Morio Ramdenbourg created HIVE-21047:
----------------------------------------
Summary: Read the HMS backend database password and truststore password during PersistenceManagerFactory initialization time
Key: HIVE-21047
URL: https://issues.apache.org/jira/browse/HIVE-21047
Project: Hive
Issue Type: Improvement
Components: Standalone Metastore
Affects Versions: 4.0.0
Reporter: Morio Ramdenbourg

This was pointed out by [~vihangk1] as part of the review for
[HIVE-20992|https://issues.apache.org/jira/browse/HIVE-20992].

As part of the redaction of the _javax.jdo.option.ConnectionPassword_ and
_metastore.dbaccess.ssl.truststore.password_ properties, they both use the
[Hadoop Credential Provider API|https://hadoop.apache.org/docs/r3.1.1/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html]
to prevent the passwords from being stored in plain text.

However, these are both being read in during every new database connection
initialization in
[setConf()|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L198-L247]
in ObjectStore, thereby calling the expensive decrypt every time despite these
values almost never changing.

We should instead move these reads into the PersistenceManagerFactory
[initPMF()|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/PersistenceManagerProvider.java#L227-L273]
method and cache their values so they are only read once when the HMS starts.
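The resolve-once pattern the issue proposes, as an added example that is not Hive code and not part of the original report. `SecretCache` and the resolver function are hypothetical stand-ins for the credential provider lookup, and the secret values are constructed.

```java
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

// Added illustration, not Hive code. All class and method names are hypothetical.
public class CachedSecretsDemo {

    /** Resolves each secret once and reuses it for every later connection setup. */
    static final class SecretCache {
        // Stand-in for the expensive credential provider read and decrypt.
        private final Function<String, char[]> resolver;
        private final Map<String, char[]> cache = new ConcurrentHashMap<>();

        SecretCache(Function<String, char[]> resolver) {
            this.resolver = resolver;
        }

        // computeIfAbsent invokes the resolver at most once per key, even when
        // several threads initialize connections at the same time.
        char[] get(String key) {
            return cache.computeIfAbsent(key, resolver).clone(); // caller gets a copy
        }

        // Zero and drop the cached secrets, for shutdown or a deliberate reload.
        void clear() {
            cache.values().forEach(v -> Arrays.fill(v, '\0'));
            cache.clear();
        }
    }

    public static void main(String[] args) {
        AtomicInteger decrypts = new AtomicInteger();
        SecretCache secrets = new SecretCache(key -> {
            decrypts.incrementAndGet(); // counts how often the costly path runs
            return ("constructed-secret-for-" + key).toCharArray();
        });
        String[] keys = {
            "javax.jdo.option.ConnectionPassword",
            "metastore.dbaccess.ssl.truststore.password"
        };
        for (int conn = 0; conn < 1000; conn++) {  // simulated connection initializations
            for (String k : keys) {
                char[] pw = secrets.get(k);
                Arrays.fill(pw, '\0');             // caller wipes its copy after use
            }
        }
        System.out.println("connections=1000 decrypts=" + decrypts.get());
        secrets.clear();
    }
}
```

With a cache like this, a rotated password is not picked up until the process restarts or the cache is cleared, and the decrypted value stays in heap memory for the life of the process.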