[HIVE-20544] TOpenSessionReq logs password and username - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.0.0
Fix Version/s: 4.0.0-alpha-1
Component/s: Hive
Labels:
- beginner
- patch
- security

Target Version/s:

4.0.0
Flags:

Patch, Important

Description

In service-rpc/src/gen/thrift/gen-javabean/org/apache/hive/service/rpc/thrift/TOpenSessionReq, if client protocol is unset, validate() and toString() prints both username and password to logs.

Logging a password is a security risk. We should hide the *******.

=====Edit===== (no longer relevant, see comments)

This issue is tricky since it is caused in a fully generated class. I've been playing around and have found one working solution, butI'd truly appreciate ideas for a more elegant solution or input.

The problem:
TCLIService.thrift is the template for generating all classes in service-rpc. Struct TOpenSessionReq is OpenSession()'s one parameter and is defined thus:

struct TOpenSessionReq {
  1: required TProtocolVersion client_protocol = TProtocolVersion.HIVE_CLI_SERVICE_PROTOCOL_V10
  2: optional string username
  3: optional string password
  4: optional map<string, string> configuration
}

In the generated class TOpenSessionReq.java, client_protocol is checked by a validate() method, which is called quite a few times; if client_protocol is not set, it throws a TProtocolException, passing along a toString(). This toString() gets the names and values of all fields, including username and password.

Working solution:

Create a separate struct containing only the username and password, and pass it to OpenSession() as a second parameter. Since all fields in the new struct are "optional", the generated validate() is empty – toString() is never used. This involves changing core classes and breaks the "Each function should take exactly one parameter" coding convention (detailed at service-rpc/if/TCLIService.thrift:27).
See working-solution.patch.

What doesn't work:

Making client_protocol optional instead of required. Apparently this will break everything.
Overwriting toString() – TOpenSessionReq is a struct.
Creating two Thrift structs, one struct for required (TRequiredReq) and one for optional (TOptionalReq) fields, and nesting them in struct TOpenSessionReq. This doesn't work because validate() in TOpenSessionReq can call TOptionalReq.toString(), which prints the password to logs. This will happen if TRequiredReq.client_protocol isn't set.
See non-solution.patch
Asking Thrift devs to change their code. I wrote them an email but have no expectations.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

working-solution.patch
18/Sep/18 08:55
160 kB
Karen Coppage
non-solution.patch
18/Sep/18 08:53
170 kB
Karen Coppage
HIVE-20544.patch
13/Sep/18 09:31
0.7 kB
Karen Coppage
HIVE-20544.4.patch
26/Sep/18 18:11
7 kB
Karen Coppage
HIVE-20544.4.patch
27/Sep/18 09:21
7 kB
Karen Coppage
HIVE-20544.4.patch
28/Sep/18 15:37
7 kB
Karen Coppage
HIVE-20544.4.patch
30/Sep/18 12:20
7 kB
Karen Coppage
HIVE-20544.4.patch
01/Oct/18 08:21
7 kB
Karen Coppage
HIVE-20544.4.patch
02/Oct/18 11:45
7 kB
Karen Coppage
HIVE-20544.3.patch
24/Sep/18 13:45
5 kB
Karen Coppage
HIVE-20544.3.patch
24/Sep/18 14:03
5 kB
Karen Coppage
HIVE-20544.2.patch
21/Sep/18 15:25
4 kB
Karen Coppage
HIVE-20544.1.patch
13/Sep/18 10:10
0.7 kB
Karen Coppage

Issue Links

links to

Review Board

Activity

People

Assignee:: Karen Coppage

Reporter:: Karen Coppage

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 12/Sep/18 16:05

Updated:: 17/Nov/22 08:54

Resolved:: 04/Oct/18 16:56