Changes to enable ssl/tls in hms

Co-authored-by: Arin Mathew <[email protected]>

Added default value to correct formating

Author: bibith4

Diff for: .github/workflows/hive-tests.yml

@@ -114,6 +114,9 @@ jobs:
         run: |
           export MAVEN_OPTS="${MAVEN_INSTALL_OPTS}"
           ./mvnw install ${MAVEN_FAST_INSTALL} -am -pl :presto-hive
-      - name: Run Hive Dockerized Tests
+      - name: Run Hive Insert Overwrite Tests
         if: needs.changes.outputs.codechange == 'true'
         run: ./mvnw test ${MAVEN_TEST} -pl :presto-hive -P test-hive-insert-overwrite
+      - name: Run Hive SSL Enabled Tests
+        if: needs.changes.outputs.codechange == 'true'
+        run: ./mvnw test ${MAVEN_TEST} -pl :presto-hive -P test-ssl-enabled-hms

Diff for: presto-docs/src/main/sphinx/connector/hive.rst

@@ -232,6 +232,16 @@ Property Name                                                         Descriptio
 ``hive.invalidate-metastore-cache-procedure-enabled``    When enabled, users will be able to invalidate metastore        false
                                                          cache on demand.
 
+``hive.metastore.thrift.client.tls.enabled``             Whether TLS security is enabled.                                false
+
+``hive.metastore.thrift.client.tls.keystore.path``       Path to the PEM or JKS key store.                               NONE
+
+``hive.metastore.thrift.client.tls.keystore.password``   Password for the key store.                                     NONE
+
+``hive.metastore.thrift.client.tls.truststore.path``     Path to the PEM or JKS trust store.                             NONE
+
+``hive.metastore.thrift.client.tls.truststore.password`` Password for the trust store                                    NONE
+
 ======================================================= ============================================================= ============
 
 AWS Glue Catalog Configuration Properties

Diff for: presto-hive-common/src/main/java/com/facebook/presto/hive/HiveErrorCode.java

@@ -75,6 +75,7 @@ public enum HiveErrorCode
     HIVE_METASTORE_USER_ERROR(47, USER_ERROR),
     HIVE_RANGER_SERVER_ERROR(48, EXTERNAL),
     HIVE_FUNCTION_INITIALIZATION_ERROR(49, EXTERNAL),
+    HIVE_METASTORE_INITIALIZE_SSL_ERROR(50, EXTERNAL),
     /**/;
 
     private final ErrorCode errorCode;

Diff for: presto-hive-metastore/pom.xml

@@ -71,6 +71,12 @@
             <artifactId>slice</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>io.airlift</groupId>
+            <artifactId>security</artifactId>
+            <version>200</version>
+        </dependency>
+
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>

Diff for: presto-hive-metastore/src/main/java/com/facebook/presto/hive/MetastoreClientConfig.java

@@ -25,6 +25,7 @@
 import javax.validation.constraints.Min;
 import javax.validation.constraints.NotNull;
 
+import java.io.File;
 import java.util.concurrent.TimeUnit;
 
 import static java.util.concurrent.TimeUnit.MINUTES;
@@ -54,6 +55,12 @@ public class MetastoreClientConfig
     private boolean deleteFilesOnTableDrop;
     private boolean invalidateMetastoreCacheProcedureEnabled;
 
