[jira] [Commented] (HIVE-21083) Remove the requirement to specify the truststore location when TLS to the database is turned on
[
https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16754268#comment-16754268
]
Vihang Karajgaonkar commented on HIVE-21083:
Patch merged into master. Thanks for your contribution [~mramdenbourg]
> Remove the requirement to specify the truststore location when TLS to the
> database is turned on
> ---
>
> Key: HIVE-21083
> URL: https://issues.apache.org/jira/browse/HIVE-21083
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Standalone Metastore
>Affects Versions: 4.0.0
>Reporter: Morio Ramdenbourg
>Assignee: Morio Ramdenbourg
>Priority: Major
> Attachments: HIVE-21083.2.patch, HIVE-21083.4.patch, HIVE-21083.patch
>
>
> In the current implementation,
> [ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382]
> throws an exception if TLS to the database is turned on
> (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location
> (_metastore.dbaccess.ssl.truststore.path_) is not specified.
> However, according to the [JSSE (Java 8)
> documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization],
> the Java truststore file location system property
> (_javax.net.ssl.trustStore_) defaults to using the "_jssecacerts_, if it
> exists. Otherwise, _cacerts_" files. These are the default truststores that
> come with the Java installation and contain a list of well-known certificate
> authorities.
> It was identified that one valid way of configuring TLS is by adding to these
> default files. In that case, no changes to the truststore properties are
> necessary. We should support this case by changing the following logic to
> remove the requirement for the truststore file location config property:
> {code:java}
> String trustStorePath = MetastoreConf.getVar(conf,
> ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
> if (trustStorePath.isEmpty()) {
> throw new IllegalArgumentException("SSL to the database store has
> been enabled but " +
> ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
> + "Set this property to enable SSL.");
> }
> {code}
> We should also loosen the requirement on the truststore password if the user
> decides to use the Java defaults
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (HIVE-21083) Remove the requirement to specify the truststore location when TLS to the database is turned on
[
https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16752783#comment-16752783
]
Hive QA commented on HIVE-21083:
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12956390/HIVE-21083.4.patch
{color:green}SUCCESS:{color} +1 due to 1 test(s) being added or modified.
{color:green}SUCCESS:{color} +1 due to 15723 tests passed
Test results:
https://builds.apache.org/job/PreCommit-HIVE-Build/15797/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/15797/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-15797/
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.YetusPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
{noformat}
This message is automatically generated.
ATTACHMENT ID: 12956390 - PreCommit-HIVE-Build
> Remove the requirement to specify the truststore location when TLS to the
> database is turned on
> ---
>
> Key: HIVE-21083
> URL: https://issues.apache.org/jira/browse/HIVE-21083
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Standalone Metastore
>Affects Versions: 4.0.0
>Reporter: Morio Ramdenbourg
>Assignee: Morio Ramdenbourg
>Priority: Major
> Attachments: HIVE-21083.2.patch, HIVE-21083.4.patch, HIVE-21083.patch
>
>
> In the current implementation,
> [ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382]
> throws an exception if TLS to the database is turned on
> (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location
> (_metastore.dbaccess.ssl.truststore.path_) is not specified.
> However, according to the [JSSE (Java 8)
> documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization],
> the Java truststore file location system property
> (_javax.net.ssl.trustStore_) defaults to using the "_jssecacerts_, if it
> exists. Otherwise, _cacerts_" files. These are the default truststores that
> come with the Java installation and contain a list of well-known certificate
> authorities.
