Changes to enable ssl/tls in hms

Co-authored-by: Arin Mathew <[email protected]>

Changes to move ssl related properties to seperate class

Author: bibith4

Diff for: .github/workflows/hive-tests.yml

@@ -114,6 +114,9 @@ jobs:
         run: |
           export MAVEN_OPTS="${MAVEN_INSTALL_OPTS}"
           ./mvnw install ${MAVEN_FAST_INSTALL} -am -pl :presto-hive
-      - name: Run Hive Dockerized Tests
+      - name: Run Hive Insert Overwrite Tests
         if: needs.changes.outputs.codechange == 'true'
         run: ./mvnw test ${MAVEN_TEST} -pl :presto-hive -P test-hive-insert-overwrite
+      - name: Run Hive SSL Enabled Tests
+        if: needs.changes.outputs.codechange == 'true'
+        run: ./mvnw test ${MAVEN_TEST} -pl :presto-hive -P test-ssl-enabled-hms

Diff for: presto-delta/src/main/java/com/facebook/presto/delta/DeltaModule.java

@@ -44,6 +44,7 @@
 import com.facebook.presto.hive.metastore.InvalidateMetastoreCacheProcedure;
 import com.facebook.presto.hive.metastore.MetastoreCacheStats;
 import com.facebook.presto.hive.metastore.MetastoreConfig;
+import com.facebook.presto.hive.metastore.thrift.ThriftHiveMetastoreConfig;
 import com.facebook.presto.spi.procedure.Procedure;
 import com.fasterxml.jackson.databind.DeserializationContext;
 import com.fasterxml.jackson.databind.deser.std.FromStringDeserializer;
@@ -104,6 +105,7 @@ protected void setup(Binder binder)
         configBinder(binder).bindConfig(MetastoreConfig.class);
         configBinder(binder).bindConfig(HiveClientConfig.class);
         configBinder(binder).bindConfig(MetastoreClientConfig.class);
+        configBinder(binder).bindConfig(ThriftHiveMetastoreConfig.class);
         binder.bind(MetastoreCacheStats.class).to(HiveMetastoreCacheStats.class).in(Scopes.SINGLETON);
         newExporter(binder).export(MetastoreCacheStats.class).as(generatedNameOf(MetastoreCacheStats.class, connectorId));
         binder.bind(ExtendedHiveMetastore.class).to(InMemoryCachingHiveMetastore.class).in(Scopes.SINGLETON);

Diff for: presto-docs/src/main/sphinx/connector/hive.rst

@@ -213,9 +213,9 @@ Metastore Configuration Properties
 
 The required Hive metastore can be configured with a number of properties.
 
-======================================================= ============================================================= ============
+======================================================== ============================================================= ============
 Property Name                                                         Description                                       Default
-======================================================= ============================================================= ============
+======================================================== ============================================================= ============
 ``hive.metastore-timeout``                               Timeout for Hive metastore requests.                           ``10s``
 
 ``hive.metastore-cache-ttl``                             Duration how long cached metastore data should be considered   ``0s``
@@ -232,7 +232,17 @@ Property Name                                                         Descriptio
 ``hive.invalidate-metastore-cache-procedure-enabled``    When enabled, users will be able to invalidate metastore        false
                                                          cache on demand.
 
-======================================================= ============================================================= ============
+``hive.metastore.thrift.client.tls.enabled``             Whether TLS security is enabled.                                false
+
+``hive.metastore.thrift.client.tls.keystore-path``       Path to the PEM or JKS key store.                               NONE
+
+``hive.metastore.thrift.client.tls.keystore-password``   Password for the key store.                                     NONE
+
+``hive.metastore.thrift.client.tls.truststore-path``     Path to the PEM or JKS trust store.                             NONE
+
+``hive.metastore.thrift.client.tls.truststore-password`` Password for the trust store.                                   NONE
+
+======================================================== ============================================================= ============
 
