[
https://issues.apache.org/jira/browse/IMPALA-12380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17789904#comment-17789904
]
Wenzhe Zhou edited comment on IMPALA-12380 at 12/4/23 6:11 PM:
---------------------------------------------------------------
Table property "dbcp.password" is jdbc password in clear text. This parameter
is strongly discouraged. The recommended way is to store the password in a Java
keystore file. See the section “securing password” in
https://cwiki.apache.org/confluence/display/Hive/JDBC+Storage+Handler#JDBCStorageHandler-SecuringPassword.
We need to protect the keystore file by only authorize targeted user to read
this file using authorizer (such as Ranger). Impala will check the permission
of the keystore file to make sure user has read permission of it.
Hive code reference:
https://github.com/apache/hive/blob/master/jdbc-handler/src/main/java/org/apache/hive/storage/jdbc/conf/JdbcStorageConfigManager.java#L85-L111
https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/exec/Utilities.java#L4984-L5010
Hadopp CredentialProvider API:
https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html
was (Author: wzhou):
Table property "dbcp.password" is jdbc password in clear text. This parameter
is strongly discouraged. The recommended way is to store the password in a Java
keystore file. See the section “securing password” in
https://cwiki.apache.org/confluence/display/Hive/JDBC+Storage+Handler#JDBCStorageHandler-SecuringPassword.
We need to protect the keystore file by only authorize targeted user to read
this file using authorizer (such as Ranger). Impala will check the permission
of the keystore file to make sure user has read permission of it.
Hive code reference:
https://github.com/apache/hive/blob/master/jdbc-handler/src/main/java/org/apache/hive/storage/jdbc/conf/JdbcStorageConfigManager.java#L85-L111
https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/exec/Utilities.java#L4984-L5010
> Securing dbcp.password for JDBC external data source
> ----------------------------------------------------
>
> Key: IMPALA-12380
> URL: https://issues.apache.org/jira/browse/IMPALA-12380
> Project: IMPALA
> Issue Type: Sub-task
> Reporter: Wenzhe Zhou
> Assignee: gaurav singh
> Priority: Major
>
> In the first patch of JDBC external data source
> (https://gerrit.cloudera.org/#/c/17842/)
> "dbcp.password" is provided as clear text in the table property. We should
> allow user to store password in a Java keystore file on HDFS and protect the
> keystore file for the authorized users.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
