drill-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ted Dunning <ted.dunn...@gmail.com>
Subject Re: Sqlline Tricks
Date Wed, 03 Feb 2016 23:24:08 GMT
If you specify a file name on the sqlline command line, that file will be
treated as a properties file which can specify user and password.

An attacker could see the file name on the [ps ax] output, but they
wouldn't be able to read the props file.  If that file is deleted shortly
after starting sqlline, even better.

So you can write the user and password to such a file:

touch props$$
chmod 600 props$$
cat >> props$$ <<!
user=$user
password=$mypassword
url=$url
!
(sleep 5 ; rm props$$) &
sqlline props$$


The deletion of the properties file is a bit racy, but it should work fine
unless sqlline decides to take forever to start.


On Wed, Feb 3, 2016 at 2:44 PM, Christopher Matta <cmatta@mapr.com> wrote:

> Good point about the ps, I can imagine a workaround using expect for now… I
> attempted to use heredoc but it didn’t really work:
>
>  sqlline <<< '!connect jdbc:drill:'
> could not load a native library: netty-transport-native-epoll
> apache drill 1.4.0
> "a drill is a terrible thing to waste"
> 0: jdbc:drill:> !connect jdbc:drill:
> Enter username for jdbc:drill:: Enter password for jdbc:drill::
> java.lang.NullPointerException
>         at java.util.Hashtable.put(Hashtable.java:514)
>         at sqlline.DatabaseConnection.connect(DatabaseConnection.java:165)
>         at
> sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:213)
>         at sqlline.Commands.connect(Commands.java:1083)
>         at sqlline.Commands.connect(Commands.java:1015)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at
> sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
>         at sqlline.SqlLine.dispatch(SqlLine.java:742)
>         at sqlline.SqlLine.begin(SqlLine.java:621)
>         at sqlline.SqlLine.start(SqlLine.java:375)
>         at sqlline.SqlLine.main(SqlLine.java:268)
> 1: jdbc:drill:> java.lang.NullPointerException
>         at java.util.Hashtable.put(Hashtable.java:514)
>         at sqlline.DatabaseConnection.connect(DatabaseConnection.java:165)
>         at
> sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:213)
>         at sqlline.Commands.close(Commands.java:925)
>         at sqlline.Commands.closeall(Commands.java:899)
>         at sqlline.SqlLine.begin(SqlLine.java:649)
>         at sqlline.SqlLine.start(SqlLine.java:375)
>         at sqlline.SqlLine.main(SqlLine.java:268)
>
> ​
>
> Chris Matta
> cmatta@mapr.com
> 215-701-3146
>
> On Wed, Feb 3, 2016 at 5:29 PM, John Omernik <john@omernik.com> wrote:
>
> > I updated the JIRA with the secondary Use Case and I don't think things
> > have been addressed yet.
> >
> > Chris:  The issue I see with that approach is it effectively puts your
> > credentials on display in the ps ax on the system.  (You typed your
> > password at a command line) It also puts your credentials in the
> > .bash_history.  We need a way that sqlline can get the credentials that
> > don't show them to all users, or the root user in the case of
> > .bash_history.  (See the Jira that Keys mentioned)
> >
> > https://issues.apache.org/jira/browse/DRILL-3880
> >
> > On Wed, Feb 3, 2016 at 4:24 PM, Keys Botzum <kbotzum@maprtech.com>
> wrote:
> >
> > > They are different although interestingly I think some of this has been
> > > fixed per what others here have posted. If it were me I'd
> clarify/enhance
> > > the JIRA based on what you've just learned but others may feel
> > differently.
> > >
> > > Keys
> > > _______________________________
> > > Keys Botzum
> > > Senior Principal Technologist
> > > kbotzum@maprtech.com <mailto:kbotzum@maprtech.com>
> > > 443-718-0098
> > > MapR Technologies
> > > http://www.mapr.com <http://www.mapr.com/>
> > > > On Feb 3, 2016, at 5:20 PM, John Omernik <john@omernik.com> wrote:
> > > >
> > > > LOL So I did.
> > > >
> > > > I saw them as two things. "Not putting the password at the command
> > line"
> > > > vs. Specifying the Connect string URL without user or pass and then
> > > getting