+    private boolean metastoreTlsEnabled;
+    private File metastoreTlsKeystorePath;
+    private String metastoreTlsKeystorePassword;
+    private File metastoreTlsTruststorePath;
+    private String metastoreTlsTruststorePassword;
+
     public HostAndPort getMetastoreSocksProxy()
     {
         return metastoreSocksProxy;
@@ -317,4 +324,60 @@ public MetastoreClientConfig setInvalidateMetastoreCacheProcedureEnabled(boolean
         this.invalidateMetastoreCacheProcedureEnabled = invalidateMetastoreCacheProcedureEnabled;
         return this;
     }
+
+    @Config("hive.metastore.thrift.client.tls.enabled")
+    @ConfigDescription("Enable TLS security for HMS")
+    public MetastoreClientConfig setMetastoreTlsEnabled(boolean enabled)
+    {
+        this.metastoreTlsEnabled = enabled;
+        return this;
+    }
+    public boolean getMetastoreTlsEnabled()
+    {
+        return metastoreTlsEnabled;
+    }
+    @Config("hive.metastore.thrift.client.tls.keystore.path")
+    @ConfigDescription("Path to JKS or PEM key store")
+    public MetastoreClientConfig setMetastoreTlsKeystorePath(File keystorePath)
+    {
+        this.metastoreTlsKeystorePath = keystorePath;
+        return this;
+    }
+    public File getMetastoreTlsKeystorePath()
+    {
+        return metastoreTlsKeystorePath;
+    }
+    @Config("hive.metastore.thrift.client.tls.keystore.password")
+    @ConfigDescription("Password to key store")
+    public MetastoreClientConfig setMetastoreTlsKeystorePassword(String keystorePassword)
+    {
+        this.metastoreTlsKeystorePassword = keystorePassword;
+        return this;
+    }
+    public String getMetastoreTlsKeystorePassword()
+    {
+        return metastoreTlsKeystorePassword;
+    }
+    @Config("hive.metastore.thrift.client.tls.truststore.path")
+    @ConfigDescription("Path to JKS or PEM trust store")
+    public MetastoreClientConfig setMetastoreTlsTruststorePath(File truststorePath)
+    {
+        this.metastoreTlsTruststorePath = truststorePath;
+        return this;
+    }
+    public File getMetastoreTlsTruststorePath()
+    {
+        return metastoreTlsTruststorePath;
+    }
+    @Config("hive.metastore.thrift.client.tls.truststore.password")
+    @ConfigDescription("Path to trust store")
+    public MetastoreClientConfig setMetastoreTlsTruststorePassword(String truststorePassword)
+    {
+        this.metastoreTlsTruststorePassword = truststorePassword;
+        return this;
+    }
+    public String getMetastoreTlsTruststorePassword()
+    {
+        return metastoreTlsTruststorePassword;
+    }
 }

Diff for: presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/thrift/HiveMetastoreClientFactory.java

@@ -15,16 +15,38 @@
 
 import com.facebook.presto.hive.MetastoreClientConfig;
 import com.facebook.presto.hive.authentication.HiveMetastoreAuthentication;
+import com.facebook.presto.spi.PrestoException;
 import com.google.common.net.HostAndPort;
+import io.airlift.security.pem.PemReader;
 import io.airlift.units.Duration;
 import org.apache.thrift.transport.TTransportException;
 
 import javax.inject.Inject;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import javax.security.auth.x500.X500Principal;
 
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Optional;
 
+import static com.facebook.presto.hive.HiveErrorCode.HIVE_METASTORE_INITIALIZE_SSL_ERROR;
 import static java.lang.Math.toIntExact;
+import static java.util.Collections.list;
 import static java.util.Objects.requireNonNull;
 
 public class HiveMetastoreClientFactory
@@ -33,6 +55,7 @@ public class HiveMetastoreClientFactory
     private final Optional<HostAndPort> socksProxy;
     private final int timeoutMillis;
     private final HiveMetastoreAuthentication metastoreAuthentication;
+    public static final String PROTOCOL = "SSL";
 
     public HiveMetastoreClientFactory(
             Optional<SSLContext> sslContext,
@@ -49,12 +72,138 @@ public HiveMetastoreClientFactory(
     @Inject
     public HiveMetastoreClientFactory(MetastoreClientConfig metastoreClientConfig, HiveMetastoreAuthentication metastoreAuthentication)
     {
-        this(Optional.empty(), Optional.ofNullable(metastoreClientConfig.getMetastoreSocksProxy()), metastoreClientConfig.getMetastoreTimeout(), metastoreAuthentication);
+        this(metastoreSslContext(metastoreClientConfig.getMetastoreTlsEnabled(), Optional.ofNullable(metastoreClientConfig.getMetastoreTlsKeystorePath()), Optional.ofNullable(metastoreClientConfig.getMetastoreTlsKeystorePassword()), Optional.ofNullable(metastoreClientConfig.getMetastoreTlsTruststorePath()), Optional.ofNullable(metastoreClientConfig.getMetastoreTlsTruststorePassword())), Optional.ofNullable(metastoreClientConfig.getMetastoreSocksProxy()), metastoreClientConfig.getMetastoreTimeout(), metastoreAuthentication);
     }
 
