[ https://issues.apache.org/jira/browse/HIVE-20992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Morio Ramdenbourg reassigned HIVE-20992: ---------------------------------------- > Split the config "hive.metastore.dbaccess.ssl.properties" into more > meaningful configs > -------------------------------------------------------------------------------------- > > Key: HIVE-20992 > URL: https://issues.apache.org/jira/browse/HIVE-20992 > Project: Hive > Issue Type: Improvement > Components: Metastore, Security, Standalone Metastore > Affects Versions: 4.0.0 > Reporter: Morio Ramdenbourg > Assignee: Morio Ramdenbourg > Priority: Minor > Original Estimate: 168h > Remaining Estimate: 168h > > HIVE-13044 brought in the ability to enable TLS encryption from the HMS > Service to the HMSDB by configuring the following two properties: > # _javax.jdo.option.ConnectionURL_: JDBC connect string for a JDBC > metastore. To use SSL to encrypt/authenticate the connection, provide > database-specific SSL flag in the connection URL. (E.g. > "jdbc:postgresql://myhost/db?ssl=true") > # _hive.metastore.dbaccess.ssl.properties_: Comma-separated SSL properties > for metastore to access database when JDO connection URL. (E.g. > javax.net.ssl.trustStore=/tmp/truststore,javax.net.ssl.trustStorePassword=pwd) > However, the latter configuration option is opaque and poses some problems. > The most glaring of which is it takes in _any_ > [java.lang.System|https://docs.oracle.com/javase/7/docs/api/java/lang/System.html] > system property, whether it is > [TLS-related|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization] > or not. This can cause some unintended side-effects for other components of > the HMS, especially if it overrides an already-set system property. If the > user truly wishes to add an unrelated Java property, setting it statically > using the "-D" option of the _java_ command is more appropriate. > I propose we split _hive.metastore.dbaccess.ssl.properties_ into the > following properties: > * *_hive.metastore.dbaccess.ssl.use.SSL_* - Set this to true to use TLS > encryption from the HMS Service to the HMSDB > * *_hive.metastore.dbaccess.ssl.truststore.path_* - TLS truststore file > location > * *_hive.metastore.dbaccess.ssl.truststore.password_* - Password of the > truststore file > We should guide the user towards an easier TLS configuration experience. This > is the minimum requirement to configure TLS to the HMSDB. If we need other > options, such as the keystore location/password for dual-authentication, then > we can add those on afterwards. > Also, document these changes - > [javax.jdo.option.ConnectionURL|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-javax.jdo.option.ConnectionURL] > does not have up-to-date documentation, and these new parameters will need > documentation as well. > Note "TLS" refers to both SSL and TLS. TLS is simply the successor of SSL. -- This message was sent by Atlassian JIRA (v7.6.3#76005)