hive-issues mailing list archives

From Sebastian Fröhlich (JIRA) <j...@apache.org>
Subject [jira] [Commented] (HIVE-16089) "trustStorePassword" is logged as part of jdbc connection url
Date Mon, 06 Mar 2017 17:20:33 GMT

    [ https://issues.apache.org/jira/browse/HIVE-16089?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15897680#comment-15897680 ]

Sebastian Fröhlich commented on HIVE-16089:
-------------------------------------------

[~zsombor.klara],
Thank you for the information. This is helpful.
It would be great if you could bring the fix also down to Hive 1.1.x as a security fix. Not
many commercial Hadoop vendors are using Hive 1.2.1 in their commercial Hadoop distributions.
So the upgrade to Hive 1.2.1+ is not a real option for us.
But maybe this issue will be fixed separately in the impacted commercial distributed Hive
versions.

> "trustStorePassword" is logged as part of jdbc connection url
> -------------------------------------------------------------
>
>                 Key: HIVE-16089
>                 URL: https://issues.apache.org/jira/browse/HIVE-16089
>             Project: Hive
>          Issue Type: Bug
>          Components: JDBC
>    Affects Versions: 1.1.0
>            Reporter: Sebastian Fröhlich
>              Labels: security
>
> h5. General Story
> The use case is to connect via the Apache Hive JDBC driver to a Hive where SSL encryption is enabled.
> It was required to set the ssl-trust store password property {{trustStorePassword}} in the jdbc connection url.
> If the property is passed via "properties" parameter into {{Driver.connect(url, properties)}} this will not be recognized.
> h5. Log message
> {code}
> 2017-03-03 09:57:58,385 [INFO] [InputInitializer {Map for sheets:[import] (fce7cd11-d489-4a13-a3a9-4c81d2907c87)} #0] |jdbc.Utils|: Resolved authority: <hostname>:<port>
> 2017-03-03 09:57:58,539 [INFO] [InputInitializer {Map for sheets:[import] (fce7cd11-d489-4a13-a3a9-4c81d2907c87)} #0] |jdbc.HiveConnection|: Will try to open client transport with JDBC Uri: jdbc:hive2://<hostname>:<port>/;ssl=true;sslTrustStore=/tmp/hs2keystore.jks;trustStorePassword=<password>
> {code}
> E.g. produced by code {{org.apache.hive.jdbc.HiveConnection#openTransport()}}
> h5. Suggested Behavior
> The property {{trustStorePassword}} could be part of the "properties" parameter. This way the password is not part of the JDBC connection url.
> h5. Acceptance Criteria
> The ssl trust store password should not be logged as part of the JDBC connection string.
> Support the trust store password via the properties parameter within connect.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
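
One way to meet the first acceptance criterion is to mask secret parameters before the connection URL reaches the logger. This is an added example, not code from the Hive project or from this thread: the class name `JdbcUrlRedactor`, the rule that any parameter whose name contains "password" is a secret, and the sample host and password are assumptions made for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper (not part of the Hive JDBC driver). */
public final class JdbcUrlRedactor {

    // Assumption: parameters in a hive2 URL are key=value pairs introduced by
    // ';', '?' or '#', and any key containing "password" (any case) is secret.
    private static final Pattern SECRET_PARAM = Pattern.compile(
        "(?i)(?<=[;?#])([^;?#=]*password[^;?#=]*)=([^;?#]*)");

    private JdbcUrlRedactor() {}

    /** Returns the URL with the value of every password-like parameter masked. */
    public static String redact(String url) {
        if (url == null) {
            return null;
        }
        Matcher m = SECRET_PARAM.matcher(url);
        // Keep the parameter name so the log line stays useful for debugging.
        return m.replaceAll("$1=***");
    }

    public static void main(String[] args) {
        // Constructed sample URL modelled on the log line in the report.
        String url = "jdbc:hive2://hs2.example.test:10000/;ssl=true;"
            + "sslTrustStore=/tmp/hs2keystore.jks;trustStorePassword=s3cret";

        String safe = redact(url);
        System.out.println(
            "Will try to open client transport with JDBC Uri: " + safe);

        // Fail loudly if the secret survived redaction.
        if (safe.contains("s3cret")) {
            throw new AssertionError("secret leaked into log line");
        }
        // Non-secret parameters must be left untouched.
        if (!safe.contains("sslTrustStore=/tmp/hs2keystore.jks")) {
            throw new AssertionError("non-secret parameter was altered");
        }
    }
}
```

Redacting at the logging call site only covers that one message; the URL can still appear in exception text or in callers' own logs, which is why the report also asks for the password to be accepted through the `properties` parameter.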
