Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
Description
At present, we may have the following keystore and truststore passwords in the JDBC URL.
- trustStorePassword
- keyStorePassword
- zooKeeperTruststorePassword
- zooKeeperKeystorePassword
Exposing these passwords in URL can be a security concern. Can hide all these passwords from JDBC URL when we protect these passwords in a local JCEKS keystore file and pass the JCEKS file to URL instead.
1. Leverage the hadoop credential provider Link Create aliases for these passwords in a local JCE keystore like below. Store all the passwords in the same JCEKS files.
hadoop credential create keyStorePassword -value FDUxmzTxW15xWoaCk6GxLlaoHjnjV9H7iHqCIDxTwoq -provider localjceks://file/tmp/store/client_creds.jceks
2. Add a new option storePasswordPath to JDBC URL that point to the local JCE keystore file storing the password aliases. When the existing password option is present in URL, can ignore to fetch that particular alias from local jceks(i.e., giving preference to existing password option). And if password option is not present in URL, can fetch the password from local jceks.
JDBC URL may look like:
beeline -u "jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;storePasswordPath=localjceks://file/tmp/client_creds.jceks;"
3. Hive JDBC can fetch the passwords with Configuration.getPassword API
Attachments
Issue Links
- relates to
-
HIVE-27271 Client connection to HS2 fails when transportMode=http, ssl=true, sslTrustStore specified without trustStorePassword in the JDBC URL
- Closed
- links to