HIVE-27308: Avoid exposing client keystore and truststore passwords in the JDBC URL

[VenuReddy2103]

What changes were proposed in this pull request?

Added a new property storePasswordPath to JDBC URL that point to the local JCE keystore file storing the password aliases. When an existing password property is present in URL, ignores to fetch that particular alias from local jceks(i.e., giving preference to existing password property). And if password property is not present in URL, fetches the password from local jceks file specified in storePasswordPath property. Hive JDBC can obtains the passwords with Configuration.getPassword API to read the password from jceks file.

JDBC URL would look like -
beeline -u "jdbc:hive2://kvr-host:10001/default;retries=5;ssl=true;sslTrustStore=/tmp/truststore.jks;transportMode=http;httpPath=cliservice;twoWay=true;sslKeyStore=/tmp/keystore.jks;storePasswordPath=localjceks://file/tmp/client_creds.jceks"

Why are the changes needed?

At present, we may have trustStorePassword, keyStorePassword, zooKeeperTruststorePassword, zooKeeperKeystorePassword passwords in the JDBC URL. Exposing these passwords in URL can be a security concern. We can hide all these passwords from JDBC URL when we protect these passwords in a local JCEKS keystore file and pass the JCEKS file path to URL instead.

Does this PR introduce any user-facing change?

Optional storePasswordPath property is supported in JDBC URL. Existing trustStorePassword, keyStorePassword, zooKeeperTruststorePassword, zooKeeperKeystorePassword properties continue to exist and are supported in JDBC URL without any change in their behavior. When both password(s) and storePasswordPath properties are present in URL, password(s) property is preferred. storePasswordPath property is effective only when password(s) property is not in JDBC URL.

How was this patch tested?

Tested manually

[VenuReddy2103]

@saihemanth-cloudera @dengzhhu653 Could you please help review this PR

[dengzhhu653]

Seems like we load all credentials from the same creds file, is this by design?

And we can add some comment how to use the key to generate the local creds, looks like we use JdbcConnectionParams.SSL_KEY_STORE_PASSWORD as the key.

[saihemanth-cloudera]

Can we move all these three types of passwords to a different API? This API can take in the String key as a parameter and return a string password. You can then call the API at lines #900, #1018, and #1037.

[VenuReddy2103]

Seems like we load all credentials from the same creds file, is this by design?

And we can add some comment how to use the key to generate the local creds, looks like we use JdbcConnectionParams.SSL_KEY_STORE_PASSWORD as the key.

Yes. We store all the passwords in the same file. Will document about the generation and usage in cwiki https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients

[VenuReddy2103]

Can we move all these three types of passwords to a different API? This API can take in the String key as a parameter and return a string password. You can then call the API at lines #900, #1018, and #1037.

Done. Added an API in Utils.java that takes map and key as arguments. First tries to find the password from map. If not found, then gets it from credential provider.

[saihemanth-cloudera]

Instead of creating a new config, can we reuse the setHiveConfs() L#326-#328?

[VenuReddy2103]

Used org.apache.hadoop.conf.Configuration object because Configuration.getPassword resolve the key as an alias through the CredentialProvider API internally. So we can avoid using the CredentialProvider APIs to fetch password explicitly in our code.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
28 Code Smells

No Coverage information
No Duplication information

[saihemanth-cloudera]

LGTM +1.