Morio Ramdenbourg created HIVE-21083:
----------------------------------------
Summary: Remove the requirement to specify the truststore file location when TLS to the database is turned on
Key: HIVE-21083
URL: https://issues.apache.org/jira/browse/HIVE-21083
Project: Hive
Issue Type: Improvement
Components: Metastore, Standalone Metastore
Affects Versions: 4.0.0
Reporter: Morio Ramdenbourg
Assignee: Morio Ramdenbourg

[ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382]
throws an exception if TLS to the database is turned on
(_metastore.dbaccess.ssl.use.SSL_) but a truststore file location
(_metastore.dbaccess.ssl.truststore.path_) is not specified.

However, according to the [JSSE (Java 8)
documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization],
the Java truststore file location system property (_javax.net.ssl.trustStore_)
defaults to using the "_jssecacerts_, if it exists. Otherwise, _cacerts_"
files. These are the default truststores that come with the Java installation
and contain a list of well-known certificate authorities.

One valid way of supplying certificates to trust is by appending to these
default files. In that case, no config changes (other than turning SSL on) are
necessary. We should support this case by changing the following logic to
remove the requirement for the truststore file location config property:
{code:java}
String trustStorePath = MetastoreConf.getVar(conf, ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
if (trustStorePath.isEmpty()) {
  throw new IllegalArgumentException("SSL to the database store has been enabled but " +
      ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
      + "Set this property to enable SSL.");
}
{code}
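
An added example, not Hive's code or the eventual patch: a sketch of the relaxed check described above, in which an empty truststore path falls through to the JSSE default lookup (_jssecacerts_, then _cacerts_) and a startup check reports how many CAs that default actually trusts. The class and method names are hypothetical, and setting _javax.net.ssl.trustStore_ from the configured path is an assumption about how the value is consumed.

```java
import java.io.File;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreFallbackDemo {
  static final String TRUSTSTORE_PROP = "javax.net.ssl.trustStore";

  /** Hypothetical helper: returns the truststore file JSSE will consult. */
  static String applyTrustStoreConfig(String configuredPath) {
    String path = configuredPath == null ? "" : configuredPath.trim();
    if (!path.isEmpty()) {
      // An explicit path must still be valid; a typo should fail fast.
      if (!new File(path).isFile()) {
        throw new IllegalArgumentException("Truststore file not found: " + path);
      }
      System.setProperty(TRUSTSTORE_PROP, path); // assumption: value is passed to JSSE this way
      return path;
    }
    // Empty config: leave the system property untouched and let JSSE decide.
    String preset = System.getProperty(TRUSTSTORE_PROP);
    if (preset != null && !preset.isEmpty()) {
      return preset;
    }
    File securityDir = new File(System.getProperty("java.home"), "lib/security");
    File jssecacerts = new File(securityDir, "jssecacerts");
    return (jssecacerts.exists() ? jssecacerts : new File(securityDir, "cacerts")).getPath();
  }

  /** Counts the CA certificates accepted by the default trust managers. */
  static int countTrustedIssuers() throws Exception {
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null); // null = use the JSSE default truststore
    int count = 0;
    for (TrustManager tm : tmf.getTrustManagers()) {
      if (tm instanceof X509TrustManager) {
        count += ((X509TrustManager) tm).getAcceptedIssuers().length;
      }
    }
    return count;
  }

  public static void main(String[] args) throws Exception {
    String effective = applyTrustStoreConfig(""); // constructed input: property left unset
    System.out.println("Effective truststore: " + effective);
    System.out.println("Trusted CA certificates: " + countTrustedIssuers());
  }
}
```

Logging the effective truststore path and issuer count at startup makes it visible when the metastore is relying on the JVM-wide default rather than a dedicated truststore.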