 AWS Glue Catalog Configuration Properties
 -----------------------------------------

Diff for: presto-hive-common/src/main/java/com/facebook/presto/hive/HiveErrorCode.java

@@ -75,6 +75,7 @@ public enum HiveErrorCode
     HIVE_METASTORE_USER_ERROR(47, USER_ERROR),
     HIVE_RANGER_SERVER_ERROR(48, EXTERNAL),
     HIVE_FUNCTION_INITIALIZATION_ERROR(49, EXTERNAL),
+    HIVE_METASTORE_INITIALIZE_SSL_ERROR(50, EXTERNAL),
     /**/;
 
     private final ErrorCode errorCode;

Diff for: presto-hive-hadoop2/src/test/java/com/facebook/presto/hive/s3select/S3SelectTestHelper.java

@@ -57,6 +57,7 @@
 import com.facebook.presto.hive.metastore.thrift.HiveCluster;
 import com.facebook.presto.hive.metastore.thrift.TestingHiveCluster;
 import com.facebook.presto.hive.metastore.thrift.ThriftHiveMetastore;
+import com.facebook.presto.hive.metastore.thrift.ThriftHiveMetastoreConfig;
 import com.facebook.presto.hive.s3.HiveS3Config;
 import com.facebook.presto.hive.s3.PrestoS3ConfigurationUpdater;
 import com.facebook.presto.hive.s3.S3ConfigurationUpdater;
@@ -110,6 +111,7 @@ public class S3SelectTestHelper
     private HiveClientConfig config;
     private CacheConfig cacheConfig;
     private MetastoreClientConfig metastoreClientConfig;
+    private ThriftHiveMetastoreConfig thriftHiveMetastoreConfig;
 
     public S3SelectTestHelper(String host,
             int port,
@@ -128,13 +130,14 @@ public S3SelectTestHelper(String host,
         config = hiveClientConfig;
         cacheConfig = new CacheConfig();
         metastoreClientConfig = new MetastoreClientConfig();
+        thriftHiveMetastoreConfig = new ThriftHiveMetastoreConfig();
 
         String proxy = System.getProperty("hive.metastore.thrift.client.socks-proxy");
         if (proxy != null) {
             metastoreClientConfig.setMetastoreSocksProxy(HostAndPort.fromString(proxy));
         }
 
-        HiveCluster hiveCluster = new TestingHiveCluster(metastoreClientConfig, host, port);
+        HiveCluster hiveCluster = new TestingHiveCluster(metastoreClientConfig, thriftHiveMetastoreConfig, host, port);
         executor = newCachedThreadPool(daemonThreadsNamed("hive-%s"));
         HivePartitionManager hivePartitionManager = new HivePartitionManager(FUNCTION_AND_TYPE_MANAGER, config);
 

Diff for: presto-hive-metastore/pom.xml

@@ -71,6 +71,12 @@
             <artifactId>slice</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>io.airlift</groupId>
+            <artifactId>security</artifactId>
+            <version>200</version>
+        </dependency>
+
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>

Diff for: presto-hive-metastore/src/main/java/com/facebook/presto/hive/MetastoreClientModule.java

@@ -13,6 +13,7 @@
  */
 package com.facebook.presto.hive;
 
+import com.facebook.presto.hive.metastore.thrift.ThriftHiveMetastoreConfig;
 import com.google.inject.Binder;
 import com.google.inject.Module;
 
@@ -29,5 +30,6 @@ public MetastoreClientModule()
     public void configure(Binder binder)
     {
         configBinder(binder).bindConfig(MetastoreClientConfig.class);
+        configBinder(binder).bindConfig(ThriftHiveMetastoreConfig.class);
     }
 }

Diff for: presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/thrift/HiveMetastoreClientFactory.java