     public HiveMetastoreClient create(HostAndPort address, Optional<String> token)
             throws TTransportException
     {
         return new ThriftHiveMetastoreClient(Transport.create(address, sslContext, socksProxy, timeoutMillis, metastoreAuthentication, token));
     }
+
+    /**
+     * Reads the truststore and keystore and returns the SSLContext
+     * @param metastoreTlsEnabled
+     * @param metastoreKeyStorePath
+     * @param metastoreKeyStorePassword
+     * @param metastoreTrustStorePath
+     * @param metastoreTrustStorePassword
+     * @return SSLContext
+     */
+    private static Optional<SSLContext> metastoreSslContext(boolean metastoreTlsEnabled, Optional<File> metastoreKeyStorePath, Optional<String> metastoreKeyStorePassword, Optional<File> metastoreTrustStorePath, Optional<String> metastoreTrustStorePassword)
+    {
+        if (!metastoreTlsEnabled || (!metastoreKeyStorePath.isPresent() && !metastoreTrustStorePath.isPresent())) {
+            return Optional.empty();
+        }
+
+        try {
+            KeyStore metastoreKeyStore = null;
+            KeyManager[] metastoreKeyManagers = null;
+            if (metastoreKeyStorePath.isPresent()) {
+                char[] keyManagerPassword;
+                try {
+                    // attempt to read the key store as a PEM file
+                    metastoreKeyStore = PemReader.loadKeyStore(metastoreKeyStorePath.get(), metastoreKeyStorePath.get(), metastoreKeyStorePassword);
+                    // for PEM encoded keys, the password is used to decrypt the specific key (and does not protect the keystore itself)
+                    keyManagerPassword = new char[0];
+                }
+                catch (GeneralSecurityException | IOException ignored) {
+                    keyManagerPassword = metastoreKeyStorePassword.map(String::toCharArray).orElse(null);
+
+                    metastoreKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+                    try (InputStream in = new FileInputStream(metastoreKeyStorePath.get())) {
+                        metastoreKeyStore.load(in, keyManagerPassword);
+                    }
+                }
+                validateKeyStoreCertificates(metastoreKeyStore);
+                final KeyManagerFactory metastoreKeyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+                metastoreKeyManagerFactory.init(metastoreKeyStore, keyManagerPassword);
+                metastoreKeyManagers = metastoreKeyManagerFactory.getKeyManagers();
+            }
+
+            // load TrustStore if configured, otherwise use KeyStore
+            KeyStore metastoreTrustStore = metastoreKeyStore;
+            if (metastoreTrustStorePath.isPresent()) {
+                metastoreTrustStore = getTrustStore(metastoreTrustStorePath.get(), metastoreTrustStorePassword);
+            }
+
+            // create TrustManagerFactory
+            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            trustManagerFactory.init(metastoreTrustStore);
+
+            // get X509TrustManager
+            final TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+            if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
+                throw new RuntimeException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
+            }
+
+            // create SSLContext
+            final SSLContext sslContext = SSLContext.getInstance(PROTOCOL);
+            sslContext.init(metastoreKeyManagers, trustManagers, null);
+            return Optional.of(sslContext);
+        }
+        catch (GeneralSecurityException | IOException e) {
+            throw new PrestoException(HIVE_METASTORE_INITIALIZE_SSL_ERROR, e);
+        }
+    }
+
+    /**
+     * Reads the truststore certificate and returns it
+     * @param trustStorePath
+     * @param trustStorePassword
+     * @throws IOException
+     * @throws GeneralSecurityException
+     */
+    private static KeyStore getTrustStore(File trustStorePath, Optional<String> trustStorePassword)
+            throws IOException, GeneralSecurityException
+    {
+        final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        try {
+            // attempt to read the trust store as a PEM file
+            final List<X509Certificate> certificateChain = PemReader.readCertificateChain(trustStorePath);
+            if (!certificateChain.isEmpty()) {
+                trustStore.load(null, null);
+                for (X509Certificate certificate : certificateChain) {
+                    final X500Principal principal = certificate.getSubjectX500Principal();
+                    trustStore.setCertificateEntry(principal.getName(), certificate);
+                }
+                return trustStore;
+            }
+        }
+        catch (IOException | GeneralSecurityException ignored) {
+        }
+
+        try (InputStream in = new FileInputStream(trustStorePath)) {
+            trustStore.load(in, trustStorePassword.map(String::toCharArray).orElse(null));
+        }
+        return trustStore;
+    }
+
+    /**
+     * Validate keystore certificate
+     * @param keyStore
+     * @throws GeneralSecurityException
+     */
+    private static void validateKeyStoreCertificates(KeyStore keyStore) throws GeneralSecurityException
+    {
+        for (String alias : list(keyStore.aliases())) {
+            if (!keyStore.isKeyEntry(alias)) {
+                continue;
+            }
+            final Certificate certificate = keyStore.getCertificate(alias);
+            if (!(certificate instanceof X509Certificate)) {
+                continue;
+            }
+
+            try {
+                ((X509Certificate) certificate).checkValidity();
+            }
+            catch (CertificateExpiredException e) {
+                throw new CertificateExpiredException("KeyStore certificate is expired: " + e.getMessage());
+            }
+            catch (CertificateNotYetValidException e) {
+                throw new CertificateNotYetValidException("KeyStore certificate is not yet valid: " + e.getMessage());
+            }
+        }
+    }
 }

