diff --git standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java
index 75f0c0a356..6b52172ee8 100644
--- standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java
+++ standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java
@@ -461,18 +461,21 @@ public static ConfVars getMetaConf(String name) {
 // If DBACCESS_USE_SSL is false, then all other DBACCESS_SSL_* properties will be ignored
 DBACCESS_SSL_TRUSTSTORE_PASSWORD("metastore.dbaccess.ssl.truststore.password", "hive.metastore.dbaccess.ssl.truststore.password", "",
 "Password for the Java truststore file that is used when encrypting the connection to the database store. \n"
+ + "metastore.dbaccess.ssl.use.SSL must be set to true for this property to take effect. \n"
 + "This directly maps to the javax.net.ssl.trustStorePassword Java system property. \n"
- + "While Java does allow an empty truststore password, we highly recommend against this. \n"
- + "An empty password can compromise the integrity of the truststore file."),
+ + "It is inadvisable to specify the password in a way that exposes it to discovery by other users."),
 DBACCESS_SSL_TRUSTSTORE_PATH("metastore.dbaccess.ssl.truststore.path", "hive.metastore.dbaccess.ssl.truststore.path", "",
 "Location on disk of the Java truststore file to use when encrypting the connection to the database store. \n"
+ + "This file consists of a collection of certificates trusted by the metastore server. \n"
+ + "metastore.dbaccess.ssl.use.SSL must be set to true for this property to take effect. \n"
 + "This directly maps to the javax.net.ssl.trustStore Java system property. \n"
- + "This file consists of a collection of certificates trusted by the metastore server.\n"),
+ + "If one is not specified, then the default Java truststore file (jssecacerts, if it exists. Otherwise, cacerts) will be used instead."),
 DBACCESS_SSL_TRUSTSTORE_TYPE("metastore.dbaccess.ssl.truststore.type", "hive.metastore.dbaccess.ssl.truststore.type", "jks",
 new StringSetValidator("jceks", "jks", "dks", "pkcs11", "pkcs12"),
 "File type for the Java truststore file that is used when encrypting the connection to the database store. \n"
+ + "metastore.dbaccess.ssl.use.SSL must be set to true for this property to take effect. \n"
 + "This directly maps to the javax.net.ssl.trustStoreType Java system property. \n"
- + "Types jceks, jks, dks, pkcs11, and pkcs12 can be read from Java 8 and beyond. We default to jks. \n"),
+ + "Types jceks, jks, dks, pkcs11, and pkcs12 can be read from Java 8 and beyond. Defaults to jks."),
 DBACCESS_USE_SSL("metastore.dbaccess.ssl.use.SSL", "hive.metastore.dbaccess.ssl.use.SSL", false,
 "Set this to true to use SSL encryption to the database store."),
diff --git standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java
index 9f721243c9..233e05f8db 100644
--- standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java
+++ standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java
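Review bot: In MetastoreConf.java, the new DBACCESS_SSL_TRUSTSTORE_PASSWORD description warns against exposing the password but does not say how to avoid it, although the comment in ObjectStore.configureSSL says MetastoreConf.getPassword() can read it through the Hadoop CredentialProvider API. The description could name that mechanism, for example `+ "Prefer supplying it through the Hadoop CredentialProvider API rather than in plain text in the configuration file."`. The DBACCESS_SSL_TRUSTSTORE_PATH text could also state that the default Java truststore presumably trusts far more certificate authorities than a dedicated truststore for the database would.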
@@ -355,25 +355,19 @@ private static void configureSSL(Configuration conf) {
 try {
 LOG.info("Setting SSL properties to connect to the database store");
 String trustStorePath = MetastoreConf.getVar(conf, ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
- if (trustStorePath.isEmpty()) {
- throw new IllegalArgumentException("SSL to the database store has been enabled but " + ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
- + "Set this property to enable SSL.");
+ // Specifying a truststore location is not necessary. If one is not provided, then the default Java truststore will be used instead.
+ if (!trustStorePath.isEmpty()) {
+ System.setProperty(TRUSTSTORE_PATH_KEY, trustStorePath);
 }
 // If the truststore password has been configured and redacted properly using the Hadoop CredentialProvider API, then
 // MetastoreConf.getPassword() will securely decrypt it. Otherwise, it will default to being read in from the
 // configuration file in plain text.
 String trustStorePassword = MetastoreConf.getPassword(conf, ConfVars.DBACCESS_SSL_TRUSTSTORE_PASSWORD);
- if (trustStorePassword.isEmpty()) {
- LOG.warn("SSL has been enabled but " + ConfVars.DBACCESS_SSL_TRUSTSTORE_PASSWORD.toString() + " is empty. "
- + "It is highly recommended to set this property. An empty truststore password could compromise the integrity of the truststore file. "
- + "Arbitrary certificates could be placed into the truststore, thereby potentially exposing an attack vector to this application."
- + "Continuing with SSL enabled.");
+ if (!trustStorePassword.isEmpty()) {
+ System.setProperty(TRUSTSTORE_PASSWORD_KEY, trustStorePassword);
 }
 // Already validated in MetaStoreConf
 String trustStoreType = MetastoreConf.getVar(conf, ConfVars.DBACCESS_SSL_TRUSTSTORE_TYPE);
-
- System.setProperty(TRUSTSTORE_PATH_KEY, trustStorePath);
- System.setProperty(TRUSTSTORE_PASSWORD_KEY, trustStorePassword);
 System.setProperty(TRUSTSTORE_TYPE_KEY, trustStoreType);
 } catch (IOException e) {
 throw new RuntimeException("Failed to set the SSL properties to connect to the database store.", e);
diff --git standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestObjectStore.java standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestObjectStore.java
index 29738ba19b..277c325ad2 100644
--- standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestObjectStore.java
+++ standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestObjectStore.java
@@ -1075,15 +1075,6 @@ public void testDeprecatedConfigIsOverwritten() {
 setAndCheckSSLProperties(true, "/tmp/truststore.jks", "password", "jks");
 }
- /**
- * Ensure that an empty trustStore path in metastore.dbaccess.ssl.truststore.path (hive.metastore.dbaccess.ssl.truststore.path)
- * throws an IllegalArgumentException.
- */
- @Test(expected = IllegalArgumentException.class)
- public void testEmptyTrustStorePath() {
- setAndCheckSSLProperties(true, "", "password", "jks");
- }
-
 /**
 * Helper method for setting and checking the SSL configuration parameters.
 */
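Review bot: In ObjectStore.configureSSL the empty-path and empty-password cases now do nothing at all: no log line is written, and the JVM-wide system property behind `TRUSTSTORE_PATH_KEY` or `TRUSTSTORE_PASSWORD_KEY` is left as it was, so a value set earlier in the same process stays in force and the log no longer shows which truststore the database connection trusts. An `else` branch such as `LOG.info(ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH + " is not set; falling back to the JVM default truststore");` would make the fallback visible, and the password branch could log that a truststore loaded without a password is not integrity-checked. `TRUSTSTORE_TYPE_KEY` is still set unconditionally, so the configured type (default `jks`) is applied to the default truststore as well; it is worth confirming that this loads on every supported JDK. The test hunk in TestObjectStore.java removes `testEmptyTrustStorePath` without adding a case that covers the new empty-path fallback. configureSSL begins and ends outside the hunk.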