@@ -15,16 +15,38 @@
 
 import com.facebook.presto.hive.MetastoreClientConfig;
 import com.facebook.presto.hive.authentication.HiveMetastoreAuthentication;
+import com.facebook.presto.spi.PrestoException;
 import com.google.common.net.HostAndPort;
+import io.airlift.security.pem.PemReader;
 import io.airlift.units.Duration;
 import org.apache.thrift.transport.TTransportException;
 
 import javax.inject.Inject;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import javax.security.auth.x500.X500Principal;
 
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Optional;
 
+import static com.facebook.presto.hive.HiveErrorCode.HIVE_METASTORE_INITIALIZE_SSL_ERROR;
 import static java.lang.Math.toIntExact;
+import static java.util.Collections.list;
 import static java.util.Objects.requireNonNull;
 
 public class HiveMetastoreClientFactory
@@ -33,6 +55,7 @@ public class HiveMetastoreClientFactory
     private final Optional<HostAndPort> socksProxy;
     private final int timeoutMillis;
     private final HiveMetastoreAuthentication metastoreAuthentication;
+    public static final String PROTOCOL = "TLS";
 
     public HiveMetastoreClientFactory(
             Optional<SSLContext> sslContext,
@@ -47,14 +70,150 @@ public HiveMetastoreClientFactory(
     }
 
     @Inject
-    public HiveMetastoreClientFactory(MetastoreClientConfig metastoreClientConfig, HiveMetastoreAuthentication metastoreAuthentication)
+    public HiveMetastoreClientFactory(MetastoreClientConfig metastoreClientConfig, ThriftHiveMetastoreConfig thriftHiveMetastoreConfig, HiveMetastoreAuthentication metastoreAuthentication)
     {
-        this(Optional.empty(), Optional.ofNullable(metastoreClientConfig.getMetastoreSocksProxy()), metastoreClientConfig.getMetastoreTimeout(), metastoreAuthentication);
+        this(buildSslContext(thriftHiveMetastoreConfig.isTlsEnabled(),
+                Optional.ofNullable(thriftHiveMetastoreConfig.getKeystorePath()),
+                Optional.ofNullable(thriftHiveMetastoreConfig.getKeystorePassword()),
+                Optional.ofNullable(thriftHiveMetastoreConfig.getTruststorePath()),
+                Optional.ofNullable(thriftHiveMetastoreConfig.getTrustStorePassword())),
+                Optional.ofNullable(metastoreClientConfig.getMetastoreSocksProxy()),
+                metastoreClientConfig.getMetastoreTimeout(), metastoreAuthentication);
     }
 
