AMBARI-17950. Fix the 'Hive Metastore' password getting exposed in Hive2 client's hive-site.xml.
diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_interactive.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_interactive.py
index 2c205b5..f09a9f2 100644
--- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_interactive.py
+++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hive_interactive.py
@@ -65,6 +65,9 @@
exclude_list = ['hive.enforce.bucketing',
'hive.enforce.sorting']
+ # List of configs to be excluded from hive2 client, but present in Hive2 server.
+ exclude_list_for_hive2_client = ['javax.jdo.option.ConnectionPassword']
+
# Copy Tarballs in HDFS.
if params.stack_version_formatted_major and check_stack_feature(StackFeature.ROLLING_UPGRADE, params.stack_version_formatted_major):
resource_created = copy_to_hdfs("tez_hive2",
@@ -142,14 +145,33 @@
# hive-exec-log4j2.properties
# beeline-log4j2.properties
- for conf_dir in params.hive_conf_dirs_list:
- XmlConfig("hive-site.xml",
- conf_dir=conf_dir,
- configurations=merged_hive_interactive_site,
- configuration_attributes=params.config['configuration_attributes']['hive-interactive-site'],
- owner=params.hive_user,
- group=params.user_group,
- mode=0644)
+ hive2_conf_dirs_list = params.hive_conf_dirs_list
+ hive2_client_conf_path = format("{stack_root}/current/{component_directory}/conf")
+
+ # Making copy of 'merged_hive_interactive_site' in 'merged_hive_interactive_site_copy', and deleting 'javax.jdo.option.ConnectionPassword'
+ # config from there, as Hive2 client shouldn't have that config.
+ merged_hive_interactive_site_copy = merged_hive_interactive_site.copy()
+ for item in exclude_list_for_hive2_client:
+ if item in merged_hive_interactive_site.keys():
+ del merged_hive_interactive_site_copy[item]
+
+ for conf_dir in hive2_conf_dirs_list:
+ if conf_dir == hive2_client_conf_path:
+ XmlConfig("hive-site.xml",
+ conf_dir=conf_dir,
+ configurations=merged_hive_interactive_site_copy,
+ configuration_attributes=params.config['configuration_attributes']['hive-interactive-site'],
+ owner=params.hive_user,
+ group=params.user_group,
+ mode=0644)
+ else:
+ XmlConfig("hive-site.xml",
+ conf_dir=conf_dir,
+ configurations=merged_hive_interactive_site,
+ configuration_attributes=params.config['configuration_attributes']['hive-interactive-site'],
+ owner=params.hive_user,
+ group=params.user_group,
+ mode=0644)
XmlConfig("hiveserver2-site.xml",
conf_dir=conf_dir,
diff --git a/ambari-server/src/test/python/stacks/2.5/HIVE/test_hive_server_int.py b/ambari-server/src/test/python/stacks/2.5/HIVE/test_hive_server_int.py
index a48ebee..c3c977f 100644
--- a/ambari-server/src/test/python/stacks/2.5/HIVE/test_hive_server_int.py
+++ b/ambari-server/src/test/python/stacks/2.5/HIVE/test_hive_server_int.py
@@ -298,17 +298,37 @@
# Verify that config files got created under /etc/hive2/conf and /etc/hive2/conf/conf.server
hive_conf_dirs_list = ['/usr/hdp/current/hive-server2-hive2/conf', '/usr/hdp/current/hive-server2-hive2/conf/conf.server']
+ # Making copy of 'hive_site_conf' in 'hive_site_conf_for_client', and deleting 'javax.jdo.option.ConnectionPassword' config
+ # from there.
+ hive_site_conf_for_client = hive_site_conf.copy()
+ del hive_site_conf_for_client['javax.jdo.option.ConnectionPassword']
+
for conf_dir in hive_conf_dirs_list:
- self.assertResourceCalled('XmlConfig', 'hive-site.xml',
- group='hadoop',
- conf_dir=conf_dir,
- mode=0644,
- configuration_attributes={u'final': {u'hive.optimize.bucketmapjoin.sortedmerge': u'true',
- u'javax.jdo.option.ConnectionDriverName': u'true',
- u'javax.jdo.option.ConnectionPassword': u'true'}},
- owner='hive',
- configurations=hive_site_conf,
- )
+ # if 'conf_dir' is '/usr/hdp/current/hive-server2-hive2/conf', we don't expect 'javax.jdo.option.ConnectionPassword' config
+ # to be part of 'hive_site_conf', as we delete it for the HIVE client file. Thus, deleting it here for checking the contents.
+ if conf_dir == '/usr/hdp/current/hive-server2-hive2/conf':
+ self.assertResourceCalled('XmlConfig', 'hive-site.xml',
+ group='hadoop',
+ conf_dir=conf_dir,
+ mode=0644,
+ configuration_attributes={u'final': {u'hive.optimize.bucketmapjoin.sortedmerge': u'true',
+ u'javax.jdo.option.ConnectionDriverName': u'true',
+ u'javax.jdo.option.ConnectionPassword': u'true'}},
+ owner='hive',
+ configurations=hive_site_conf_for_client,
+ )
+ else:
+ self.assertResourceCalled('XmlConfig', 'hive-site.xml',
+ group='hadoop',
+ conf_dir=conf_dir,
+ mode=0644,
+ configuration_attributes={u'final': {u'hive.optimize.bucketmapjoin.sortedmerge': u'true',
+ u'javax.jdo.option.ConnectionDriverName': u'true',
+ u'javax.jdo.option.ConnectionPassword': u'true'}},
+ owner='hive',
+ configurations=hive_site_conf,
+ )
+
self.assertResourceCalled('XmlConfig', 'hiveserver2-site.xml',
group='hadoop',
conf_dir=conf_dir,
