[
https://issues.apache.org/jira/browse/HIVE-19746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939030#comment-16939030
]
Thejas Nair edited comment on HIVE-19746 at 9/26/19 11:32 PM:
--------------------------------------------------------------
The jceks file can be stored in local filesystem with only permissions for the
hive service user, to avoid this issue.
was (Author: thejas):
The jceks file can be stored in local filesystem, to avoid this issue.
> Hadoop credential provider allows to read passwords for every user
> ------------------------------------------------------------------
>
> Key: HIVE-19746
> URL: https://issues.apache.org/jira/browse/HIVE-19746
> Project: Hive
> Issue Type: Bug
> Components: Security
> Reporter: Oleksiy Sayankin
> Assignee: Oleksiy Sayankin
> Priority: Blocker
>
> This simple program allows to read any password from any {{jceks}} file:
> {code}
> package com.test.app;
> import java.util.List;
> import org.apache.hadoop.conf.Configuration;
> import org.apache.hadoop.security.alias.CredentialProvider;
> import org.apache.hadoop.security.alias.CredentialProviderFactory;
> import java.io.IOException;
> public class PasswordReader {
> public static void main(String[] args) throws IOException {
> if (args == null || args.length == 0){
> throw new IllegalArgumentException("Credential provider path is to
> set");
> }
> String credentialProviderPath = args[0];
> Configuration configuration = new Configuration();
> configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
> credentialProviderPath);
> CredentialProvider credentialProvider =
> CredentialProviderFactory.getProviders(configuration).get(0);
> List<String> aliases = credentialProvider.getAliases();
> for(String alias : aliases){
> System.out.println(alias + " = " + new
> String(configuration.getPassword(alias)));
> }
> }
> }
> {code}
> {code}
> java -cp $(hadoop classpath):password-reader.jar com.test.app.PasswordReader
> jceks://hdfs/user/hive/hivemetastore.jceks
> {code}
> *RESULT*
> {code}
> javax.jdo.option.connectionpassword = 123456
> {code}
> File {{jceks://hdfs/user/hive/hivemetastore.jceks}} has {{\-rw\-r\-\-r\-\-}}
> permissions and {{hdfs:hdfs}} owner:group. We can't remove world readable
> permissions here, because Hive is configured for impersonation to allow users
> user than {{hdfs}} connect to HiveServer2. When removed world readable
> permissions and tried to connect as other user, I got the exception:
> {code}
> 2018-05-31T10:08:40,191 ERROR [pool-7-thread-41] fs.Inode: Marking failure
> for: /user/hive/hivemetastore.jceks, error: Input/output error
> 2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] fs.Inode: Throwing exception
> for: /user/hive/hivemetastore.jceks, error: Input/output error
> 2018-05-31T10:08:40,192 ERROR [pool-7-thread-41]
> metastore.RetryingHMSHandler: java.lang.RuntimeException: Error getting
> metastore password: null
> at
> org.apache.hadoop.hive.metastore.ObjectStore.getDataSourceProps(ObjectStore.java:485)
> at
> org.apache.hadoop.hive.metastore.ObjectStore.setConf(ObjectStore.java:279)
> {code}
> Any ideas how to protect passwords (let's say restrict access to
> {{jceks://hdfs/user/hive/hivemetastore.jceks}} to {{600}}) and at the same
> time be available to connect to HS2 as not admin user?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
