This is an automated email from the ASF dual-hosted git repository.
gsaihemanth pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push:
new 08137d78fd6 HIVE-27308: Avoid exposing client keystore and truststore
passwords in the JDBC URL (#4282) (Venu Reddy, reviewed by Zhihua Deng and Sai
Hemanth Gantasala)
08137d78fd6 is described below
commit 08137d78fd62eab91b917ac1732842444bd6fa3c
Author: Venu Reddy <[email protected]>
AuthorDate: Tue May 16 22:09:50 2023 +0530
HIVE-27308: Avoid exposing client keystore and truststore passwords in the
JDBC URL (#4282) (Venu Reddy, reviewed by Zhihua Deng and Sai Hemanth Gantasala)
---
.../java/org/apache/hive/jdbc/HiveConnection.java | 11 +++---
jdbc/src/java/org/apache/hive/jdbc/Utils.java | 39 ++++++++++++++++++++++
.../hive/jdbc/ZooKeeperHiveClientHelper.java | 6 ++--
3 files changed, 47 insertions(+), 9 deletions(-)
diff --git a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
index 3865d7b530c..21c6feea50f 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
@@ -778,8 +778,7 @@ public class HiveConnection implements java.sql.Connection {
if (useSsl) {
String useTwoWaySSL =
sessConfMap.get(JdbcConnectionParams.USE_TWO_WAY_SSL);
String sslTrustStorePath =
sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
- String sslTrustStorePassword = sessConfMap.get(
- JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
+ String sslTrustStorePassword = Utils.getPassword(sessConfMap,
JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
KeyStore sslTrustStore;
SSLConnectionSocketFactory socketFactory;
SSLContext sslContext;
@@ -893,8 +892,7 @@ public class HiveConnection implements java.sql.Connection {
if (isSslConnection()) {
// get SSL socket
String sslTrustStore =
sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
- String sslTrustStorePassword = sessConfMap.get(
- JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
+ String sslTrustStorePassword = Utils.getPassword(sessConfMap,
JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
if (sslTrustStore == null || sslTrustStore.isEmpty()) {
transport = HiveAuthUtils.getSSLSocket(host, port, loginTimeout,
maxMessageSize);
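Review bot: The credential-provider lookup via `Utils.getPassword(sessConfMap, JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD)` now runs before the `sslTrustStore == null || sslTrustStore.isEmpty()` check, so a connection that uses the default SSL socket still resolves the `storePasswordPath` provider (and emits its WARN on failure) for a password it never uses. Moving the lookup below the empty check, `String sslTrustStorePassword = Utils.getPassword(sessConfMap, JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);` placed inside the `else` branch that actually loads the store, keeps provider access to the case that needs it. The same ordering appears in the keystore branch further down, where `keyStorePassword` is fetched ahead of the `keyStorePath` emptiness check. The surrounding method starts and ends outside this hunk.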
@@ -1007,7 +1005,7 @@ public class HiveConnection implements
java.sql.Connection {
JdbcConnectionParams.SUNX509_ALGORITHM_STRING,
JdbcConnectionParams.SUNJSSE_ALGORITHM_STRING);
String keyStorePath =
sessConfMap.get(JdbcConnectionParams.SSL_KEY_STORE);
- String keyStorePassword =
sessConfMap.get(JdbcConnectionParams.SSL_KEY_STORE_PASSWORD);
+ String keyStorePassword = Utils.getPassword(sessConfMap,
JdbcConnectionParams.SSL_KEY_STORE_PASSWORD);
KeyStore sslKeyStore =
KeyStore.getInstance(JdbcConnectionParams.SSL_KEY_STORE_TYPE);
if (keyStorePath == null || keyStorePath.isEmpty()) {
@@ -1022,8 +1020,7 @@ public class HiveConnection implements
java.sql.Connection {
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(
JdbcConnectionParams.SUNX509_ALGORITHM_STRING);
String trustStorePath =
sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
- String trustStorePassword = sessConfMap.get(
- JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
+ String trustStorePassword = Utils.getPassword(sessConfMap,
JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
String trustStoreType =
sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
if (trustStoreType == null || trustStoreType.isEmpty()) {
trustStoreType = KeyStore.getDefaultType();
diff --git a/jdbc/src/java/org/apache/hive/jdbc/Utils.java
b/jdbc/src/java/org/apache/hive/jdbc/Utils.java
index 765f9bde725..e6f07032e92 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/Utils.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/Utils.java
@@ -18,6 +18,7 @@
package org.apache.hive.jdbc;
+import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
@@ -31,6 +32,7 @@ import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hive.service.cli.HiveSQLException;
import org.apache.hive.service.rpc.thrift.TStatus;
@@ -188,6 +190,8 @@ public class Utils {
static final String SUNJSSE_ALGORITHM_STRING = "SunJSSE";
// --------------- End 2 way ssl options ----------------------------
+ static final String SSL_STORE_PASSWORD_PATH = "storePasswordPath";
+
private static final String HIVE_VAR_PREFIX = "hivevar:";
public static final String HIVE_CONF_PREFIX = "hiveconf:";
private String host = null;
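Review bot: `SSL_STORE_PASSWORD_PATH` is a new user-facing JDBC URL parameter but carries no comment, and its name suggests the HS2 SSL stores only while `getPassword` consults it for the ZooKeeper keystore/truststore passwords as well. A one-line comment would save the next reader a cross-file search, e.g. `// Hadoop credential-provider URI consulted for any keystore/truststore password alias not supplied in the URL (HS2 and ZooKeeper stores alike)`. It would also help to state here which alias names are expected, since callers pass the JDBC parameter name itself as the alias.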
@@ -803,4 +807,39 @@ public class Utils {
}
}
+ /**
+ * Method to get the password from the credential provider
+ * @param providerPath provider path
+ * @param key alias name
+ * @return password
+ */
+ private static String getPasswordFromCredentialProvider(String providerPath,
String key) {
+ try {
+ if (providerPath != null) {
+ Configuration conf = new Configuration();
+ conf.set("hadoop.security.credential.provider.path", providerPath);
+ char[] password = conf.getPassword(key);
+ if (password != null) {
+ return new String(password);
+ }
+ }
+ } catch(IOException exception) {
+ LOG.warn("Could not retrieve password for " + key, exception);
+ }
+ return null;
+ }
+
+ /**
+ * Method to get the password from the configuration map if available.
Otherwise, get it from the credential provider
+ * @param confMap configuration map
+ * @param key param
+ * @return password
+ */
+ public static String getPassword(Map<String, String> confMap, String key) {
+ String password = confMap.get(key);
+ if (password == null) {
+ password =
getPasswordFromCredentialProvider(confMap.get(JdbcConnectionParams.SSL_STORE_PASSWORD_PATH),
key);
+ }
+ return password;
+ }
}
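Review bot: `getPasswordFromCredentialProvider` hands the URL-supplied `storePasswordPath` straight to Hadoop via `conf.set("hadoop.security.credential.provider.path", providerPath)`, so whoever authors the JDBC URL chooses which provider URI the client opens at connect time; if the provider framework resolves remote schemes such as `jceks://hdfs/...` (not visible here), that is a filesystem access made with the caller's credentials on behalf of a possibly third-party URL, and the accepted schemes should be documented on `SSL_STORE_PASSWORD_PATH` or the lookup restricted to local stores. The `IOException` handler returns `null` after a WARN, so a misconfigured or unreadable provider is indistinguishable to callers from "no password set"; at minimum name the provider in the diagnostic, `LOG.warn("Could not retrieve password for alias {} from credential provider {}", key, providerPath, exception);`, and consider propagating the failure rather than continuing with a null password. `new String(password)` also turns the `char[]` returned by `Configuration.getPassword` into an immutable copy that can never be zeroed; clearing the array with `java.util.Arrays.fill(password, '\0')` after the copy at least bounds its lifetime. The Javadoc of `getPassword` should state that the provider alias must equal the JDBC parameter name passed as `key`, and that any non-null URL value, including an empty one, takes precedence over the provider.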
diff --git a/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
b/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
index 3d89fa223a4..70091343430 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
@@ -101,11 +101,13 @@ class ZooKeeperHiveClientHelper {
connParams.setZookeeperKeyStoreLocation(
StringUtils.defaultString(sessionConf.get(JdbcConnectionParams.ZOOKEEPER_KEYSTORE_LOCATION),
""));
connParams.setZookeeperKeyStorePassword(
-
StringUtils.defaultString(sessionConf.get(JdbcConnectionParams.ZOOKEEPER_KEYSTORE_PASSWORD),
""));
+ StringUtils.defaultString(Utils.getPassword(sessionConf,
JdbcConnectionParams.ZOOKEEPER_KEYSTORE_PASSWORD),
+ ""));
connParams.setZookeeperTrustStoreLocation(
StringUtils.defaultString(sessionConf.get(JdbcConnectionParams.ZOOKEEPER_TRUSTSTORE_LOCATION),
""));
connParams.setZookeeperTrustStorePassword(
-
StringUtils.defaultString(sessionConf.get(JdbcConnectionParams.ZOOKEEPER_TRUSTSTORE_PASSWORD),
""));
+ StringUtils.defaultString(Utils.getPassword(sessionConf,
JdbcConnectionParams.ZOOKEEPER_TRUSTSTORE_PASSWORD),
+ ""));
}
}
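Review bot: `StringUtils.defaultString(Utils.getPassword(sessionConf, ...), "")` collapses two distinct outcomes into an empty password: the parameter being absent, and `Utils.getPassword` returning `null` because the credential-provider lookup failed and was only logged. A broken `storePasswordPath` therefore degrades silently into configuring the ZooKeeper keystore and truststore with an empty password instead of failing the connection. If that degradation is intended, say so at the call site, e.g. `// null (param absent or credential-provider lookup failed) is normalised to ""`; otherwise check the result for `null` before defaulting. The enclosing method's signature lies above this hunk.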