Re: Review Request 69534: HIVE-20992: Split the property "hive.metastore.dbaccess.ssl.properties" into more coherent and user-friendly properties.

Thu, 13 Dec 2018 17:26:18 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69534/
-----------------------------------------------------------

(Updated Dec. 14, 2018, 1:25 a.m.)


Review request for hive, Adam Holley, Karthik Manamcheri, Peter Vary, and 
Vihang Karajgaonkar.


Bugs: HIVE-20992
    https://issues.apache.org/jira/browse/HIVE-20992


Repository: hive-git


Description
-------

The following new properties were added:

1. metastore.dbaccess.use.SSL (hive.metastore.dbaccess.use.SSL)
2. javax.net.ssl.trustStore
3. javax.net.ssl.trustStorePassword
4. javax.net.ssl.trustStoreType

This was in an effort to guide the user towards an easier SSL
configuration experience. This is the minimum requirement to set up SSL
encryption to the HMS backend store.

This also solves the issue of the truststore password being stored in
plain text. It can now be encrypted by default and loaded through the
MetastoreConf.getPassword() method which handles secure password access

The property "hive.metastore.dbaccess.ssl.properties" is now
deprecated, but it will still be kept for backwards-compatibility purposes.

Modified comments to clearly reflect what is / is not deprecated


Diffs
-----

  
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java
 e25a8cf9a19d78c0cc00bb2e5e0abee4d851ad98 
  
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java
 e598a43e4dc2d2a2c25886ae7cbafd29b47c1f24 
  
standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestObjectStore.java
 0cf113c927f2274d085e07cd72921fb35227e1f3 


Diff: https://reviews.apache.org/r/69534/diff/4/


Testing (updated)
-------

Tests:
1. Unit tests were added to cover the functionality of configuring the Java 
system properties.
2. Performed some manual and sanity tests to ensure that SSL was still 
configurable to a remote DB. I performed these on MySQL, PostgreSQL, Oracle, 
and Derby DB by creating generic DB hosts and setting them up with SSL. Once 
SSL was set up, I triggered the metastore to perform database calls, and 
captured packets using tcpdump. I then uploaded my packet captures to 
Wireshark, and ensured that none of the data was human-readable.


Thanks,

Morio Ramdenbourg

Reply via email to