Details
- Type: Wish
- Status: Resolved
- Priority: Major
- Resolution: Invalid
Description
The codepath in focus is this:
password = ProviderUtils.locatePassword(CREDENTIAL_PASSWORD_ENV_VAR, conf.get(CREDENTIAL_PASSWORD_FILE_KEY));
Since HIVE-14822, we can use a custom keystore that HiveServer2 propagates to the jobs/tasks of different execution engines (MR, Tez, Spark).
We're able to pass any "jceks:" URL, but not a password, e.g. on this codepath:
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:879) ~[sunjce_provider.jar:1.8.0_232]
    at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_232]
    at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.locateKeystore(AbstractJavaKeyStoreProvider.java:326) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
    at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.<init>(AbstractJavaKeyStoreProvider.java:86) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
    at org.apache.hadoop.security.alias.KeyStoreProvider.<init>(KeyStoreProvider.java:49) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
    at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:42) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
    at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:35) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
    at org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:68) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
    at org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:73) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
    at org.apache.hadoop.conf.Configuration.getPasswordFromCredentialProviders(Configuration.java:2409) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
    at org.apache.hadoop.conf.Configuration.getPassword(Configuration.java:2347) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
    at org.apache.hadoop.fs.azurebfs.AbfsConfiguration.getPasswordString(AbfsConfiguration.java:295) ~[hadoop-azure-3.1.1.7.1.7.0-551.jar:?]
    at org.apache.hadoop.fs.azurebfs.AbfsConfiguration.getTokenProvider(AbfsConfiguration.java:525) ~[hadoop-azure-3.1.1.7.1.7.0-551.jar:?]
Even though there is a chance of reading a text file, it's not secure; we need to try reading a Configuration property first and, if it's null, fall back to the environment variable.
Hacking System.getenv() is only possible with reflection, which doesn't look good.
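The lookup order proposed above, as an added illustration that is not Hadoop's or Hive's own code. It assumes hadoop-common on the classpath, reuses the real ProviderUtils.locatePassword() for the existing chain, and introduces a hypothetical property name (CREDENTIAL_PASSWORD_CONF_KEY) that does not exist in Hadoop.

```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.ProviderUtils;

/**
 * Hypothetical helper (not part of Hadoop) showing where a Configuration
 * property would slot in ahead of the existing lookup chain.
 */
public final class KeystorePasswordLookup {

  // Same values as the constants in AbstractJavaKeyStoreProvider (hadoop-common);
  // assumption: unchanged in the Hadoop version you run.
  static final String CREDENTIAL_PASSWORD_ENV_VAR = "HADOOP_CREDSTORE_PASSWORD";
  static final String CREDENTIAL_PASSWORD_FILE_KEY =
      "hadoop.security.credstore.java-keystore-provider.password-file";

  // Hypothetical key for this example only; Hadoop defines no such property.
  static final String CREDENTIAL_PASSWORD_CONF_KEY =
      "hadoop.security.credstore.java-keystore-provider.password";

  private KeystorePasswordLookup() {}

  /**
   * Returns the keystore password, or null when no source provides one
   * (the keystore provider then falls back to its default password).
   */
  static char[] locate(Configuration conf) throws IOException {
    // 1. Proposed first step: a property carried in the job Configuration.
    //    Note that anything placed here is serialized with the job
    //    configuration and readable by whoever can read that configuration.
    String fromConf = conf.get(CREDENTIAL_PASSWORD_CONF_KEY);
    if (fromConf != null && !fromConf.isEmpty()) {
      return fromConf.toCharArray();
    }
    // 2. Existing Hadoop chain, unchanged: the environment variable is
    //    consulted first, then the password file named by the config key
    //    (resolved as a classpath resource). A configured-but-missing
    //    password file makes this throw IOException; a missing env var
    //    with no file configured yields null.
    return ProviderUtils.locatePassword(
        CREDENTIAL_PASSWORD_ENV_VAR, conf.get(CREDENTIAL_PASSWORD_FILE_KEY));
  }
}
```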
Issue Links
- blocks: HIVE-25829 Tez exec mode support for credential provider for jobs (Closed)
- is related to: HIVE-14822 Add support for credential provider for jobs launched from Hiveserver2 (Resolved)
- links to