[ 
https://issues.apache.org/jira/browse/HIVE-29606?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Venugopal Reddy K updated HIVE-29606:
-------------------------------------
    Description: 
*[Background]*
Currently, HiveServer2 supports explicit SSL include cipher suite 
configurations. However, the Hive Metastore lacks specific properties to 
explicitly include or restrict allowed SSL protocols and cipher suites.
To improve security posture and allow administrators to enforce modern 
cryptographic standards (e.g., forcing TLS 1.2+ or specific high-strength 
ciphers), we should introduce the following configuration properties to HMS. 
1. {{hive.metastore.include.protocols}}: A comma-separated list of allowed 
SSL/TLS protocols (e.g., {{TLSv1.2}}, {{TLSv1.3}}).

2. {{hive.metastore.include.ciphersuites}}: A colon-separated list of 
allowed SSL cipher suites (e.g., 
TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_AES_256_GCM_SHA384).

These properties should be applied when the Metastore is started in SSL mode.
 
*[Proposal]*

1. Add {{hive.metastore.include.protocols}} and 
{{hive.metastore.include.ciphersuites}} to the HMS.

2. Initialize with these configurations on SSL sockets.

  was:
*[Background]*
Currently, HiveServer2 supports explicit SSL include cipher suite 
configurations. However, the Hive Metastore lacks specific properties to 
explicitly include or restrict allowed SSL protocols and cipher suites.
To improve security posture and allow administrators to enforce modern 
cryptographic standards (e.g., forcing TLS 1.2+ or specific high-strength 
ciphers), we should introduce the following configuration properties to HMS.

{{1. hive.metastore.include.protocols}}: A comma-separated list of allowed 
SSL/TLS protocols (e.g., {{TLSv1.2}}, {{TLSv1.3}}).

{{2. hive.metastore.include.ciphersuites}}: A colon-separated list of 
allowed SSL cipher suites (e.g., 
TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_AES_256_GCM_SHA384).

These properties should be applied when the Metastore is started in SSL mode.
 
*[Proposal]*

1. Add {{hive.metastore.include.protocols}} and 
{{hive.metastore.include.ciphersuites}} to the HMS.

2. Initialize with these configurations on SSL sockets.


> Support SSL include protocols and cipher suites for Hive Metastore
> ------------------------------------------------------------------
>
>                 Key: HIVE-29606
>                 URL: https://issues.apache.org/jira/browse/HIVE-29606
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore, Security, Standalone Metastore
>            Reporter: Venugopal Reddy K
>            Priority: Major
>
> *[Background]*
> Currently, HiveServer2 supports explicit SSL include cipher suite 
> configurations. However, the Hive Metastore lacks specific properties to 
> explicitly include or restrict allowed SSL protocols and cipher suites.
> To improve security posture and allow administrators to enforce modern 
> cryptographic standards (e.g., forcing TLS 1.2+ or specific high-strength 
> ciphers), we should introduce the following configuration properties to HMS. 
> 1. {{hive.metastore.include.protocols}}: A comma-separated list of 
> allowed SSL/TLS protocols (e.g., {{TLSv1.2}}, {{TLSv1.3}}).
> 2. {{hive.metastore.include.ciphersuites}}: A colon-separated list of 
> allowed SSL cipher suites (e.g., 
> TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_AES_256_GCM_SHA384).
> These properties should be applied when the Metastore is started in SSL mode.
>  
> *[Proposal]*
> 1. Add {{hive.metastore.include.protocols}} and 
> {{hive.metastore.include.ciphersuites}} to the HMS.
> 2. Initialize with these configurations on SSL sockets.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
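
The following is an added example, not code from the issue or from the Hive project: one way include lists in the two formats described above could be applied to a JSSE server socket. The class name, the select helper and the sample values are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class IncludeListDemo {
    // Hypothetical helper: keep only the configured names the JVM supports,
    // preserving the configured order.
    static String[] select(String configured, String separator, String[] supported) {
        List<String> known = Arrays.asList(supported);
        List<String> chosen = new ArrayList<>();
        for (String name : configured.split(separator)) {
            String n = name.trim();
            if (n.isEmpty()) continue;
            if (known.contains(n)) chosen.add(n);
            else System.err.println("ignoring unsupported entry: " + n);
        }
        // Fail closed: an include list that matches nothing must not
        // silently fall back to the JVM defaults.
        if (chosen.isEmpty()) {
            throw new IllegalArgumentException("no supported entry in: " + configured);
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values in the formats the issue describes.
        String protocols = "TLSv1.2,TLSv1.3"; // comma-separated
        String ciphers = "TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_AES_256_GCM_SHA384"; // colon-separated

        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Port 0 binds an ephemeral port; no handshake is performed in this demo.
        try (SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0)) {
            socket.setEnabledProtocols(select(protocols, ",", socket.getSupportedProtocols()));
            socket.setEnabledCipherSuites(select(ciphers, ":", socket.getSupportedCipherSuites()));
            System.out.println("protocols: " + Arrays.toString(socket.getEnabledProtocols()));
            System.out.println("ciphers:   " + Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

Entries disabled through the JVM's jdk.tls.disabledAlgorithms security property are still refused at handshake time even when they appear in an include list.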
