  1. Hive
  2. HIVE-21083

Remove the requirement to specify the truststore location when TLS to the database is turned on


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0.0
    • Fix Version/s: 4.0.0
    • Labels:
      None

      Description

      In the current implementation, ObjectStore.configureSSL throws an exception if TLS to the database is turned on (metastore.dbaccess.ssl.use.SSL) but a truststore file location (metastore.dbaccess.ssl.truststore.path) is not specified.

      However, according to the JSSE (Java 8) documentation, the Java truststore file location system property (javax.net.ssl.trustStore) defaults to using the "jssecacerts, if it exists. Otherwise, cacerts" files. These are the default truststores that come with the Java installation and contain a list of well-known certificate authorities.

      It was identified that one valid way of configuring TLS is by adding to these default files. In that case, no changes to the truststore properties are necessary. We should support this case by changing the following logic to remove the requirement for the truststore file location config property:

      String trustStorePath = MetastoreConf.getVar(conf,
          ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
      if (trustStorePath.isEmpty()) {
        throw new IllegalArgumentException("SSL to the database store has been enabled but "
            + ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
            + "Set this property to enable SSL.");
      }

      We should also loosen the requirement on the truststore password if the user decides to use the Java defaults.
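
One way the relaxed check could look, together with the default lookup order JSSE documents (jssecacerts, then cacerts, under <java-home>/lib/security). This is an added example, not code from the issue or from Hive's patch; the class name, method names and the sample truststore path are hypothetical, and it writes to a Properties object instead of the JVM system properties so it has no side effects.

```java
import java.io.File;
import java.util.Properties;

// Hypothetical helper, not Hive's ObjectStore code: applies truststore
// settings only when configured, otherwise leaves the JSSE defaults alone.
public class TruststoreFallbackDemo {

  /** Sets javax.net.ssl.* properties only for values that were configured. */
  static void configureSsl(Properties target, String trustStorePath, String trustStorePassword) {
    String path = trustStorePath == null ? "" : trustStorePath.trim();
    String password = trustStorePassword == null ? "" : trustStorePassword;
    if (!path.isEmpty()) {
      target.setProperty("javax.net.ssl.trustStore", path);
    }
    if (!password.isEmpty()) {
      target.setProperty("javax.net.ssl.trustStorePassword", password);
    }
  }

  /** Returns the file JSSE will read: explicit path, else jssecacerts, else cacerts. */
  static File effectiveTrustStore(Properties props) {
    String explicit = props.getProperty("javax.net.ssl.trustStore");
    if (explicit != null && !explicit.isEmpty()) {
      return new File(explicit);
    }
    File securityDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
    File jssecacerts = new File(securityDir, "jssecacerts");
    return jssecacerts.exists() ? jssecacerts : new File(securityDir, "cacerts");
  }

  public static void main(String[] args) {
    // Constructed inputs: an empty path (the case this issue wants to allow)
    // and an explicit path (sample value, not a real deployment path).
    String[] configuredPaths = {"", "/etc/hive/conf/metastore-truststore.jks"};
    for (String configured : configuredPaths) {
      Properties props = new Properties();
      configureSsl(props, configured, "");
      File store = effectiveTrustStore(props);
      System.out.println("configured='" + configured + "' -> JSSE reads " + store
          + (store.exists() ? "" : " (missing)"));
    }
  }
}
```

Logging the effective truststore at startup makes it visible when the database connection is relying on the JVM-wide CA set rather than a dedicated store.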

        Attachments

        1. HIVE-21083.patch
          7 kB
          Morio Ramdenbourg
        2. HIVE-21083.4.patch
          15 kB
          Morio Ramdenbourg
        3. HIVE-21083.2.patch
          8 kB
          Morio Ramdenbourg

              People

              • Assignee:
                mramdenbourg Morio Ramdenbourg
                Reporter:
                mramdenbourg Morio Ramdenbourg
              • Votes:
                0
                Watchers:
                2
