hive-issues mailing list archives

From "Morio Ramdenbourg (JIRA)" <j...@apache.org>
Subject [jira] [Work started] (HIVE-21083) Remove the requirement to specify the truststore location when TLS to the database is turned on
Date Thu, 24 Jan 2019 18:46:00 GMT

     [ https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on HIVE-21083 started by Morio Ramdenbourg.
------------------------------------------------
> Remove the requirement to specify the truststore location when TLS to the database is turned on
> -----------------------------------------------------------------------------------------------
>
>                 Key: HIVE-21083
>                 URL: https://issues.apache.org/jira/browse/HIVE-21083
>             Project: Hive
>          Issue Type: Improvement
>          Components: Metastore, Standalone Metastore
>    Affects Versions: 4.0.0
>            Reporter: Morio Ramdenbourg
>            Assignee: Morio Ramdenbourg
>            Priority: Major
>
> In the current implementation, [ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382] throws an exception if TLS to the database is turned on (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location (_metastore.dbaccess.ssl.truststore.path_) is not specified.
> However, according to the [JSSE (Java 8) documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization], the Java truststore file location system property (_javax.net.ssl.trustStore_) defaults to using the "_jssecacerts_, if it exists. Otherwise, _cacerts_" files. These are the default truststores that come with the Java installation and contain a list of well-known certificate authorities.
> It was identified that one valid way of configuring TLS is by adding to these default files. In that case, no changes to the truststore properties are necessary. We should support this case by changing the following logic to remove the requirement for the truststore file location config property:
> {code:java}
> String trustStorePath = MetastoreConf.getVar(conf, 
>         ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
> if (trustStorePath.isEmpty()) {
>         throw new IllegalArgumentException("SSL to the database store has been enabled but " + 
>         ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
>         + "Set this property to enable SSL.");
> }
> {code}
> We should also loosen the requirement on the truststore password if the user decides to use the Java defaults.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
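
An added example, not taken from the issue or from the Hive code base, of the relaxed check the issue asks for, written in plain Java. `configureTruststore` and `jsseDefaultTruststore` are hypothetical names, and the lookup order is the one from the JSSE documentation cited in the issue. With an empty path the helper leaves the `javax.net.ssl.*` properties alone and reports which default truststore the JVM will use.

```java
import java.io.File;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TruststoreFallbackExample {
  /** Hypothetical helper: returns the truststore the JVM will end up using. */
  static String configureTruststore(String configuredPath, String configuredPassword) {
    String path = configuredPath == null ? "" : configuredPath.trim();
    if (path.isEmpty()) {
      // Relaxed rule: no exception, leave javax.net.ssl.* untouched.
      return jsseDefaultTruststore();
    }
    if (!new File(path).isFile()) {
      throw new IllegalArgumentException("Truststore file not found: " + path);
    }
    System.setProperty("javax.net.ssl.trustStore", path);
    // The password is optional too; only export it when one was configured.
    if (configuredPassword != null && !configuredPassword.isEmpty()) {
      System.setProperty("javax.net.ssl.trustStorePassword", configuredPassword);
    }
    return path;
  }

  /** JSSE lookup order: explicit system property, then jssecacerts, then cacerts. */
  static String jsseDefaultTruststore() {
    String explicit = System.getProperty("javax.net.ssl.trustStore");
    if (explicit != null && !explicit.isEmpty()) {
      return explicit;
    }
    File securityDir = new File(System.getProperty("java.home"), "lib/security");
    File jssecacerts = new File(securityDir, "jssecacerts");
    return (jssecacerts.isFile() ? jssecacerts : new File(securityDir, "cacerts")).getPath();
  }

  public static void main(String[] args) throws Exception {
    System.out.println("Truststore in effect: " + configureTruststore("", ""));
    // init(null) makes the factory load the default truststore resolved above.
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null);
    for (TrustManager tm : tmf.getTrustManagers()) {
      if (tm instanceof X509TrustManager) {
        int n = ((X509TrustManager) tm).getAcceptedIssuers().length;
        System.out.println("Trusted CA certificates loaded: " + n);
      }
    }
  }
}
```

Running it on a host where the database's CA was imported into `cacerts` or `jssecacerts` shows that CA counted among the accepted issuers without any truststore property being set.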
