[jira] [Commented] (HIVE-16089) "trustStorePassword" is logged as part of jdbc connection url

Mon, 06 Mar 2017 09:21:11 -0800 

    [ 
https://issues.apache.org/jira/browse/HIVE-16089?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15897680#comment-15897680
 ] 

Sebastian Fröhlich commented on HIVE-16089:
-------------------------------------------

[~zsombor.klara],
Thank you for the information. This is helpful.
It would be great if you could bring the fix also down to Hive 1.1.x as a 
security fix. Not many commercial Hadoop vendors using Hive 1.2.1 in their 
commercial Hadoop distributions. So the upgrade to Hive 1.2.1+ is not a real 
option for us.
But maybe this issue will be fixed separately in the impacted commercial 
distributed Hive versions.

> "trustStorePassword" is logged as part of jdbc connection url
> -------------------------------------------------------------
>
>                 Key: HIVE-16089
>                 URL: https://issues.apache.org/jira/browse/HIVE-16089
>             Project: Hive
>          Issue Type: Bug
>          Components: JDBC
>    Affects Versions: 1.1.0
>            Reporter: Sebastian Fröhlich
>              Labels: security
>
> h5. General Story
> The use case is to connect via the Apache Hive JDBC driver to a Hive where 
> SSL encryption is enabled.
> It was required to set the ssl-trust store password property 
> {{trustStorePassword}} in the jdbc connection url.
> If the property is passed via "properties" parameter into 
> {{Driver.connect(url, properties)}} this will not recognized.
> h5. Log message
> {code}
> 2017-03-03 09:57:58,385 [INFO] [InputInitializer {Map for sheets:[import] 
> (fce7cd11-d489-4a13-a3a9-4c81d2907c87)} #0] 
> |jdbc.Utils|: Resolved authority: <hostname>:<port>
> 2017-03-03 09:57:58,539 [INFO] [InputInitializer {Map for sheets:[import] 
> (fce7cd11-d489-4a13-a3a9-4c81d2907c87)} #0] |jdbc.HiveConnection|: Will try 
> to open client transport with JDBC Uri: 
> jdbc:hive2://<hostname>:<port>/;ssl=true;sslTrustStore=/tmp/hs2keystore.jks;trustStorePassword=<password>
> {code}
> E.g. produced by code {{org.apache.hive.jdbc.HiveConnection#openTransport()}}
> h5. Suggested Behavior
> The property {{trustStorePassword}} could be part of the "properties" 
> parameter. This way the password is not part of the JDBC connection url.
> h5. Acceptance Criteria
> The ssl trust store password should not be logged as part of the JDBC 
> connection string.
> Support the trust store password via the properties parameter within connect.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to