VenuReddy2103 opened a new pull request, #4282: URL: https://github.com/apache/hive/pull/4282
### What changes were proposed in this pull request? Added a new property `storePasswordPath` to JDBC URL that point to the local JCE keystore file storing the password aliases. When an existing password property is present in URL, ignores to fetch that particular alias from local jceks(i.e., giving preference to existing password property). And if password property is not present in URL, fetches the password from local jceks file specified in `storePasswordPath` property. Hive JDBC can obtains the passwords with [Configuration.getPassword](https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-) API to read the password from jceks file. JDBC URL would look like - `beeline -u "jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;**storePasswordPath=localjceks://file/tmp/client_creds.jceks;**"` ### Why are the changes needed? At present, we may have trustStorePassword, keyStorePassword, zooKeeperTruststorePassword, zooKeeperKeystorePassword passwords in the JDBC URL. Exposing these passwords in URL can be a security concern. We can hide all these passwords from JDBC URL when we protect these passwords in a local JCEKS keystore file and pass the JCEKS file path to URL instead. ### Does this PR introduce _any_ user-facing change? Optional `storePasswordPath` property is supported in JDBC URL. Existing `trustStorePassword, keyStorePassword, zooKeeperTruststorePassword, zooKeeperKeystorePassword` properties continue to exist and are supported in JDBC URL without any change in their behavior. When password(s) and storePasswordPath properties are present in URL, password(s) property is preferred. `storePasswordPath` property is effective only when password(s) property is not in JDBC URL. ### How was this patch tested? Tested manually -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
