John Omernik created DRILL-3880:
-----------------------------------
Summary: sqlline does not allow for a password prompt - security issue
Key: DRILL-3880
URL: https://issues.apache.org/jira/browse/DRILL-3880
Project: Apache Drill
Issue Type: Improvement
Components: Client - CLI
Affects Versions: 1.1.0
Reporter: John Omernik
Fix For: Future

When authentication is enabled in Drill, and using sqlline, there is no way to
get the sqlline client to prompt for a password. The only option is to specify
the password at the command line (-n user -p password) or to log in and then
connect.

This is a security risk, in that now the .bash_history contains the user's
password, defeating accountability on the system. Hive and MySQL both allow
for a -p flag with no value to trigger a prompt for the password that is not
logged by .bash_history.

One workaround is to connect after starting sqlline; however, if the sqlline
command offers a way to specify the username/password, we should do it in a way
that doesn't violate security principles.
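
Added example, not part of the original issue and not Drill or sqlline code: a small audit that finds sqlline invocations in a shell history file where a password follows -p, reporting the line number and user with the value redacted. It assumes a plain bash history format (one command per line); the function name and the sample lines are constructed for illustration.

```python
import shlex

# Constructed sample history (not taken from a real system).
SAMPLE_HISTORY = """\
ls -l /opt/drill
sqlline -u jdbc:drill:zk=localhost:2181 -n alice -p S3cret!
bin/sqlline -u jdbc:drill:zk=localhost:2181 -n bob
mysql -u carol -p
/opt/drill/bin/sqlline -n dave -p 'two words' -u jdbc:drill:zk=zk1:2181
"""


def find_exposed(history_text):
    """Return (line_no, user, redacted_command) for every sqlline call
    that carries a password value after -p (hypothetical helper)."""
    findings = []
    for line_no, line in enumerate(history_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line)
        except ValueError:
            # Unbalanced quotes: cannot be tokenised, so it is skipped here.
            # Review such lines by hand.
            continue
        # Only lines whose command is sqlline (with or without a path).
        if not tokens or tokens[0].rsplit("/", 1)[-1] != "sqlline":
            continue
        user, exposed = None, False
        for i in range(len(tokens) - 1):
            if tokens[i] == "-n":
                user = tokens[i + 1]
            elif tokens[i] == "-p" and not tokens[i + 1].startswith("-"):
                # A value follows -p: the password was typed on the command
                # line. Replace it so the report does not repeat the secret.
                tokens[i + 1] = "REDACTED"
                exposed = True
        if exposed:
            findings.append((line_no, user, shlex.join(tokens)))
    return findings


if __name__ == "__main__":
    for line_no, user, command in find_exposed(SAMPLE_HISTORY):
        print(f"line {line_no}: password for {user!r} on command line: {command}")
```

Any account reported this way should have its password rotated, since the value has already been written to disk in clear text.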