> > > > prompted... but in reality they really are the same thing aren't
> they?
> > > >
> > > >
> > > >
> > > > On Wed, Feb 3, 2016 at 4:18 PM, Keys Botzum <kbotzum@maprtech.com
> > > <mailto:kbotzum@maprtech.com>> wrote:
> > > >
> > > >> Did you already open a JIRA on this?
> > > >>
> > > >> https://issues.apache.org/jira/browse/DRILL-3880 <
> > > https://issues.apache.org/jira/browse/DRILL-3880>
> > > >>
> > > >>
> > > >> Keys
> > > >> _______________________________
> > > >> Keys Botzum
> > > >> Senior Principal Technologist
> > > >> kbotzum@maprtech.com <mailto:kbotzum@maprtech.com> <mailto:
> > > kbotzum@maprtech.com <mailto:kbotzum@maprtech.com>>
> > > >> 443-718-0098
> > > >> MapR Technologies
> > > >> http://www.mapr.com <http://www.mapr.com/> <http://www.mapr.com/
<
> > > http://www.mapr.com/>>
> > > >>> On Feb 3, 2016, at 5:14 PM, John Omernik <john@omernik.com>
wrote:
> > > >>>
> > > >>> Ya, Andries, that's effectively what I did with my script, I passed
> > the
> > > >> url
> > > >>> with -u, but without the username and password provided on the
> > command
> > > >>> line, I get an auth error.  If there truly is no way to ask for
> > > >>> username/password when providing auth string, I may open a JIRA
on
> > > that,
> > > >> I
> > > >>> think it would be a helpful feature. Right now my work around
is to
> > use
> > > >> the
> > > >>> bash script to echo out what they need to type to get into drill
:)
> > > >>>
> > > >>>
> > > >>>
> > > >>> On Wed, Feb 3, 2016 at 4:03 PM, Christopher Matta <cmatta@mapr.com
> >
> > > >> wrote:
> > > >>>
> > > >>>> The only way I know of getting sqlline to ask for a password
is to
> > run
> > > >> the
> > > >>>> !connect command after starting the shell:
> > > >>>>
> > > >>>> $ /opt/mapr/drill/drill-1.4.0/bin/sqlline
> > > >>>> apache drill 1.4.0
> > > >>>> "a drill in the hand is better than two in the bush"
> > > >>>> sqlline> !connect jdbc:drill:
> > > >>>> scan complete in 427ms
> > > >>>> Enter username for jdbc:drill:: cmatta
> > > >>>> Enter password for jdbc:drill:: **************
> > > >>>>
> > > >>>> I’m not sure how to send that string to the sqlline shell
once
> it’s
> > > >> opened
> > > >>>> though..
> > > >>>> ​
> > > >>>>
> > > >>>> Chris Matta
> > > >>>> cmatta@mapr.com
> > > >>>> 215-701-3146
> > > >>>>
> > > >>>> On Wed, Feb 3, 2016 at 4:53 PM, John Omernik <john@omernik.com>
> > > wrote:
> > > >>>>
> > > >>>>> Hey all, I am trying to "Ease" my users into using drill.
> > > >>>>>
> > > >>>>> One thing that I'd like to automate for them is the initial
> > > connection,
> > > >>>>> basically, my zk string
> > > >>>>>
> > > >>>>> jdbc:drill:zk:zknode1:5181,zknode2:5181,zknode3:5181
> > > >>>>>
> > > >>>>> Is a bit of pain, in addition, my users have to find sqlline,
so
> > what
> > > >> if
> > > >>>> I
> > > >>>>> change versions etc... my idea was to put an executable
script in
> > > >>>> /usr/sbin
> > > >>>>> named zetadrill (zeta is a nod To Mr. Scott!)
> > > >>>>>
> > > >>>>> Basically, that has the path and I hoped the connect string
so
> > users
> > > >>>> would
> > > >>>>> not have to find my sqlline, nor would they have to know/remember
> > > >>>> zookeeper
> > > >>>>> information. Ideal world: They'd type zetadrill and it
would say
> > > >> "Please
> > > >>>>> enter Username" "Please enter password" and they'd be
good to go.
> > > >>>>>
> > > >>>>> So I tried using -u flag.
> > > >>>>>
> > > >>>>> When I do that (without a username and password) it fails
out on
> > me,
> > > >>>>> basically telling me that auth failed (invalid user credentials).
> > > >>>>>
> > > >>>>> I obviously can't put a username and password in the script,
> > running
> > > >> the
> > > >>>>> connect with -u and -n (no password) results in the same
failure.
> > > >>>>>
> > > >>>>> I guess I am asking: Is there any way to provide a connection
> > string,
> > > >> and
> > > >>>>> then have sqlline prompt for credentials? This would make
the
> user
> > > exp
> > > >> so
> > > >>>>> much better.
> > > >>>>>
> > > >>>>> Thanks in advanced!
> > >
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message