[jira] [Commented] (HIVE-11555) Beeline sends password in clear text if we miss -ssl=true flag in the connect string
[ https://issues.apache.org/jira/browse/HIVE-11555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16017435#comment-16017435 ]

Shawn Lavelle commented on HIVE-11555:

I think ... plaintext passwords should *never* be sent across the wire

> Beeline sends password in clear text if we miss -ssl=true flag in the connect
> string
>
> Key: HIVE-11555
> URL: https://issues.apache.org/jira/browse/HIVE-11555
> Project: Hive
> Issue Type: Bug
> Components: Beeline
> Affects Versions: 1.2.0
> Reporter: bharath v
> Assignee: Junjie Chen
>
> {code}
> I used tcpdump to display the network traffic:
> [root@fe01 ~]# beeline
> Beeline version 0.13.1-cdh5.3.2 by Apache Hive
> beeline> !connect jdbc:hive2://fe01.sectest.poc:10000/default
> Connecting to jdbc:hive2://fe01.sectest.poc:10000/default
> Enter username for jdbc:hive2://fe01.sectest.poc:10000/default: tdaranyi
> Enter password for jdbc:hive2://fe01.sectest.poc:10000/default: *
> (I entered "cleartext" as the password)
>
> The tcpdump in a different window
> tdara...@fe01.sectest.poc:~$ sudo tcpdump -n -X -i lo port 10000
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
> (...)
> 10:25:16.329974 IP 192.168.32.102.54322 > 192.168.32.102.ndmp: Flags [P.],
> seq 11:35, ack 1, win 512, options [nop,nop,TS val 2412851969 ecr
> 2412851969], length 24
> 0x0000: 4500 004c 3dd3 4000 4006 3abc c0a8 2066 E..L=.@.@.:f
> 0x0010: c0a8 2066 d432 2710 714c 0edc b45c 9268 ...f.2'.qL...\.h
> 0x0020: 8018 0200 c25b 0000 0101 080a 8fd1 3301 .[3.
> 0x0030: 8fd1 3301 0500 0000 1300 7464 6172 616e ..3...tdaran
> 0x0040: 7969 0063 6c65 6172 7465 7874 yi.cleartext
> (...)
> {code}
>
> We rely on the user supplied configuration to decide whether to open an SSL
> socket or a Plain one. Instead we can negotiate this information from the HS2
> and connect accordingly.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Commented] (HIVE-11555) Beeline sends password in clear text if we miss -ssl=true flag in the connect string
[ https://issues.apache.org/jira/browse/HIVE-11555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15411128#comment-15411128 ]

Junjie Chen commented on HIVE-11555:

Hi [~thejas] [~bharathv]

Not sure what needs to be done here. But I tried to connect to mysql without the useSSL option, and it shows the following:

WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.

So I would propose to employ the same policy as mysql. Are you OK with this? Or were you asking to build a secure way on http, like SASL?
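As an added example, not Hive's own code, here is the MySQL-style policy Junjie describes applied to a hive2 JDBC connection string: TLS unless explicitly disabled, and a warning whenever the choice leaves credentials or the server identity unprotected. The URL layout (`;key=value` session parameters after the database name) and the `ssl` / `sslTrustStore` parameter names follow the Hive JDBC driver; the decision function, its three outcomes and its warning text are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class SslDecision:
    use_ssl: bool                 # open a TLS socket to HiveServer2 rather than a plain one
    verify_server: bool           # check the server certificate against a truststore
    warnings: Tuple[str, ...]     # what the client should print before connecting


def hive2_session_params(url: str) -> Dict[str, str]:
    """Return the ';key=value' session parameters of a hive2 JDBC URL.

    Layout handled: jdbc:hive2://host:port/db;k=v;k2=v2?hiveconf...#hivevar...
    Text after '?' or '#' is Hive configuration, not session parameters, so it is dropped.
    """
    prefix = "jdbc:hive2://"
    if not url.startswith(prefix):
        raise ValueError("not a hive2 JDBC URL")
    rest = url[len(prefix):].split("?", 1)[0].split("#", 1)[0]
    _authority, _, path = rest.partition("/")
    params: Dict[str, str] = {}
    for kv in path.split(";")[1:]:        # element [0] is the database name
        key, _, value = kv.partition("=")
        if key.strip():
            params[key.strip()] = value.strip()
    return params


def decide_ssl(params: Dict[str, str]) -> SslDecision:
    """Assumed secure-by-default policy, modelled on the MySQL warning quoted above.

    ssl unset  -> TLS anyway, but without server identity verification, plus a warning
    ssl=false  -> the only way to get a plaintext socket; warn that credentials are exposed
    ssl=true   -> TLS with certificate verification (sslTrustStore or the JVM default store)
    """
    ssl = params.get("ssl", "").strip().lower()
    if ssl == "":
        return SslDecision(True, False, (
            "ssl not set: establishing SSL without server identity verification; "
            "set ssl=false to disable it, or ssl=true plus sslTrustStore=... to verify",))
    if ssl == "false":
        return SslDecision(False, False, (
            "ssl=false: username and password will cross the wire in plaintext",))
    if ssl == "true":
        return SslDecision(True, True, ())
    raise ValueError(f"unrecognised ssl value: {ssl!r}")


def check_url(url: str) -> SslDecision:
    """Convenience: parse the URL and apply the policy."""
    return decide_ssl(hive2_session_params(url))
```

With this policy the connect string from the bug report, which carries no `ssl` parameter at all, would still get a TLS socket and a warning instead of silently sending the password in the clear.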
[jira] [Commented] (HIVE-11555) Beeline sends password in clear text if we miss -ssl=true flag in the connect string
[ https://issues.apache.org/jira/browse/HIVE-11555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15405253#comment-15405253 ]

Junjie Chen commented on HIVE-11555:

It should be simple if the ssl option is set to true by default.
[jira] [Commented] (HIVE-11555) Beeline sends password in clear text if we miss -ssl=true flag in the connect string
[ https://issues.apache.org/jira/browse/HIVE-11555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14700412#comment-14700412 ]

Thejas M Nair commented on HIVE-11555:

HIVE-11581 addresses this to an extent, but it is applicable only when zookeeper HA mode is enabled.