan Das
Sr. System Architect
email: mdas@interset.com
mobile: +1 678 216 5660
www.interset.com

 

 


Re: HiveConnectionPool URL with trustStorePasswrd

Posted by Matt Burgess <ma...@apache.org>.
Milan,

You could subclass the existing HiveConnectionPool, add a property for
key/truststore password that is sensitive, then build the URL manually
during a call to getConnection(). Then the rest of the URL would not
have to remain sensitive, if that is preferable.  You might even
consider an SSLContext property rather than just passwords, then you
can get all that info from the SSLContext controller service and build
the URL from there.

Regards,
Matt

On Wed, Mar 14, 2018 at 3:11 PM, Milan Das <md...@interset.com> wrote:
> We are going to use a custom controller and mark the URL as a sensitive property. The client doesn’t want to make any password visible.
>
>
>
> Regards,
>
> Milan

Re: HiveConnectionPool URL with trustStorePasswrd

Posted by Milan Das <md...@interset.com>.
We are going to use a custom controller and mark the URL as a sensitive property. The client doesn’t want to make any password visible.

 

Regards,

Milan

 

From: Andy LoPresto <al...@apache.org>
Reply-To: <de...@nifi.apache.org>
Date: Monday, March 12, 2018 at 4:00 PM
To: <de...@nifi.apache.org>
Subject: Re: HiveConnectionPool URL with trustStorePasswrd

 

Milan,

 

I am also not aware of any way to use an encrypted value in the JDBC connection string. In my understanding, the truststore password is only used to verify the integrity of the truststore which is used locally (i.e. not transmitted) to accept the remote endpoint’s TLS certificate. 

 

You could probably write a custom controller service replacing HiveConnectionPool [1] which implemented HiveDBCPService and marked the connection string as a sensitive property, so it would be encrypted on disk by NiFi and not revealed over the API, but it might be difficult to use in this way because the entire connection string would be hidden in the UI. You could also theoretically have separate property descriptors for the connection string and truststore password and construct the connection string yourself internally, but this is probably overkill.  

 

[1] https://nifi.apache.org/docs/nifi-docs/components/org.apache.nifi/nifi-hive-nar/1.5.0/org.apache.nifi.dbcp.hive.HiveConnectionPool/index.html

 

 


Re: HiveConnectionPool URL with trustStorePasswrd

Posted by Andy LoPresto <al...@apache.org>.
Milan,

I am also not aware of any way to use an encrypted value in the JDBC connection string. In my understanding, the truststore password is only used to verify the integrity of the truststore which is used locally (i.e. not transmitted) to accept the remote endpoint’s TLS certificate.

You could probably write a custom controller service replacing HiveConnectionPool [1] which implemented HiveDBCPService and marked the connection string as a sensitive property, so it would be encrypted on disk by NiFi and not revealed over the API, but it might be difficult to use in this way because the entire connection string would be hidden in the UI. You could also theoretically have separate property descriptors for the connection string and truststore password and construct the connection string yourself internally, but this is probably overkill.

[1] https://nifi.apache.org/docs/nifi-docs/components/org.apache.nifi/nifi-hive-nar/1.5.0/org.apache.nifi.dbcp.hive.HiveConnectionPool/index.html


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Mar 12, 2018, at 12:27 PM, Pierre Villard <pi...@gmail.com> wrote:
> 
> Hi Milan,
> 
> As far as I know, there is not. It's the same when you connect with the
> beeline client from a node.
> Note that you can set the chmod/chown of the truststore file to be only
> readable by the user running nifi. It should help prevent unauthorized
> access.
> 
> Pierre
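
Added example (not part of the thread, and not NiFi or Hive code): the URL assembly that Matt's subclass suggestion and Andy's separate-property-descriptor suggestion both rely on, where the visible connection URL carries no password and the sensitive value is appended in memory. The class and method names are hypothetical; in a controller service the password would come from a PropertyDescriptor built with sensitive(true).

```java
import java.util.Arrays;

// Added illustration. HiveUrlAssembler and its methods are hypothetical names,
// not NiFi or Hive API.
public final class HiveUrlAssembler {
    private static final String KEY = "trustStorePassword=";

    // Session variables (ssl, sslTrustStore, ...) end where the Hive conf list ('?')
    // or the Hive variable list ('#') begins.
    private static int sessionVarsEnd(String url) {
        int end = url.length();
        for (char delim : new char[] {'?', '#'}) {
            int i = url.indexOf(delim);
            if (i >= 0) end = Math.min(end, i);
        }
        return end;
    }

    // Builds the full URL in memory from the visible base URL and the separately held password.
    static String withTrustStorePassword(String baseUrl, char[] password) {
        if (!baseUrl.startsWith("jdbc:hive2://"))
            throw new IllegalArgumentException("not a Hive2 JDBC URL");
        if (baseUrl.contains(KEY))
            throw new IllegalArgumentException("password must not appear in the visible URL");
        for (char c : password)
            if (c == ';' || c == '?' || c == '#')
                throw new IllegalArgumentException("password contains a URL delimiter");
        int end = sessionVarsEnd(baseUrl);
        String head = baseUrl.substring(0, end);
        String sep = head.endsWith(";") ? "" : ";";
        return head + sep + KEY + new String(password) + baseUrl.substring(end);
    }

    // Masks the password value before the URL reaches a log line or error message.
    static String redact(String url) {
        return url.replaceAll("(trustStorePassword=)[^;?#]*", "$1********");
    }

    public static void main(String[] args) {
        // Constructed sample: the thread's URL without the password, plus a Hive conf list.
        String base = "jdbc:hive2://ip-xxx-xx-x-xxx.ec2.internal:10000/default"
                + ";principal=hive/_HOST@CO.ACME.COM;ssl=true"
                + ";sslTrustStore=/etc/hadoop/ssl/truststore.jks?hive.exec.parallel=true";
        char[] pw = "password".toCharArray(); // would come from a sensitive property in NiFi
        String full = withTrustStorePassword(base, pw);
        Arrays.fill(pw, '\0'); // the String copy inside 'full' still holds the value
        System.out.println(redact(full));
    }
}
```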

Re: HiveConnectionPool URL with trustStorePasswrd

Posted by Pierre Villard <pi...@gmail.com>.
Hi Milan,

As far as I know, there is not. It's the same when you connect with the
beeline client from a node.
Note that you can set the chmod/chown of the truststore file to be only
readable by the user running nifi. It should help prevent unauthorized
access.

Pierre

2018-03-12 14:49 GMT+01:00 Milan Das <md...@interset.com>:

> Hello folks,
>
> I am connecting to a Hive environment with TLS security on. In order to do
> that, I need to send trustStorePassword in the Hive2 URL. As the configuration is
> in controller services, I am not able to find a way to set the
> trustStorePassword in encrypted format.
>
> Wondering if there is a way to set trustStorePassword in encrypted format?
>
>
>
> Database ConnectionUrl: jdbc:hive2://ip-xxx-xx-x-xxx.ec2.internal:10000/default;principal=hive/_HOST@CO.ACME.COM;ssl=true;sslTrustStore=/etc/hadoop/ssl/truststore.jks;trustStorePassword=password