Date: Thu, 24 Jan 2019 18:46:00 +0000 (UTC)
From: "Morio Ramdenbourg (JIRA)"
To: issues@hive.apache.org
Reply-To: dev@hive.apache.org
Subject: [jira] [Work started] (HIVE-21083) Remove the requirement to specify the truststore location when TLS to the database is turned on

[ https://issues.apache.org/jira/browse/HIVE-21083?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on HIVE-21083 started by Morio Ramdenbourg.
------------------------------------------------
> Remove the requirement to specify the truststore location when TLS to the database is turned on
> -----------------------------------------------------------------------------------------------
>
>                 Key: HIVE-21083
>                 URL: https://issues.apache.org/jira/browse/HIVE-21083
>             Project: Hive
>          Issue Type: Improvement
>          Components: Metastore, Standalone Metastore
>    Affects Versions: 4.0.0
>            Reporter: Morio Ramdenbourg
>            Assignee: Morio Ramdenbourg
>            Priority: Major
>
> In the current implementation, [ObjectStore.configureSSL|https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java#L349-L382] throws an exception if TLS to the database is turned on (_metastore.dbaccess.ssl.use.SSL_) but a truststore file location (_metastore.dbaccess.ssl.truststore.path_) is not specified.
>
> However, according to the [JSSE (Java 8) documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization], the Java truststore file location system property (_javax.net.ssl.trustStore_) defaults to using the "_jssecacerts_, if it exists. Otherwise, _cacerts_" files. These are the default truststores that come with the Java installation and contain a list of well-known certificate authorities.
>
> It was identified that one valid way of configuring TLS is by adding to these default files. In that case, no changes to the truststore properties are necessary. We should support this case by changing the following logic to remove the requirement for the truststore file location config property:
>
> {code:java}
> String trustStorePath = MetastoreConf.getVar(conf,
>     ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH).trim();
> if (trustStorePath.isEmpty()) {
>   throw new IllegalArgumentException("SSL to the database store has been enabled but " +
>       ConfVars.DBACCESS_SSL_TRUSTSTORE_PATH.toString() + " is empty. "
>       + "Set this property to enable SSL.");
> }
> {code}
>
> We should also loosen the requirement on the truststore password if the user decides to use the Java defaults



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
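As an added example (not Hive's ObjectStore code), the fallback the ticket proposes: set javax.net.ssl.trustStore only when a path is configured, and otherwise verify that the JSSE default store (jssecacerts if present, else cacerts) is actually readable before relying on it. The class and method names and the password config key are assumptions; the two path/use.SSL keys are the ones quoted in the ticket.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

/** Added example, not Hive's ObjectStore: TLS-to-database setup without a mandatory truststore path. */
public final class DbTlsConfig {
    // Keys quoted in the ticket; the password key name is an assumption.
    static final String USE_SSL = "metastore.dbaccess.ssl.use.SSL";
    static final String TRUSTSTORE_PATH = "metastore.dbaccess.ssl.truststore.path";
    static final String TRUSTSTORE_PASSWORD = "metastore.dbaccess.ssl.truststore.password"; // assumed

    /** Store JSSE uses when javax.net.ssl.trustStore is unset: jssecacerts if it exists, else cacerts. */
    static Path defaultTruststore() {
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return jssecacerts.toFile().exists() ? jssecacerts : security.resolve("cacerts");
    }

    static void configureSsl(Properties conf) {
        if (!Boolean.parseBoolean(conf.getProperty(USE_SSL, "false"))) {
            return; // TLS to the database not requested; nothing to set
        }
        String trustStorePath = conf.getProperty(TRUSTSTORE_PATH, "").trim();
        if (trustStorePath.isEmpty()) {
            // Proposed behaviour: leave javax.net.ssl.trustStore unset so JSSE falls back to
            // jssecacerts/cacerts; fail early only if that fallback cannot actually be read.
            Path fallback = defaultTruststore();
            if (!fallback.toFile().canRead()) {
                throw new IllegalStateException(USE_SSL + " is true, " + TRUSTSTORE_PATH
                    + " is empty and the JSSE default truststore " + fallback + " is not readable");
            }
            return;
        }
        if (!Paths.get(trustStorePath).toFile().canRead()) {
            throw new IllegalArgumentException(TRUSTSTORE_PATH + " is not readable: " + trustStorePath);
        }
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        // A password is only relevant for an explicitly configured store (JKS can be read without one).
        String password = conf.getProperty(TRUSTSTORE_PASSWORD, "").trim();
        if (!password.isEmpty()) {
            System.setProperty("javax.net.ssl.trustStorePassword", password);
        }
    }

    public static void main(String[] args) {
        Properties conf = new Properties();
        conf.setProperty(USE_SSL, "true"); // no truststore path configured: rely on the JDK defaults
        configureSsl(conf);
        System.out.println("javax.net.ssl.trustStore=" + System.getProperty("javax.net.ssl.trustStore")
            + " (null means the JSSE default " + defaultTruststore() + " is in effect)");
    }
}
```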