[HIVE-20992] Split the config "hive.metastore.dbaccess.ssl.properties" into more meaningful configs - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 4.0.0
Fix Version/s: 4.0.0-alpha-1
Component/s: Metastore, Security, Standalone Metastore
Labels:
None

Target Version/s:

4.0.0

Description

~~HIVE-13044~~ brought in the ability to enable TLS encryption from the HMS Service to the HMSDB by configuring the following two properties:

javax.jdo.option.ConnectionURL: JDBC connect string for a JDBC metastore. To use SSL to encrypt/authenticate the connection, provide database-specific SSL flag in the connection URL. (E.g. "jdbc:postgresql://myhost/db?ssl=true")
hive.metastore.dbaccess.ssl.properties: Comma-separated SSL properties for metastore to access database when JDO connection URL. (E.g. javax.net.ssl.trustStore=/tmp/truststore,javax.net.ssl.trustStorePassword=pwd)

However, the latter configuration option is opaque and poses some problems. The most glaring of which is it takes in any java.lang.System system property, whether it is TLS-related or not. This can cause some unintended side-effects for other components of the HMS, especially if it overrides an already-set system property. If the user truly wishes to add an unrelated Java property, setting it statically using the "-D" option of the java command is more appropriate. Secondly, the truststore password is stored in plain text. We should add Hadoop Shims back to the HMS to prevent exposing these passwords, but this effort can be done after this ticket.

I propose we deprecate hive.metastore.dbaccess.ssl.properties, and add the following properties:

hive.metastore.dbaccess.ssl.use.SSL (metastore.dbaccess.ssl.use.SSL)
- Set this to true to for using SSL/TLS encryption from the HMS Service to the HMS backend store
- Default: false
hive.metastore.dbaccess.ssl.truststore.path (metastore.dbaccess.ssl.truststore.path)

- Truststore location
- Directly maps to javax.net.ssl.trustStore System property
- Default: None
- E.g. /tmp/truststore

hive.metastore.dbaccess.ssl.truststore.password (metastore.dbaccess.ssl.truststore.password)

- Truststore password
- Directly maps to javax.net.ssl.trustStorePassword System property
- Default: None
- E.g. password

hive.metastore.dbaccess.ssl.truststore.type (metastore.dbaccess.ssl.truststore.type)

- Truststore type
- Directly maps to javax.net.ssl.trustStoreType System property
- Default: JKS
- E.g. pkcs12

We should guide the user towards an easier TLS configuration experience. This is the minimum configuration necessary to configure TLS to the HMSDB. If we need other options, such as the keystore location/password for dual-authentication, then we can add those on afterwards.

Also, document these changes - javax.jdo.option.ConnectionURL does not have up-to-date documentation, and these new parameters will need documentation as well.

Note "TLS" refers to both SSL and TLS. TLS is simply the successor of SSL.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HIVE-20992.patch
08/Dec/18 06:31
11 kB
Morio Ramdenbourg
HIVE-20992.2.patch
10/Dec/18 20:53
13 kB
Morio Ramdenbourg
HIVE-20992.3.patch
10/Dec/18 20:54
13 kB
Morio Ramdenbourg
HIVE-20992.4.patch
14/Dec/18 01:22
14 kB
Morio Ramdenbourg
HIVE-20992.5.patch
14/Dec/18 07:39
14 kB
Morio Ramdenbourg
HIVE-20992.6.patch
16/Dec/18 03:14
15 kB
Morio Ramdenbourg
HIVE-20992.7.patch
17/Dec/18 21:18
15 kB
Morio Ramdenbourg

Issue Links

is caused by

HIVE-13044 Enable TLS encryption to HMS backend database

Closed

links to

ReviewBoard

Activity

People

Assignee:: Morio Ramdenbourg

Reporter:: Morio Ramdenbourg

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 30/Nov/18 22:48

Updated:: 17/Nov/22 08:54

Resolved:: 17/Dec/18 22:01