[ https://issues.apache.org/jira/browse/IMPALA-12380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17789904#comment-17789904 ]

Wenzhe Zhou edited comment on IMPALA-12380 at 12/4/23 7:18 PM:
---------------------------------------------------------------

Table property "dbcp.password" is the JDBC password in clear text. This parameter 
is strongly discouraged. The recommended way is to store the password in a Java 
keystore file. See the section “securing password” in 
https://cwiki.apache.org/confluence/display/Hive/JDBC+Storage+Handler#JDBCStorageHandler-SecuringPassword.
We need to protect the keystore file by authorizing only targeted users to read 
this file using an authorizer (such as Ranger). Impala will check the permission 
of the keystore file to make sure the user has read permission on it.
Hive code reference:
https://github.com/apache/hive/blob/master/jdbc-handler/src/main/java/org/apache/hive/storage/jdbc/conf/JdbcStorageConfigManager.java#L85-L111
https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/exec/Utilities.java#L4984-L5010

Use the Hadoop CredentialProvider API 
(https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html)
to create a jceks key, store the passwords in it, and reference them in 
Impala configuration flag variables (or environment variables). The keystore 
will be stored on HDFS (or Ozone or S3) so that it is accessible to all 
Impala coordinator nodes.


was (Author: wzhou):
Table property "dbcp.password" is the JDBC password in clear text. This parameter 
is strongly discouraged. The recommended way is to store the password in a Java 
keystore file. See the section “securing password” in 
https://cwiki.apache.org/confluence/display/Hive/JDBC+Storage+Handler#JDBCStorageHandler-SecuringPassword.
We need to protect the keystore file by authorizing only targeted users to read 
this file using an authorizer (such as Ranger). Impala will check the permission 
of the keystore file to make sure the user has read permission on it.
Hive code reference:
https://github.com/apache/hive/blob/master/jdbc-handler/src/main/java/org/apache/hive/storage/jdbc/conf/JdbcStorageConfigManager.java#L85-L111
https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/exec/Utilities.java#L4984-L5010

Hadoop CredentialProvider API: 
https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html

> Securing dbcp.password for JDBC external data source
> ----------------------------------------------------
>
>                 Key: IMPALA-12380
>                 URL: https://issues.apache.org/jira/browse/IMPALA-12380
>             Project: IMPALA
>          Issue Type: Sub-task
>            Reporter: Wenzhe Zhou
>            Assignee: gaurav singh
>            Priority: Major
>
> In the first patch of JDBC external data source 
> (https://gerrit.cloudera.org/#/c/17842/) 
> "dbcp.password" is provided as clear text in the table property. We should 
> allow users to store the password in a Java keystore file on HDFS and protect the 
> keystore file for the authorized users.
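
The keystore lookup described in the comment above, as an added example that is not part of the original message or of Impala's code: it resolves a JDBC password from a JCEKS keystore through the Hadoop CredentialProvider API with clear-text fallback disabled. The class name, the `resolve` helper, and the keystore URI and alias passed on the command line are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Arrays;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

// Hypothetical helper, not Impala or Hive code.
// The keystore entry is assumed to have been created beforehand, e.g.:
//   hadoop credential create <alias> -provider jceks://hdfs/<path-to-keystore>.jceks
public class JdbcPasswordResolver {

  /** Returns the password stored under `alias` in the keystore at `keystoreUri`. */
  static char[] resolve(String keystoreUri, String alias) throws IOException {
    Configuration conf = new Configuration();
    // Point the credential provider framework at the keystore (HDFS, Ozone or S3 URI).
    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, keystoreUri);
    // Without this, getPassword() silently falls back to a clear-text
    // config value of the same name when the alias is not in the keystore.
    conf.setBoolean("hadoop.security.credential.clear-text-fallback", false);

    char[] password = conf.getPassword(alias);
    if (password == null) {
      throw new IOException("alias '" + alias + "' not found in " + keystoreUri);
    }
    return password;
  }

  public static void main(String[] args) throws IOException {
    if (args.length != 2) {
      System.err.println("usage: JdbcPasswordResolver <jceks-uri> <alias>");
      System.exit(2);
    }
    char[] password = resolve(args[0], args[1]);
    try {
      // Hand the password to the JDBC connection pool here; never log it.
      System.out.println("resolved password of length " + password.length);
    } finally {
      // Clear the secret from memory once it is no longer needed.
      Arrays.fill(password, '\0');
    }
  }
}
```

The read succeeds only if the calling process can read the keystore file, so the file permissions or authorizer policy on that path are what actually protect the password.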


