[ 
https://issues.apache.org/jira/browse/HIVE-27308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17718937#comment-17718937
 ] 

Venugopal Reddy K edited comment on HIVE-27308 at 5/3/23 1:38 PM:
------------------------------------------------------------------

[~leftyl] As part of this issue, I need to update the cwiki page 
[https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients]. Could 
you please help me with how I get edit access to cwiki?


was (Author: venureddy):
[~leftyl] As part of this issue, I need to update the cwiki page 
[https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients]. 
Could you please help me with how I get edit access to cwiki?

> Exposing client keystore and truststore passwords in the JDBC URL can be a 
> security concern
> -------------------------------------------------------------------------------------------
>
>                 Key: HIVE-27308
>                 URL: https://issues.apache.org/jira/browse/HIVE-27308
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Venugopal Reddy K
>            Assignee: Venugopal Reddy K
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> At present, we may have the following keystore and truststore passwords in 
> the JDBC URL.
>  # trustStorePassword
>  # keyStorePassword
>  # zooKeeperTruststorePassword
>  # zooKeeperKeystorePassword
> Exposing these passwords in the URL can be a security concern. We can hide all these 
> passwords from the JDBC URL when we protect these passwords in a local JCEKS 
> keystore file and pass the JCEKS file in the URL instead.
> 1. Leverage the hadoop credential provider 
> [Link|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html#Overview]
>  Create aliases for these passwords in a local JCE keystore like below. Store 
> all the passwords in the same JCEKS file.
> {{hadoop credential create *keyStorePassword* -value 
> FDUxmzTxW15xWoaCk6GxLlaoHjnjV9H7iHqCIDxTwoq -provider 
> localjceks://file/tmp/store/client_creds.jceks}}
> 2. Add a new option *storePasswordPath* to the JDBC URL that points to the local 
> JCE keystore file storing the password aliases. When the existing password 
> option is present in the URL, we can skip fetching that particular alias from the 
> local jceks (i.e., giving preference to the existing password option). And if the 
> password option is not present in the URL, we can fetch the password from the local 
> jceks.
> JDBC URL may look like: 
> {{beeline -u 
> "jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;{*}storePasswordPath=localjceks://file/tmp/client_creds.jceks;{*}"}}
> 3. Hive JDBC can fetch the passwords with the 
> [Configuration.getPassword|https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-]
>  API.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
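The precedence rule in steps 2 and 3 of the issue description (an explicit password option in the URL wins, otherwise the alias of the same name is read from the JCEKS named by storePasswordPath), worked through as an added example. This is hypothetical code written for this page, not Hive's JDBC driver. The four option names, the storePasswordPath option and the localjceks URI come from the issue; `Configuration.getPassword` and `CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH` are real Hadoop APIs; `parseSessionVars`, `resolvePassword` and `isPrivateToOwner` are names invented here, and the owner-only file-permission check is an addition the issue does not discuss (the JCEKS file becomes the secret, so its mode matters as much as the URL did).

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/**
 * Illustrative resolver (hypothetical, not Hive's implementation) for the
 * HIVE-27308 rule: a password given in the JDBC URL takes precedence; a missing
 * one is fetched by alias from the JCEKS file named by storePasswordPath.
 */
public class StorePasswordResolver {

    /** Option name proposed in the issue. */
    static final String STORE_PASSWORD_PATH = "storePasswordPath";

    /** Password options the issue wants to keep out of the URL (same names used as aliases). */
    static final String[] PASSWORD_OPTIONS = {
        "trustStorePassword", "keyStorePassword",
        "zooKeeperTruststorePassword", "zooKeeperKeystorePassword"
    };

    /** Parses the "k=v;k2=v2" session variables that follow the database name in a hive2 URL (assumed layout). */
    static Map<String, String> parseSessionVars(String sessionVars) {
        Map<String, String> out = new HashMap<>();
        for (String kv : sessionVars.split(";")) {
            int eq = kv.indexOf('=');
            if (eq > 0) {
                out.put(kv.substring(0, eq).trim(), kv.substring(eq + 1).trim());
            }
        }
        return out;
    }

    /** Returns the password for one option, or null if neither the URL nor the JCEKS supplies it. */
    static String resolvePassword(Map<String, String> urlParams, String option) throws IOException {
        String explicit = urlParams.get(option);
        if (explicit != null && !explicit.isEmpty()) {
            return explicit;                       // URL option wins, as the issue specifies
        }
        String providerPath = urlParams.get(STORE_PASSWORD_PATH);
        if (providerPath == null) {
            return null;                           // no fallback configured
        }
        // Configuration.getPassword consults hadoop.security.credential.provider.path
        // before falling back to a plain property; only the JCEKS provider is set here.
        Configuration conf = new Configuration(false);
        conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerPath);
        char[] pw = conf.getPassword(option);
        if (pw == null) {
            return null;                           // alias absent from the JCEKS
        }
        try {
            return new String(pw);
        } finally {
            Arrays.fill(pw, '\0');                 // do not leave a second copy of the secret around
        }
    }

    /** True when the local JCEKS carries only OWNER_* permission bits (added check, not from the issue). */
    static boolean isPrivateToOwner(String providerPath) throws IOException, URISyntaxException {
        URI uri = new URI(providerPath);           // localjceks://file/tmp/x.jceks -> path /tmp/x.jceks
        Path file = Paths.get(uri.getPath());
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        for (PosixFilePermission perm : perms) {
            if (!perm.name().startsWith("OWNER_")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Session-variable part of the URL from the issue; the JCEKS is assumed to have been
        // created beforehand with the "hadoop credential create ..." command shown there.
        String sessionVars = "retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;"
            + "httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;"
            + "storePasswordPath=localjceks://file/tmp/client_creds.jceks";
        Map<String, String> params = parseSessionVars(sessionVars);

        String providerPath = params.get(STORE_PASSWORD_PATH);
        if (providerPath != null && !isPrivateToOwner(providerPath)) {
            System.err.println("warning: " + providerPath + " is readable beyond its owner");
        }
        for (String option : PASSWORD_OPTIONS) {
            String pw = resolvePassword(params, option);
            // Never print the value; report only whether it was found and from where.
            String source = params.containsKey(option) ? "URL" : (pw != null ? "JCEKS" : "none");
            System.out.println(option + ": " + source);
        }
    }
}
```

The resolver deliberately builds a `Configuration` with `loadDefaults=false` so that the only credential provider consulted is the one named in the URL, which keeps a misconfigured core-site.xml from silently changing where client passwords come from.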