     public HiveMetastoreClient create(HostAndPort address, Optional<String> token)
             throws TTransportException
     {
         return new ThriftHiveMetastoreClient(Transport.create(address, sslContext, socksProxy, timeoutMillis, metastoreAuthentication, token));
     }
+
+    /**
+     * Reads the truststore and keystore and returns the SSLContext
+     * @param tlsEnabled
+     * @param keystorePath
+     * @param keystorePassword
+     * @param truststorePath
+     * @param trustStorePassword
+     * @return SSLContext
+     */
+    private static Optional<SSLContext> buildSslContext(boolean tlsEnabled,
+                                                        Optional<File> keystorePath,
+                                                        Optional<String> keystorePassword,
+                                                        Optional<File> truststorePath,
+                                                        Optional<String> trustStorePassword)
+    {
+        if (!tlsEnabled || (!keystorePath.isPresent() && !truststorePath.isPresent())) {
+            return Optional.empty();
+        }
+
+        try {
+            KeyStore metastoreKeyStore = null;
+            KeyManager[] metastoreKeyManagers = null;
+            if (keystorePath.isPresent()) {
+                char[] keyManagerPassword;
+                try {
+                    // attempt to read the key store as a PEM file
+                    metastoreKeyStore = PemReader.loadKeyStore(keystorePath.get(), keystorePath.get(), keystorePassword);
+                    // for PEM encoded keys, the password is used to decrypt the specific key (and does not protect the keystore itself)
+                    keyManagerPassword = new char[0];
+                }
+                catch (GeneralSecurityException | IOException ignored) {
+                    keyManagerPassword = keystorePassword.map(String::toCharArray).orElse(null);
+
+                    metastoreKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+                    try (InputStream in = new FileInputStream(keystorePath.get())) {
+                        metastoreKeyStore.load(in, keyManagerPassword);
+                    }
+                }
+                validateKeyStoreCertificates(metastoreKeyStore);
+                final KeyManagerFactory metastoreKeyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+                metastoreKeyManagerFactory.init(metastoreKeyStore, keyManagerPassword);
+                metastoreKeyManagers = metastoreKeyManagerFactory.getKeyManagers();
+            }
+
+            // load TrustStore if configured, otherwise use KeyStore
+            KeyStore metastoreTrustStore = metastoreKeyStore;
+            if (truststorePath.isPresent()) {
+                metastoreTrustStore = getTrustStore(truststorePath.get(), trustStorePassword);
+            }
+
+            // create TrustManagerFactory
+            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            trustManagerFactory.init(metastoreTrustStore);
+
+            // get X509TrustManager
+            final TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+            if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
+                throw new RuntimeException("Expected exactly one X509TrustManager, but found:" + Arrays.toString(trustManagers));
+            }
+
+            // create SSLContext
+            final SSLContext sslContext = SSLContext.getInstance(PROTOCOL);
+            sslContext.init(metastoreKeyManagers, trustManagers, null);
+            return Optional.of(sslContext);
+        }
+        catch (GeneralSecurityException | IOException e) {
+            throw new PrestoException(HIVE_METASTORE_INITIALIZE_SSL_ERROR, e);
+        }
+    }
+
+    /**
+     * Reads the truststore certificate and returns it
+     * @param trustStorePath
+     * @param trustStorePassword
+     * @throws IOException
+     * @throws GeneralSecurityException
+     */
+    private static KeyStore getTrustStore(File trustStorePath, Optional<String> trustStorePassword)
+            throws IOException, GeneralSecurityException
+    {
+        final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        try {
+            // attempt to read the trust store as a PEM file
+            final List<X509Certificate> certificateChain = PemReader.readCertificateChain(trustStorePath);
+            if (!certificateChain.isEmpty()) {
+                trustStore.load(null, null);
+                for (X509Certificate certificate : certificateChain) {
+                    final X500Principal principal = certificate.getSubjectX500Principal();
+                    trustStore.setCertificateEntry(principal.getName(), certificate);
+                }
+                return trustStore;
+            }
+        }
+        catch (IOException | GeneralSecurityException ignored) {
+        }
+
+        try (InputStream in = new FileInputStream(trustStorePath)) {
+            trustStore.load(in, trustStorePassword.map(String::toCharArray).orElse(null));
+        }
+        return trustStore;
+    }
+
+    /**
+     * Validate keystore certificate
+     * @param keyStore
+     * @throws GeneralSecurityException
+     */
+    private static void validateKeyStoreCertificates(KeyStore keyStore) throws GeneralSecurityException
+    {
+        for (String alias : list(keyStore.aliases())) {
+            if (!keyStore.isKeyEntry(alias)) {
+                continue;
+            }
+            final Certificate certificate = keyStore.getCertificate(alias);
+            if (!(certificate instanceof X509Certificate)) {
+                continue;
+            }
+
+            try {
+                ((X509Certificate) certificate).checkValidity();
+            }
+            catch (CertificateExpiredException e) {
+                throw new CertificateExpiredException("KeyStore certificate is expired: " + e.getMessage());
+            }
+            catch (CertificateNotYetValidException e) {
+                throw new CertificateNotYetValidException("KeyStore certificate is not yet valid: " + e.getMessage());
+            }
+        }
+    }
 }