Diff for: presto-hive-metastore/src/test/java/com/facebook/presto/hive/metastore/TestMetastoreClientConfig.java

@@ -22,6 +22,7 @@
 import io.airlift.units.Duration;
 import org.testng.annotations.Test;
 
+import java.io.File;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
@@ -50,7 +51,12 @@ public void testDefaults()
                 .setPartitionCacheColumnCountLimit(500)
                 .setHiveMetastoreAuthenticationType(HiveMetastoreAuthenticationType.NONE)
                 .setDeleteFilesOnTableDrop(false)
-                .setInvalidateMetastoreCacheProcedureEnabled(false));
+                .setInvalidateMetastoreCacheProcedureEnabled(false)
+                .setMetastoreTlsEnabled(false)
+                .setMetastoreTlsKeystorePath(null)
+                .setMetastoreTlsKeystorePassword(null)
+                .setMetastoreTlsTruststorePath(null)
+                .setMetastoreTlsTruststorePassword(null));
     }
 
     @Test
@@ -77,6 +83,11 @@ public void testExplicitPropertyMappings()
                 .put("hive.metastore.authentication.type", "KERBEROS")
                 .put("hive.metastore.thrift.delete-files-on-table-drop", "true")
                 .put("hive.invalidate-metastore-cache-procedure-enabled", "true")
+                .put("hive.metastore.thrift.client.tls.enabled", "true")
+                .put("hive.metastore.thrift.client.tls.keystore.path", "/tmp/keystore")
+                .put("hive.metastore.thrift.client.tls.keystore.password", "tmp-keystore-password")
+                .put("hive.metastore.thrift.client.tls.truststore.path", "/tmp/truststore")
+                .put("hive.metastore.thrift.client.tls.truststore.password", "tmp-truststore-password")
                 .build();
 
         MetastoreClientConfig expected = new MetastoreClientConfig()
@@ -99,7 +110,12 @@ public void testExplicitPropertyMappings()
                 .setPartitionCacheColumnCountLimit(50)
                 .setHiveMetastoreAuthenticationType(HiveMetastoreAuthenticationType.KERBEROS)
                 .setDeleteFilesOnTableDrop(true)
-                .setInvalidateMetastoreCacheProcedureEnabled(true);
+                .setInvalidateMetastoreCacheProcedureEnabled(true)
+                .setMetastoreTlsEnabled(true)
+                .setMetastoreTlsKeystorePath(new File("/tmp/keystore"))
+                .setMetastoreTlsKeystorePassword("tmp-keystore-password")
+                .setMetastoreTlsTruststorePath(new File("/tmp/truststore"))
+                .setMetastoreTlsTruststorePassword("tmp-truststore-password");
 
         ConfigAssertions.assertFullMapping(properties, expected);
     }

Diff for: presto-hive/pom.xml

@@ -697,5 +697,21 @@
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>test-ssl-enabled-hms</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-surefire-plugin</artifactId>
+                        <configuration>
+                            <includes>
+                                <include>**/TestHiveSslEnableTrustStore.java</include>
+                            </includes>
+                        </configuration>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 </project>