[jira] [Commented] (HIVE-11555) Beeline sends password in clear text if we miss -ssl=true flag in the connect string

2017-05-19 Thread Shawn Lavelle (JIRA)

[ https://issues.apache.org/jira/browse/HIVE-11555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16017435#comment-16017435 ]

Shawn Lavelle commented on HIVE-11555:
--

I think ... plaintext passwords should *never* be sent across the wire

> Beeline sends password in clear text if we miss -ssl=true flag in the connect 
> string
> 
>
> Key: HIVE-11555
> URL: https://issues.apache.org/jira/browse/HIVE-11555
> Project: Hive
>  Issue Type: Bug
>  Components: Beeline
>Affects Versions: 1.2.0
>Reporter: bharath v
>Assignee: Junjie Chen
>
> {code}
> I used tcpdump to display the network traffic: 
> [root@fe01 ~]# beeline 
> Beeline version 0.13.1-cdh5.3.2 by Apache Hive 
> beeline> !connect jdbc:hive2://fe01.sectest.poc:10000/default 
> Connecting to jdbc:hive2://fe01.sectest.poc:10000/default 
> Enter username for jdbc:hive2://fe01.sectest.poc:10000/default: tdaranyi 
> Enter password for jdbc:hive2://fe01.sectest.poc:10000/default: * 
> (I entered "cleartext" as the password) 
> The tcpdump in a different window 
> tdara...@fe01.sectest.poc:~$ sudo tcpdump -n -X -i lo port 10000 
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
> listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes 
> (...) 
> 10:25:16.329974 IP 192.168.32.102.54322 > 192.168.32.102.ndmp: Flags [P.], 
> seq 11:35, ack 1, win 512, options [nop,nop,TS val 2412851969 ecr 
> 2412851969], length 24 
> 0x0000: 4500 004c 3dd3 4000 4006 3abc c0a8 2066 E..L=.@.@.:....f 
> 0x0010: c0a8 2066 d432 2710 714c 0edc b45c 9268 ...f.2'.qL...\.h 
> 0x0020: 8018 0200 c25b 0000 0101 080a 8fd1 3301 ....[.........3. 
> 0x0030: 8fd1 3301 0500 0000 1300 7464 6172 616e ..3.......tdaran 
> 0x0040: 7969 0063 6c65 6172 7465 7874 yi.cleartext 
> (...) 
> {code}
> We rely on the user supplied configuration to decide whether to open an SSL 
> socket or a Plain one. Instead we can negotiate this information from the HS2 
> and connect accordingly.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
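The capture quoted in the issue description is enough to show, byte for byte, what crosses the wire when Beeline falls back to a plain socket. The following is an added example written for this page, not Hive, Thrift or tcpdump code: it re-types the packet from the bug report as constructed input, strips the IPv4 and TCP headers, splits the payload into Thrift SASL negotiation frames (1 status byte, 4-byte big-endian length, payload) and flags a SASL PLAIN response, reporting the user name and password length but never the password. A defender can run the same logic over flows to the HiveServer2 port from a passive tap to confirm whether any client is still authenticating without TLS.

```python
"""Decode a Thrift SASL negotiation frame out of a tcpdump -X dump and flag a
PLAIN credential exchange that happened on a non-TLS socket.
Added example, not Hive or tcpdump code. The dump below is the packet quoted
in the HIVE-11555 description, re-typed here as constructed input."""
import re
import struct

# Thrift's TSaslTransport frames every negotiation message as
# 1 status byte + 4-byte big-endian payload length + payload.
SASL_STATUS = {1: "START", 2: "OK", 3: "BAD", 4: "ERROR", 5: "COMPLETE"}

# Constructed input: the 76-byte packet from the bug report (seq 11:35 of the
# Beeline -> HiveServer2 connection). The 10-byte START frame sent earlier
# carried only the mechanism name, so it is not part of this packet.
PACKET_DUMP = r"""
0x0000:  4500 004c 3dd3 4000 4006 3abc c0a8 2066  E..L=.@.@.:....f
0x0010:  c0a8 2066 d432 2710 714c 0edc b45c 9268  ...f.2'.qL...\.h
0x0020:  8018 0200 c25b 0000 0101 080a 8fd1 3301  ....[.........3.
0x0030:  8fd1 3301 0500 0000 1300 7464 6172 616e  ..3.......tdaran
0x0040:  7969 0063 6c65 6172 7465 7874            yi.cleartext
"""


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -X output lines."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not re.fullmatch(r"0x[0-9a-f]{4}:", tokens[0]):
            continue
        for tok in tokens[1:9]:  # up to eight 16-bit words, then the ASCII column
            if not re.fullmatch(r"[0-9a-f]{2,4}", tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def tcp_payload(pkt: bytes) -> bytes:
    """Strip the IPv4 and TCP headers (honouring IHL and the TCP data offset,
    which matters here because the segment carries timestamp options)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:total_len]
    data_offset = (tcp[12] >> 4) * 4
    return tcp[data_offset:]


def sasl_frames(payload: bytes) -> list:
    """Split a TCP payload into (status, body) Thrift SASL frames."""
    frames, i = [], 0
    while i + 5 <= len(payload):
        status = SASL_STATUS.get(payload[i], "UNKNOWN")
        length = struct.unpack("!I", payload[i + 1:i + 5])[0]
        body = payload[i + 5:i + 5 + length]
        if len(body) < length:
            break  # frame continues in a later segment; stop rather than misparse
        frames.append((status, body))
        i += 5 + length
    return frames


def audit_plain_credentials(payload: bytes) -> list:
    """Report SASL PLAIN responses (RFC 4616: [authzid] NUL authcid NUL passwd)
    seen in the clear. Only the user name and the password length are returned,
    so a finding can go into a ticket or SIEM event without re-leaking the secret."""
    findings = []
    for status, body in sasl_frames(payload):
        if status not in ("OK", "COMPLETE"):
            continue
        parts = body.split(b"\x00")
        if len(parts) == 3 and parts[1] and parts[2]:
            findings.append({
                "status": status,
                "user": parts[1].decode("utf-8", "replace"),
                "password_len": len(parts[2]),
            })
    return findings


PACKET = parse_tcpdump_hex(PACKET_DUMP)

if __name__ == "__main__":
    for f in audit_plain_credentials(tcp_payload(PACKET)):
        print(f"cleartext PLAIN login for user {f['user']} "
              f"({f['password_len']}-byte password) in {f['status']} frame")
```

The 24-byte payload decodes to a single COMPLETE frame whose 19-byte body is `\0tdaranyi\0cleartext`, which is exactly what the ASCII column of the dump already shows; the point of the parser is that the same bytes would be opaque TLS records if `ssl=true` had been in effect, so any successful decode on the HS2 port is itself the finding.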


[jira] [Commented] (HIVE-11555) Beeline sends password in clear text if we miss -ssl=true flag in the connect string

2016-08-07 Thread Junjie Chen (JIRA)

[ https://issues.apache.org/jira/browse/HIVE-11555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15411128#comment-15411128 ]

Junjie Chen commented on HIVE-11555:


Hi [~thejas][~bharathv]
Not sure what needs to be done here. But I tried to connect to mysql without the useSSL 
option, and it shows the following: 

WARN: Establishing SSL connection without server's identity verification is not 
recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL 
connection must be established by default if explicit option isn't set. For 
compliance with existing applications not using SSL the verifyServerCertificate 
property is set to 'false'. You need either to explicitly disable SSL by 
setting useSSL=false, or set useSSL=true and provide truststore for server 
certificate verification.

So I would propose to employ the same policy as mysql. Are you OK with this? 

Or were you asking to build a secure way on http, like SASL?

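The MySQL connector policy quoted above amounts to "an unspecified SSL setting is a decision the user has not made, not permission to send credentials in the clear". The block below is an added example, not Hive or Beeline code, of what that policy looks like as a client-side pre-flight check on a hive2 JDBC connect string: it parses the `;key=value` session variables, fails closed when `ssl` is absent, allows `ssl=true`, and allows `ssl=false` only as an explicit, logged choice. The hostname is constructed; `ssl`, `sslTrustStore`, `transportMode`, `principal` and `sasl.qop` are real hive2 JDBC session variables, while the verdict strings are my own.

```python
"""Fail-closed check of a hive2 JDBC connect string, mirroring the MySQL
connector policy discussed in HIVE-11555. Added example, not Hive code."""
import re
from urllib.parse import unquote


def parse_hive2_url(url: str) -> dict:
    """Split jdbc:hive2://host:port[/db][;sess=val...][?hive_conf][#hive_var]
    into authority, database and the ';'-separated session variables."""
    prefix = "jdbc:hive2://"
    if not url.startswith(prefix):
        raise ValueError("not a hive2 JDBC URL")
    rest = url[len(prefix):]
    # hive_conf (?...) and hive_var (#...) sections do not affect transport security
    rest = rest.split("#", 1)[0].split("?", 1)[0]
    m = re.match(r"([^/;]*)(?:/([^;]*))?(.*)", rest)
    authority, database, tail = m.group(1), m.group(2) or "", m.group(3)
    session = {}
    for seg in tail.split(";"):
        if not seg:
            continue
        key, _, value = seg.partition("=")
        session[key.strip()] = unquote(value.strip())
    return {"authority": authority, "database": database, "session": session}


def connection_policy(url: str) -> dict:
    """Decide whether a client should dial the URL at all. Verdicts are
    'allow', 'allow-with-warning' or 'reject' (constructed labels)."""
    info = parse_hive2_url(url)
    sess = info["session"]
    ssl = sess.get("ssl", "").lower()
    http = sess.get("transportMode", "binary").lower() == "http"
    kerberos = "principal" in sess

    if ssl == "true":
        verdict = "allow"
        reason = "TLS requested" + (" over the HTTP transport" if http else "")
        if "sslTrustStore" not in sess:
            reason += "; no sslTrustStore given, so the JVM default trust store decides server identity"
    elif ssl == "false":
        verdict = "allow-with-warning"
        reason = "plaintext transport explicitly requested; password is sent as SASL PLAIN"
    elif kerberos:
        # GSSAPI does not put the password on the wire, but the session data is
        # still unencrypted unless sasl.qop=auth-conf or ssl=true is set.
        verdict = "allow-with-warning" if sess.get("sasl.qop") != "auth-conf" else "allow"
        reason = "Kerberos auth; confidentiality depends on sasl.qop=auth-conf or TLS"
    else:
        verdict = "reject"
        reason = "ssl not specified; refusing to fall back to a plain socket with PLAIN credentials"
    return {"verdict": verdict, "reason": reason, "host": info["authority"]}


if __name__ == "__main__":
    for u in (
        "jdbc:hive2://hs2.example.internal:10000/default",                       # constructed
        "jdbc:hive2://hs2.example.internal:10000/default;ssl=true;sslTrustStore=/etc/hive/ts.jks",
        "jdbc:hive2://hs2.example.internal:10000/default;ssl=false",
    ):
        d = connection_policy(u)
        print(f"{d['verdict']:18} {d['host']}: {d['reason']}")
```

The check runs entirely on the client side and does not replace the server-side negotiation the reporter asks for; it only turns the silent fallback into an explicit refusal, which is the behaviour the MySQL warning text describes.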


[jira] [Commented] (HIVE-11555) Beeline sends password in clear text if we miss -ssl=true flag in the connect string

2016-08-02 Thread Junjie Chen (JIRA)

[ https://issues.apache.org/jira/browse/HIVE-11555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15405253#comment-15405253 ]

Junjie Chen commented on HIVE-11555:


It should be simple if the ssl option is set to true by default.



[jira] [Commented] (HIVE-11555) Beeline sends password in clear text if we miss -ssl=true flag in the connect string

2015-08-17 Thread Thejas M Nair (JIRA)

[ https://issues.apache.org/jira/browse/HIVE-11555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14700412#comment-14700412 ]

Thejas M Nair commented on HIVE-11555:
--

HIVE-11581 addresses this to an extent, but it is applicable only when 
zookeeper HA mode is enabled.

