Re: [PR] HIVE-28838: Remove sensitive jdbc properties from JdbcStorageHandler tables [hive]

Tue, 25 Mar 2025 18:55:01 -0700 


zhangbutao commented on code in PR #5709:
URL: https://github.com/apache/hive/pull/5709#discussion_r2013270251


##########
ql/src/java/org/apache/hadoop/hive/ql/plan/PlanUtils.java:
##########
@@ -1230,7 +1229,12 @@ public static Class<? extends AbstractSerDe> 
getDefaultSerDe() {
     return LazySimpleSerDe.class;
   }
 
-  private static final String[] FILTER_OUT_FROM_EXPLAIN = {TABLE_IS_CTAS};
+  private static final String[] FILTER_OUT_FROM_EXPLAIN = {
+          TABLE_IS_CTAS,
+          HIVE_SQL_JDBC_USERNAME,
+          HIVE_SQL_JDBC_PASSWORD,

Review Comment:
   > `describe formatted` / `show create table` also displays the password in 
plain text. I don't think it's covered here.
   
   Yes, This PR mainly focuses on removing sensitive information in `explain`. 
However, it does not handle the `show create table `for jdbc storage handler 
tables. Currently, sensitive information can still be seen in `show create 
table`.
   
   For example, if you create a mysql jdbc handler table in Hive, and then 
`show create table` to check its TBLPROPERTIES, you will still can see its 
password` "hive.sql.dbcp.password" = "passwd"`.
   ```
   CREATE EXTERNAL TABLE jdbc_mysql_table
   (
    id int
   )
   STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
   TBLPROPERTIES (
                   "hive.sql.database.type" = "MYSQL",
                   "hive.sql.jdbc.driver" = "com.mysql.jdbc.Driver",
                   "hive.sql.jdbc.url" = "jdbc:mysql://127.0.0.1:3306/testdb",
                   "hive.sql.dbcp.username" = "root",
                   "hive.sql.dbcp.password" = "passwd",
                   "hive.sql.table" = "testmysql"
   );
   ```
   
   `show create table`  is the main use case that I am focusing on. BTW, we 
will check which MySQL database this table belongs to through the JDBC URL 
(`hive.sql.jdbc.url)`. This is also the reason why I think the JDBC URL should 
be retained.
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For additional commands, e-mail: gitbox-h...@hive.apache.org

Reply via email to