> It was identified that one valid way of configuring TLS is by adding to these
> default files. In that case, no changes to the truststore properties are
> necessary. We should support this case by changing the following logic to
> remove the requirement for the truststore file location config property:
> {code:java}
> String trustStorePath = MetastoreConf.getVar(conf,
> ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
> if (trustStorePath.isEmpty()) {
> throw new IllegalArgumentException("SSL to the database store has
> been enabled but " +
> ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
> + "Set this property to enable SSL.");
> }
> {code}
> We should also loosen the requirement on the truststore password if the user
> decides to use the Java defaults
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (HIVE-21083) Remove the requirement to specify the truststore location when TLS to the database is turned on
[
https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16752741#comment-16752741
]
Hive QA commented on HIVE-21083:
| (/) *{color:green}+1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
|| || || || {color:brown} Prechecks {color} ||
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m
0s{color} | {color:green} The patch does not contain any @author tags. {color} |
|| || || || {color:brown} master Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m
25s{color} | {color:blue} Maven dependency ordering for branch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 7m
14s{color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m
51s{color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m
13s{color} | {color:green} master passed {color} |
| {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 2m
14s{color} | {color:blue} standalone-metastore/metastore-common in master has
29 extant Findbugs warnings. {color} |
| {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 1m
1s{color} | {color:blue} standalone-metastore/metastore-server in master has
184 extant Findbugs warnings. {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m
9s{color} | {color:green} master passed {color} |
|| || || || {color:brown} Patch Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m
8s{color} | {color:blue} Maven dependency ordering for patch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m
59s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m
53s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m
53s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m
13s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m
0s{color} | {color:green} The patch has no whitespace issues. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m
29s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m
7s{color} | {color:green} the patch passed {color} |
|| || || || {color:brown} Other Tests {color} ||
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
12s{color} | {color:green} The patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 20m 41s{color} |
{color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| Optional Tests | asflicense javac javadoc findbugs checkstyle compile |
| uname | Linux hiveptest-server-upstream 3.16.0-4-amd64 #1 SMP Debian
3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux |
| Build tool | maven |
| Personality |
/data/hiveptest/working/yetus_PreCommit-HIVE-Build-15797/dev-support/hive-personality.sh
|
| git revision | master / 6d4b19b |
| Default Java | 1.8.0_111 |
| findbugs | v3.0.0 |
| modules | C: standalone-metastore/metastore-common
standalone-metastore/metastore-server U: standalone-metastore |
| Console output |
http://104.198.109.242/logs//PreCommit-HIVE-Build-15797/yetus.txt |
| Powered by | Apache Yetushttp://yetus.apache.org |
This message was automatically generated.
> Remove the requirement to specify the truststore location when TLS to the
> database is turned on
> ---
>
> Key: HIVE-21083
> URL: https://issues.apache.org/jira/browse/HIVE-21083
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Standalone Metastore
>Affects Versions: 4.0.0
>Reporter: Morio Ramdenbourg
>Assignee: Morio Ramdenbourg
>Priority: Major
> Attachments: HIVE-21083.2.patch, HIVE-21083.4.patch, HIVE-21083.patch
>
>
> In the current implementation,
> [ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382]
> throws an exception if TLS to the database is turned on
> (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location
> (_metastore.dbaccess.ssl.truststore.path_) is not specified.
> However, according to the [JSSE (Java 8)
>
[jira] [Commented] (HIVE-21083) Remove the requirement to specify the truststore location when TLS to the database is turned on
[
https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16752608#comment-16752608
]
Vihang Karajgaonkar commented on HIVE-21083:
+1 Left a few nits on RB related to documentation. Looks good to me otherwise.
> Remove the requirement to specify the truststore location when TLS to the
> database is turned on
> ---
>
> Key: HIVE-21083
> URL: https://issues.apache.org/jira/browse/HIVE-21083
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Standalone Metastore
>Affects Versions: 4.0.0
>Reporter: Morio Ramdenbourg
>Assignee: Morio Ramdenbourg
>Priority: Major
> Attachments: HIVE-21083.2.patch, HIVE-21083.patch
>
>
> In the current implementation,
> [ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382]
> throws an exception if TLS to the database is turned on
> (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location
> (_metastore.dbaccess.ssl.truststore.path_) is not specified.
> However, according to the [JSSE (Java 8)
> documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization],
> the Java truststore file location system property
> (_javax.net.ssl.trustStore_) defaults to using the "_jssecacerts_, if it
> exists. Otherwise, _cacerts_" files. These are the default truststores that
> come with the Java installation and contain a list of well-known certificate
> authorities.
> It was identified that one valid way of configuring TLS is by adding to these
> default files. In that case, no changes to the truststore properties are
> necessary. We should support this case by changing the following logic to
> remove the requirement for the truststore file location config property:
> {code:java}
> String trustStorePath = MetastoreConf.getVar(conf,
> ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
> if (trustStorePath.isEmpty()) {
> throw new IllegalArgumentException("SSL to the database store has
> been enabled but " +
> ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
> + "Set this property to enable SSL.");
> }
> {code}
> We should also loosen the requirement on the truststore password if the user
> decides to use the Java defaults
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (HIVE-21083) Remove the requirement to specify the truststore location when TLS to the database is turned on
[
https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16751920#comment-16751920
]
Hive QA commented on HIVE-21083:
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12956251/HIVE-21083.2.patch
{color:green}SUCCESS:{color} +1 due to 1 test(s) being added or modified.
{color:green}SUCCESS:{color} +1 due to 15708 tests passed
Test results:
https://builds.apache.org/job/PreCommit-HIVE-Build/15790/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/15790/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-15790/
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.YetusPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
{noformat}
This message is automatically generated.
