Date: Fri, 14 Oct 2016 22:12:20 +0000 (UTC)
From: "Hive QA (JIRA)"
To: issues@hive.apache.org
Subject: [jira] [Commented] (HIVE-14822) Add support for credential provider for jobs launched from Hiveserver2

    [ https://issues.apache.org/jira/browse/HIVE-14822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15576668#comment-15576668 ]

Hive QA commented on HIVE-14822:
--------------------------------

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12833430/HIVE-14822.07.patch

{color:green}SUCCESS:{color} +1 due to 1 test(s) being added or modified.

{color:red}ERROR:{color} -1 due to 7 failed/errored test(s), 10573 tests executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[acid_globallimit]
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[order_null]
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[union_fast_stats]
org.apache.hive.beeline.TestBeelineArgParsing.testAddLocalJarWithoutAddDriverClazz[0]
org.apache.hive.beeline.TestBeelineArgParsing.testAddLocalJar[0]
org.apache.hive.beeline.TestBeelineArgParsing.testAddLocalJar[1]
org.apache.hive.jdbc.authorization.TestJdbcWithSQLAuthorization.testBlackListedUdfUsage
{noformat}

Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/1570/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/1570/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-1570/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 7 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12833430 - PreCommit-HIVE-Build

> Add support for credential provider for jobs launched from Hiveserver2
> ----------------------------------------------------------------------
>
>                 Key: HIVE-14822
>                 URL: https://issues.apache.org/jira/browse/HIVE-14822
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: Vihang Karajgaonkar
>            Assignee: Vihang Karajgaonkar
>         Attachments: HIVE-14822.01.patch, HIVE-14822.02.patch, HIVE-14822.03.patch, HIVE-14822.05.patch, HIVE-14822.06.patch, HIVE-14822.07.patch
>
>
> When using encrypted passwords via the Hadoop Credential Provider, HiveServer2 currently does not correctly forward enough information to the job configuration for jobs to read those secrets. If your job needs to access any secrets, like S3 credentials, then there's no convenient and secure way to configure this today.
> You could specify the decryption key in files like mapred-site.xml that HiveServer2 uses, but this would place the encryption password on local disk in plaintext, which can be a security concern.
> To solve this problem, HiveServer2 should modify job configuration to include the environment variable settings needed to decrypt the passwords. Specifically, it will need to modify:
> * For MR2 jobs:
> ** yarn.app.mapreduce.am.admin.user.env
> ** mapreduce.admin.user.env
> * For Spark jobs:
> ** spark.yarn.appMasterEnv.HADOOP_CREDSTORE_PASSWORD
> ** spark.executorEnv.HADOOP_CREDSTORE_PASSWORD
> HiveServer2 can get the decryption password from its own environment, the same way it does for its own credential provider store today.
> Additionally, it can be desirable for HiveServer2 to have a separate encrypted password file than what is used by the job. HiveServer2 may have secrets that the job should not have, such as the metastore database password or the password to decrypt its private SSL certificate. It is also best practice to have separate passwords on separate files.
> To facilitate this, Hive will also accept:
> * A configuration for a path to a credential store to use for jobs. This should already be uploaded in HDFS. (hive.server2.job.keystore.location or a better name) If this is not specified, then HS2 will simply use the value of hadoop.security.credential.provider.path.
> * An environment variable for the password to decrypt the credential store (HIVE_JOB_KEYSTORE_PASSWORD or better). If this is not specified, then HS2 will simply use the standard environment variable for decrypting the Hadoop Credential Provider.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
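
Added example (not part of the original message and not code from the HIVE-14822 patch): a Python sketch of the configuration change the quoted issue describes, with the job configuration modelled as a plain dict and hypothetical function names. It assumes the job always reads the password from HADOOP_CREDSTORE_PASSWORD, that a configured job keystore replaces the job's hadoop.security.credential.provider.path, and that the two MR properties are comma-separated VAR=value lists.

```python
# Added illustration: job configuration modelled as a plain dict, not Hive's code.
CRED_ENV = "HADOOP_CREDSTORE_PASSWORD"      # standard Hadoop credential-store variable
JOB_PW_ENV = "HIVE_JOB_KEYSTORE_PASSWORD"   # name proposed in the issue
JOB_STORE_KEY = "hive.server2.job.keystore.location"  # name proposed in the issue
PROVIDER_PATH_KEY = "hadoop.security.credential.provider.path"
MR_ENV_KEYS = ("yarn.app.mapreduce.am.admin.user.env", "mapreduce.admin.user.env")
SPARK_ENV_KEYS = ("spark.yarn.appMasterEnv." + CRED_ENV, "spark.executorEnv." + CRED_ENV)


def merge_env_list(existing, name, value):
    """Set name=value in a comma-separated VAR=value list, replacing any old entry."""
    if "," in value:
        # Assumed list format: a comma inside the value would split the entry.
        raise ValueError("password cannot be carried in a comma-separated env list")
    kept = [e for e in existing.split(",") if e and e.split("=", 1)[0].strip() != name]
    return ",".join(kept + [f"{name}={value}"])


def job_credential_overrides(conf, env, engine):
    """Properties to add to a job's configuration so it can open its credential store."""
    password = env.get(JOB_PW_ENV) or env.get(CRED_ENV)  # job-specific first, then HS2's
    if not password:
        return {}  # nothing to forward
    out = {}
    if conf.get(JOB_STORE_KEY):
        # Assumption: the job is pointed at the job keystore instead of HS2's own store.
        out[PROVIDER_PATH_KEY] = conf[JOB_STORE_KEY]
    if engine == "mr":
        for key in MR_ENV_KEYS:
            out[key] = merge_env_list(conf.get(key, ""), CRED_ENV, password)
    elif engine == "spark":
        for key in SPARK_ENV_KEYS:
            out[key] = password
    else:
        raise ValueError(f"unsupported engine: {engine}")
    return out


def redact(props):
    """Copy of props that is safe to log: the forwarded password is masked."""
    safe = {}
    for key, value in props.items():
        if key in SPARK_ENV_KEYS:
            value = "***"
        elif key in MR_ENV_KEYS:
            value = ",".join(f"{CRED_ENV}=***" if e.split("=", 1)[0].strip() == CRED_ENV
                             else e for e in value.split(","))
        safe[key] = value
    return safe
```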