hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hive QA (JIRA)" <>
Subject [jira] [Commented] (HIVE-17152) Improve security of random generator for HS2 cookies
Date Fri, 21 Jul 2017 20:17:00 GMT


Hive QA commented on HIVE-17152:

Here are the results of testing the latest attachment:

{color:red}ERROR:{color} -1 due to no test(s) being added or modified.

{color:red}ERROR:{color} -1 due to 12 failed/errored test(s), 11092 tests executed
*Failed tests:*
org.apache.hadoop.hive.cli.TestMiniLlapCliDriver.testCliDriver[llap_smb] (batchId=144)
org.apache.hadoop.hive.cli.TestMiniLlapLocalCliDriver.testCliDriver[subquery_scalar] (batchId=153)
org.apache.hadoop.hive.cli.TestPerfCliDriver.testCliDriver[query14] (batchId=235)
org.apache.hadoop.hive.cli.TestPerfCliDriver.testCliDriver[query23] (batchId=235)
org.apache.hive.hcatalog.api.TestHCatClient.testPartitionRegistrationWithCustomSchema (batchId=179)
org.apache.hive.hcatalog.api.TestHCatClient.testTableSchemaPropagation (batchId=179)
org.apache.hive.jdbc.TestJdbcWithMiniHS2.testConcurrentStatements (batchId=228)
org.apache.hive.jdbc.TestJdbcWithMiniHS2.testParallelCompilation2 (batchId=228)

Test results:
Console output:
Test logs:

Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 12 tests failed

This message is automatically generated.

ATTACHMENT ID: 12878393 - PreCommit-HIVE-Build

> Improve security of random generator for HS2 cookies
> ----------------------------------------------------
>                 Key: HIVE-17152
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: Tao Li
>            Assignee: Tao Li
>         Attachments: HIVE-17152.1.patch
> The random number generated is used as a secret to append to a sequence and SHA to implement
a CookieSigner. If this is attackable, then it's possible for an attacker to sign a cookie
as if we had. We should fix this and use SecureRandom as a stronger random function .
> HTTPAuthUtils has a similar issue. If that is attackable, an attacker might be able to
create a similar cookie. Paired with the above issue with the CookieSigner, it could reasonably
spoof a HS2 cookie.

This message was sent by Atlassian JIRA

View raw message