HIVE-13044: Enable TLS encryption to HMS backend database (Reviewed by Chaoyu Tang, Yongzhi Chen)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/4df2a013 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/4df2a013 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/4df2a013 Branch: refs/heads/llap Commit: 4df2a013fa49b48ab0dcc00dba4d20ebe8126700 Parents: a4d207f Author: Aihua Xu <aihu...@apache.org> Authored: Fri Feb 12 15:18:45 2016 -0500 Committer: Aihua Xu <aihu...@apache.org> Committed: Tue Feb 23 09:39:39 2016 -0500 ---------------------------------------------------------------------- .../org/apache/hadoop/hive/conf/HiveConf.java | 7 ++++++- .../hadoop/hive/metastore/ObjectStore.java | 21 ++++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/4df2a013/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java ----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 48e8491..9cb626e 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -549,7 +549,12 @@ public class HiveConf extends Configuration { "Set this to true if multiple threads access metastore through JDO concurrently."), METASTORECONNECTURLKEY("javax.jdo.option.ConnectionURL", "jdbc:derby:;databaseName=metastore_db;create=true", - "JDBC connect string for a JDBC metastore"), + "JDBC connect string for a JDBC metastore.\n" + + "To use SSL to encrypt/authenticate the connection, provide database-specific SSL flag in the connection URL.\n" + + "For example, jdbc:postgresql://myhost/db?ssl=true for postgres database."), + METASTORE_DBACCESS_SSL_PROPS("hive.metastore.dbaccess.ssl.properties", "", + "Comma-separated SSL properties for metastore to access database when JDO connection URL\n" + + "enables SSL access. e.g. javax.net.ssl.trustStore=/tmp/truststore,javax.net.ssl.trustStorePassword=pwd."), HMSHANDLERATTEMPTS("hive.hmshandler.retry.attempts", 10, "The number of times to retry a HMSHandler call if there were a connection error."), HMSHANDLERINTERVAL("hive.hmshandler.retry.interval", "2000ms", http://git-wip-us.apache.org/repos/asf/hive/blob/4df2a013/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java ---------------------------------------------------------------------- diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java b/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java index 8d05f49..d4852b0 100644 --- a/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java +++ b/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java @@ -269,6 +269,7 @@ public class ObjectStore implements RawStore, Configurable { try { isInitialized = false; hiveConf = conf; + configureSSL(conf); Properties propsFromConf = getDataSourceProps(conf); boolean propsChanged = !propsFromConf.equals(prop); 
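Review bot: The METASTORE_DBACCESS_SSL_PROPS description does not say how the pairs are applied: ObjectStore.configureSSL in this same commit passes each one to `System.setProperty`, so they take effect JVM-wide for every TLS client in the metastore process, not only the JDO connection, and nothing in the commit clears them again. The example also places a truststore password in clear text in the Hive configuration, and because the value is split on `,` and then on `=`, a password containing either character cannot be expressed at all. Suggest extending the description with a sentence such as `"These pairs are set as JVM system properties and therefore affect all SSL connections made by the metastore process."` Since the value may carry a password, it should also be considered for `hive.conf.hidden.list` so it is masked in configuration dumps, if that mechanism applies to this property.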
@@ -354,6 +355,25 @@ public class ObjectStore implements RawStore, Configurable { } } + /** + * Configure the SSL properties of the connection from provided config + * @param conf + */ + private static void configureSSL(Configuration conf) { + // SSL support + String sslPropString = conf.get(HiveConf.ConfVars.METASTORE_DBACCESS_SSL_PROPS.varname); + if (org.apache.commons.lang.StringUtils.isNotEmpty(sslPropString)) { + LOG.info("Metastore setting SSL properties of the connection to backed DB"); + for (String sslProp : sslPropString.split(",")) { + String[] pair = sslProp.trim().split("="); + if (pair != null && pair.length == 2) { + System.setProperty(pair[0].trim(), pair[1].trim()); + } else { + LOG.warn("Invalid metastore property value for " + HiveConf.ConfVars.METASTORE_DBACCESS_SSL_PROPS); + } + } + } + } /** * Properties specified in hive-default.xml override the properties specified @@ -393,6 +413,7 @@ public class ObjectStore implements RawStore, Configurable { } } } + return prop; }
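Review bot: In configureSSL, `sslProp.trim().split("=")` with no limit rejects any pair whose value itself contains `=` (a path or password with that character yields three parts, `pair.length == 2` fails and the setting is reduced to a warning); use `String[] pair = sslProp.trim().split("=", 2);` so only the first `=` separates key from value. The `pair != null` test is always true because `String.split` never returns null, so the guard can be `if (pair.length == 2 && !pair[0].trim().isEmpty())`. The warning should identify the rejected entry by its key but must not echo the value, which may be the truststore password. The method Javadoc should also state that the pairs are applied with `System.setProperty` and therefore affect every TLS connection in the metastore JVM, not only the JDO data source.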