VenuReddy2103 commented on code in PR #6476:
URL: https://github.com/apache/hive/pull/6476#discussion_r3232437774


##########
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/utils/SecurityUtils.java:
##########
@@ -319,18 +341,23 @@ public static TServerSocket getServerSSLSocket(String 
hiveHost, int portNum, Str
 
   public static TTransport getSSLSocket(String host, int port, int 
socketTimeout, int connectionTimeout,
       String trustStorePath, String trustStorePassWord, String trustStoreType,
-      String trustStoreAlgorithm) throws TTransportException {
-    TSSLTransportFactory.TSSLTransportParameters params =
-        new TSSLTransportFactory.TSSLTransportParameters();
-    String tStoreType = trustStoreType.isEmpty()? KeyStore.getDefaultType() : 
trustStoreType;
-    String tStoreAlgorithm = trustStoreAlgorithm.isEmpty()?
-        TrustManagerFactory.getDefaultAlgorithm() : trustStoreAlgorithm;
-    params.setTrustStore(trustStorePath, trustStorePassWord,
-        tStoreAlgorithm, tStoreType);
-    params.requireClientAuth(true);
+      String trustStoreAlgorithm, String[] includeProtocols, String[] 
cipherSuites) throws TTransportException {
+    TSSLTransportFactory.TSSLTransportParameters params = 
getSSLTransportParameters(false,
+        trustStorePath, trustStorePassWord,
+        trustStoreAlgorithm.isEmpty() ? 
TrustManagerFactory.getDefaultAlgorithm() : trustStoreAlgorithm,
+        trustStoreType.isEmpty() ? KeyStore.getDefaultType() : trustStoreType,
+        cipherSuites);
     // The underlying SSLSocket object is bound to host:port with the given 
SO_TIMEOUT and
     // connection timeout and SSLContext created with the given params
     TSocket tSSLSocket = TSSLTransportFactory.getClientSocket(host, port, 
socketTimeout, params);
+    if (includeProtocols.length > 0) {
+      SSLSocket sslSocket = (SSLSocket) (tSSLSocket.getSocket());
+      Set<String> includeProtocolsLowerCase = 
Arrays.stream(includeProtocols).map(String::toLowerCase)
+          .collect(Collectors.toSet());
+      String[] enabledProtocols = 
Arrays.stream(sslSocket.getSupportedProtocols())
+          .filter(protocol -> 
includeProtocolsLowerCase.contains(protocol.toLowerCase())).toArray(String[]::new);
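Review bot: The filter that builds `enabledProtocols` silently drops every configured name the JVM does not support, so a typo or an unavailable version in `includeProtocols` can leave the array empty or narrower than intended with no signal to the operator. The quote ends before the array is used, so this may already be handled below; if it is not, fail closed right after the filter, e.g. `if (enabledProtocols.length == 0) { throw new TTransportException("None of the configured SSL protocols are supported: " + Arrays.toString(includeProtocols)); }`, rather than letting the socket keep its default protocol set. `includeProtocols.length` is also dereferenced without a null check, so a caller with no protocol list has to pass an empty array, which deserves a line in the method's Javadoc. The body of getSSLSocket continues outside the quoted hunk.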

Review Comment:
   done