ATTACHMENT ID: 12956251 - PreCommit-HIVE-Build
> Remove the requirement to specify the truststore location when TLS to the
> database is turned on
> ---
>
> Key: HIVE-21083
> URL: https://issues.apache.org/jira/browse/HIVE-21083
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Standalone Metastore
>Affects Versions: 4.0.0
>Reporter: Morio Ramdenbourg
>Assignee: Morio Ramdenbourg
>Priority: Major
> Attachments: HIVE-21083.2.patch, HIVE-21083.patch
>
>
> In the current implementation,
> [ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382]
> throws an exception if TLS to the database is turned on
> (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location
> (_metastore.dbaccess.ssl.truststore.path_) is not specified.
> However, according to the [JSSE (Java 8)
> documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization],
> the Java truststore file location system property
> (_javax.net.ssl.trustStore_) defaults to using the "_jssecacerts_, if it
> exists. Otherwise, _cacerts_" files. These are the default truststores that
> come with the Java installation and contain a list of well-known certificate
> authorities.
> It was identified that one valid way of configuring TLS is by adding to these
> default files. In that case, no changes to the truststore properties are
> necessary. We should support this case by changing the following logic to
> remove the requirement for the truststore file location config property:
> {code:java}
> String trustStorePath = MetastoreConf.getVar(conf,
> ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
> if (trustStorePath.isEmpty()) {
> throw new IllegalArgumentException("SSL to the database store has
> been enabled but " +
> ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
> + "Set this property to enable SSL.");
> }
> {code}
> We should also loosen the requirement on the truststore password if the user
> decides to use the Java defaults
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (HIVE-21083) Remove the requirement to specify the truststore location when TLS to the database is turned on
[
https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16751902#comment-16751902
]
Hive QA commented on HIVE-21083:
| (/) *{color:green}+1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
|| || || || {color:brown} Prechecks {color} ||
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m
0s{color} | {color:green} The patch does not contain any @author tags. {color} |
|| || || || {color:brown} master Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m
33s{color} | {color:blue} Maven dependency ordering for branch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 7m
7s{color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m
53s{color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m
13s{color} | {color:green} master passed {color} |
| {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 2m
14s{color} | {color:blue} standalone-metastore/metastore-common in master has
29 extant Findbugs warnings. {color} |
| {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 1m
5s{color} | {color:blue} standalone-metastore/metastore-server in master has
184 extant Findbugs warnings. {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m
9s{color} | {color:green} master passed {color} |
|| || || || {color:brown} Patch Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m
8s{color} | {color:blue} Maven dependency ordering for patch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m
57s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m
52s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m
52s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m
13s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m
0s{color} | {color:green} The patch has no whitespace issues. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m
33s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m
9s{color} | {color:green} the patch passed {color} |
|| || || || {color:brown} Other Tests {color} ||
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
12s{color} | {color:green} The patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 20m 57s{color} |
{color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| Optional Tests | asflicense javac javadoc findbugs checkstyle compile |
| uname | Linux hiveptest-server-upstream 3.16.0-4-amd64 #1 SMP Debian
3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux |
| Build tool | maven |
| Personality |
/data/hiveptest/working/yetus_PreCommit-HIVE-Build-15790/dev-support/hive-personality.sh
|
| git revision | master / 1327d47 |
| Default Java | 1.8.0_111 |
| findbugs | v3.0.0 |
| modules | C: standalone-metastore/metastore-common
standalone-metastore/metastore-server U: standalone-metastore |
| Console output |
http://104.198.109.242/logs//PreCommit-HIVE-Build-15790/yetus.txt |
| Powered by | Apache Yetushttp://yetus.apache.org |
This message was automatically generated.
> Remove the requirement to specify the truststore location when TLS to the
> database is turned on
> ---
>
> Key: HIVE-21083
> URL: https://issues.apache.org/jira/browse/HIVE-21083
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Standalone Metastore
>Affects Versions: 4.0.0
>Reporter: Morio Ramdenbourg
>Assignee: Morio Ramdenbourg
>Priority: Major
> Attachments: HIVE-21083.2.patch, HIVE-21083.patch
>
>
> In the current implementation,
> [ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382]
> throws an exception if TLS to the database is turned on
> (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location
> (_metastore.dbaccess.ssl.truststore.path_) is not specified.
> However, according to the [JSSE (Java 8)
>
[jira] [Commented] (HIVE-21083) Remove the requirement to specify the truststore location when TLS to the database is turned on
[
https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16751814#comment-16751814
]
Hive QA commented on HIVE-21083:
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12956215/HIVE-21083.patch
{color:green}SUCCESS:{color} +1 due to 1 test(s) being added or modified.
