This is an automated email from the ASF dual-hosted git repository.

gsaihemanth pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 08137d78fd6 HIVE-27308: Avoid exposing client keystore and truststore 
passwords in the JDBC URL (#4282) (Venu Reddy, reviewed by Zhihua Deng and Sai 
Hemanth Gantasala)
08137d78fd6 is described below

commit 08137d78fd62eab91b917ac1732842444bd6fa3c
Author: Venu Reddy <[email protected]>
AuthorDate: Tue May 16 22:09:50 2023 +0530

    HIVE-27308: Avoid exposing client keystore and truststore passwords in the 
JDBC URL (#4282) (Venu Reddy, reviewed by Zhihua Deng and Sai Hemanth Gantasala)
---
 .../java/org/apache/hive/jdbc/HiveConnection.java  | 11 +++---
 jdbc/src/java/org/apache/hive/jdbc/Utils.java      | 39 ++++++++++++++++++++++
 .../hive/jdbc/ZooKeeperHiveClientHelper.java       |  6 ++--
 3 files changed, 47 insertions(+), 9 deletions(-)

diff --git a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java 
b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
index 3865d7b530c..21c6feea50f 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
@@ -778,8 +778,7 @@ public class HiveConnection implements java.sql.Connection {
     if (useSsl) {
       String useTwoWaySSL = 
sessConfMap.get(JdbcConnectionParams.USE_TWO_WAY_SSL);
       String sslTrustStorePath = 
sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
-      String sslTrustStorePassword = sessConfMap.get(
-        JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
+      String sslTrustStorePassword = Utils.getPassword(sessConfMap, 
JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
       KeyStore sslTrustStore;
       SSLConnectionSocketFactory socketFactory;
       SSLContext sslContext;
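Review bot: `Utils.getPassword` is called for the truststore password here and again in the three later hunks of this file (the lines at 50, 64 and 79), and whenever the URL omits the password each call builds a fresh Hadoop `Configuration` and reopens the credential provider, so one connection can pay that I/O several times. Resolving the truststore and keystore passwords once per connection and handing the values to these sites would avoid the repeated provider lookups without changing behaviour. Null handling is not changed by the commit, so a password absent from both the URL and the provider still arrives here as `null`, presumably as the pre-existing code already tolerated; worth confirming against the keystore load that follows. The enclosing method starts and ends outside this hunk.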
@@ -893,8 +892,7 @@ public class HiveConnection implements java.sql.Connection {
     if (isSslConnection()) {
       // get SSL socket
       String sslTrustStore = 
sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
-      String sslTrustStorePassword = sessConfMap.get(
-        JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
+      String sslTrustStorePassword = Utils.getPassword(sessConfMap, 
JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
 
       if (sslTrustStore == null || sslTrustStore.isEmpty()) {
         transport = HiveAuthUtils.getSSLSocket(host, port, loginTimeout, 
maxMessageSize);
@@ -1007,7 +1005,7 @@ public class HiveConnection implements 
java.sql.Connection {
         JdbcConnectionParams.SUNX509_ALGORITHM_STRING,
         JdbcConnectionParams.SUNJSSE_ALGORITHM_STRING);
       String keyStorePath = 
sessConfMap.get(JdbcConnectionParams.SSL_KEY_STORE);
-      String keyStorePassword = 
sessConfMap.get(JdbcConnectionParams.SSL_KEY_STORE_PASSWORD);
+      String keyStorePassword = Utils.getPassword(sessConfMap, 
JdbcConnectionParams.SSL_KEY_STORE_PASSWORD);
       KeyStore sslKeyStore = 
KeyStore.getInstance(JdbcConnectionParams.SSL_KEY_STORE_TYPE);
 
       if (keyStorePath == null || keyStorePath.isEmpty()) {
@@ -1022,8 +1020,7 @@ public class HiveConnection implements 
java.sql.Connection {
       TrustManagerFactory trustManagerFactory = 
TrustManagerFactory.getInstance(
         JdbcConnectionParams.SUNX509_ALGORITHM_STRING);
       String trustStorePath = 
sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE);
-      String trustStorePassword = sessConfMap.get(
-        JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
+      String trustStorePassword = Utils.getPassword(sessConfMap, 
JdbcConnectionParams.SSL_TRUST_STORE_PASSWORD);
       String trustStoreType = 
sessConfMap.get(JdbcConnectionParams.SSL_TRUST_STORE_TYPE);
       if (trustStoreType == null || trustStoreType.isEmpty()) {
         trustStoreType = KeyStore.getDefaultType();
diff --git a/jdbc/src/java/org/apache/hive/jdbc/Utils.java 
b/jdbc/src/java/org/apache/hive/jdbc/Utils.java
index 765f9bde725..e6f07032e92 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/Utils.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/Utils.java
@@ -18,6 +18,7 @@
 
 package org.apache.hive.jdbc;
 
+import java.io.IOException;
 import java.net.InetAddress;
 import java.net.URI;
 import java.net.UnknownHostException;
@@ -31,6 +32,7 @@ import java.util.Properties;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hive.service.cli.HiveSQLException;
 import org.apache.hive.service.rpc.thrift.TStatus;
@@ -188,6 +190,8 @@ public class Utils {
     static final String SUNJSSE_ALGORITHM_STRING = "SunJSSE";
    // --------------- End 2 way ssl options ----------------------------
 
+    static final String SSL_STORE_PASSWORD_PATH = "storePasswordPath";
+
     private static final String HIVE_VAR_PREFIX = "hivevar:";
     public static final String HIVE_CONF_PREFIX = "hiveconf:";
     private String host = null;
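Review bot: The new `SSL_STORE_PASSWORD_PATH` constant introduces a JDBC URL parameter but carries no comment saying what value it expects, whereas the neighbouring two-way SSL options sit under a labelled banner. A one-line comment such as `// JDBC URL param: Hadoop credential provider path consulted for store passwords that are not given in the URL` would tell a reader where passwords come from without having to read Utils.getPassword. The enclosing class body continues outside this hunk.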
@@ -803,4 +807,39 @@ public class Utils {
     }
   }
 
+  /**
+   * Method to get the password from the credential provider
+   * @param providerPath provider path
+   * @param key alias name
+   * @return password
+   */
+  private static String getPasswordFromCredentialProvider(String providerPath, 
String key) {
+    try {
+      if (providerPath != null) {
+        Configuration conf = new Configuration();
+        conf.set("hadoop.security.credential.provider.path", providerPath);
+        char[] password = conf.getPassword(key);
+        if (password != null) {
+          return new String(password);
+        }
+      }
+    } catch(IOException exception) {
+      LOG.warn("Could not retrieve password for " + key, exception);
+    }
+    return null;
+  }
+
+  /**
+   * Method to get the password from the configuration map if available. 
Otherwise, get it from the credential provider
+   * @param confMap configuration map
+   * @param key param
+   * @return password
+   */
+  public static String getPassword(Map<String, String> confMap, String key) {
+    String password = confMap.get(key);
+    if (password == null) {
+      password = 
getPasswordFromCredentialProvider(confMap.get(JdbcConnectionParams.SSL_STORE_PASSWORD_PATH),
 key);
+    }
+    return password;
+  }
 }
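Review bot: `conf.getPassword(key)` on a freshly built `Configuration` does not consult only the provider: when no provider holds the alias, Hadoop falls back to a clear-text property of the same name from whatever core-site.xml is on the client classpath (governed by `hadoop.security.credential.clear-text-fallback`, which defaults to true), so a clear-text `sslTrustStorePassword` entry there would be picked up silently. If only the provider should be trusted, add `conf.setBoolean("hadoop.security.credential.clear-text-fallback", false);` after the provider path is set. The `char[]` returned by `getPassword` is copied into a String and then left in memory; `java.util.Arrays.fill(password, '\0');` after the copy is a cheap improvement, even though the String copy itself is unavoidable given the `Map<String, String>` callers. The Javadoc `@param key param` should state that `key` serves both as the URL parameter name and as the alias looked up in the provider, e.g. `@param key URL parameter name, also used as the credential provider alias`.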
diff --git a/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java 
b/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
index 3d89fa223a4..70091343430 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/ZooKeeperHiveClientHelper.java
@@ -101,11 +101,13 @@ class ZooKeeperHiveClientHelper {
       connParams.setZookeeperKeyStoreLocation(
           
StringUtils.defaultString(sessionConf.get(JdbcConnectionParams.ZOOKEEPER_KEYSTORE_LOCATION),
 ""));
       connParams.setZookeeperKeyStorePassword(
-          
StringUtils.defaultString(sessionConf.get(JdbcConnectionParams.ZOOKEEPER_KEYSTORE_PASSWORD),
 ""));
+          StringUtils.defaultString(Utils.getPassword(sessionConf, 
JdbcConnectionParams.ZOOKEEPER_KEYSTORE_PASSWORD),
+              ""));
       connParams.setZookeeperTrustStoreLocation(
           
StringUtils.defaultString(sessionConf.get(JdbcConnectionParams.ZOOKEEPER_TRUSTSTORE_LOCATION),
 ""));
       connParams.setZookeeperTrustStorePassword(
-          
StringUtils.defaultString(sessionConf.get(JdbcConnectionParams.ZOOKEEPER_TRUSTSTORE_PASSWORD),
 ""));
+          StringUtils.defaultString(Utils.getPassword(sessionConf, 
JdbcConnectionParams.ZOOKEEPER_TRUSTSTORE_PASSWORD),
+              ""));
     }
   }
 
