[jira] [Comment Edited] (IMPALA-12380) Securing dbcp.password for JDBC external data source

Sun, 26 Nov 2023 20:40:07 -0800 


    [ 
https://issues.apache.org/jira/browse/IMPALA-12380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17789904#comment-17789904
 ] 

Wenzhe Zhou edited comment on IMPALA-12380 at 11/27/23 4:39 AM:
----------------------------------------------------------------

Table property "dbcp.password" is jdbc password in clear text. This parameter 
is strongly discouraged. The recommended way is to store the password in a Java 
keystore file. See the section “securing password” in 
https://cwiki.apache.org/confluence/display/Hive/JDBC+Storage+Handler#JDBCStorageHandler-SecuringPassword.
We need to protect the keystore file by only authorize targeted user to read 
this file using authorizer (such as Ranger). Impala will check the permission 
of the keystore file to make sure user has read permission of it.
Hive code reference:
https://github.com/apache/hive/blob/master/jdbc-handler/src/main/java/org/apache/hive/storage/jdbc/conf/JdbcStorageConfigManager.java#L85-L111
https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/exec/Utilities.java#L4984-L5010


was (Author: wzhou):
Table property "dbcp.password" is jdbc password in clear text. This parameter 
is strongly discouraged. The recommended way is to store the password in a Java 
keystore file. See the section “securing password” in 
https://cwiki.apache.org/confluence/display/Hive/JDBC+Storage+Handler#JDBCStorageHandler-SecuringPassword.
We need to protect the keystore file by only authorize targeted user to read 
this file using authorizer (such as Ranger). Impala will check the permission 
of the keystore file to make sure user has read permission of it.
Hive code reference: 
https://github.com/apache/hive/blob/master/jdbc-handler/src/main/java/org/apache/hive/storage/jdbc/conf/JdbcStorageConfigManager.java#L85-L111

> Securing dbcp.password for JDBC external data source
> ----------------------------------------------------
>
>                 Key: IMPALA-12380
>                 URL: https://issues.apache.org/jira/browse/IMPALA-12380
>             Project: IMPALA
>          Issue Type: Sub-task
>            Reporter: Wenzhe Zhou
>            Assignee: gaurav singh
>            Priority: Major
>
> In the first patch of JDBC external data source 
> (https://gerrit.cloudera.org/#/c/17842/) 
> "dbcp.password" is provided as clear text in the table property. We should 
> allow user to store password in a Java keystore file on HDFS and protect the 
> keystore file for the authorized users.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to