{color:red}ERROR:{color} -1 due to 1 failed/errored test(s), 15708 tests
executed
*Failed tests:*
{noformat}
org.apache.hive.jdbc.TestSSL.testMetastoreWithSSL (batchId=260)
{noformat}
Test results:
https://builds.apache.org/job/PreCommit-HIVE-Build/15787/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/15787/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-15787/
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.YetusPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 1 tests failed
{noformat}
This message is automatically generated.
ATTACHMENT ID: 12956215 - PreCommit-HIVE-Build
> Remove the requirement to specify the truststore location when TLS to the
> database is turned on
> ---
>
> Key: HIVE-21083
> URL: https://issues.apache.org/jira/browse/HIVE-21083
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Standalone Metastore
>Affects Versions: 4.0.0
>Reporter: Morio Ramdenbourg
>Assignee: Morio Ramdenbourg
>Priority: Major
> Attachments: HIVE-21083.2.patch, HIVE-21083.patch
>
>
> In the current implementation,
> [ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382]
> throws an exception if TLS to the database is turned on
> (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location
> (_metastore.dbaccess.ssl.truststore.path_) is not specified.
> However, according to the [JSSE (Java 8)
> documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization],
> the Java truststore file location system property
> (_javax.net.ssl.trustStore_) defaults to using the "_jssecacerts_, if it
> exists. Otherwise, _cacerts_" files. These are the default truststores that
> come with the Java installation and contain a list of well-known certificate
> authorities.
> It was identified that one valid way of configuring TLS is by adding to these
> default files. In that case, no changes to the truststore properties are
> necessary. We should support this case by changing the following logic to
> remove the requirement for the truststore file location config property:
> {code:java}
> String trustStorePath = MetastoreConf.getVar(conf,
> ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
> if (trustStorePath.isEmpty()) {
> throw new IllegalArgumentException("SSL to the database store has
> been enabled but " +
> ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
> + "Set this property to enable SSL.");
> }
> {code}
> We should also loosen the requirement on the truststore password if the user
> decides to use the Java defaults
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (HIVE-21083) Remove the requirement to specify the truststore location when TLS to the database is turned on
[
https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16751782#comment-16751782
]
Hive QA commented on HIVE-21083:
| (/) *{color:green}+1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
|| || || || {color:brown} Prechecks {color} ||
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m
0s{color} | {color:green} The patch does not contain any @author tags. {color} |
|| || || || {color:brown} master Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m
37s{color} | {color:blue} Maven dependency ordering for branch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 7m
4s{color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m
50s{color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m
12s{color} | {color:green} master passed {color} |
| {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 2m
12s{color} | {color:blue} standalone-metastore/metastore-common in master has
29 extant Findbugs warnings. {color} |
| {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 1m
5s{color} | {color:blue} standalone-metastore/metastore-server in master has
184 extant Findbugs warnings. {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m
10s{color} | {color:green} master passed {color} |
|| || || || {color:brown} Patch Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m
7s{color} | {color:blue} Maven dependency ordering for patch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m
57s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m
52s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m
52s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m
12s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m
0s{color} | {color:green} The patch has no whitespace issues. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m
29s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m
4s{color} | {color:green} the patch passed {color} |
|| || || || {color:brown} Other Tests {color} ||
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
12s{color} | {color:green} The patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 20m 40s{color} |
{color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| Optional Tests | asflicense javac javadoc findbugs checkstyle compile |
| uname | Linux hiveptest-server-upstream 3.16.0-4-amd64 #1 SMP Debian
3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux |
| Build tool | maven |
| Personality |
/data/hiveptest/working/yetus_PreCommit-HIVE-Build-15787/dev-support/hive-personality.sh
|
| git revision | master / 1327d47 |
| Default Java | 1.8.0_111 |
| findbugs | v3.0.0 |
| modules | C: standalone-metastore/metastore-common
standalone-metastore/metastore-server U: standalone-metastore |
| Console output |
http://104.198.109.242/logs//PreCommit-HIVE-Build-15787/yetus.txt |
| Powered by | Apache Yetushttp://yetus.apache.org |
This message was automatically generated.
> Remove the requirement to specify the truststore location when TLS to the
> database is turned on
> ---
>
> Key: HIVE-21083
> URL: https://issues.apache.org/jira/browse/HIVE-21083
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Standalone Metastore
>Affects Versions: 4.0.0
>Reporter: Morio Ramdenbourg
>Assignee: Morio Ramdenbourg
>Priority: Major
> Attachments: HIVE-21083.patch
>
>
> In the current implementation,
> [ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382]
> throws an exception if TLS to the database is turned on
> (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location
> (_metastore.dbaccess.ssl.truststore.path_) is not specified.
> However, according to the [JSSE (Java 8)
>
