Changes to enable ssl/tls in hms

[bibith4]

Description

Added SSL/TLS support for hive metastore

Impact

The connection to HMS will be encrypted with TLS for secure communication.

Test Plan

Executed basic queries after enabling TLS in HMS.
Queries got executed successfully.

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Hive Connector Changes
* Add changes to enable SSL/TLS encryption by accepting the following configuration properties:

    * ``hive.metastore.thrift.client.tls.enabled``
    * ``hive.metastore.thrift.client.tls.keystore-path``
    * ``hive.metastore.thrift.client.tls.keystore-password``
    * ``hive.metastore.thrift.client.tls.truststore-path``
    * ``hive.metastore.thrift.client.tls.truststore-password``

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: bibith4 (693c872)

[steveburnett]

Please fix the formatting of the table in lines 216-245. A local doc build doesn't show the table. See screenshot.

Tag me to request a review after the table is restored and I'll be happy to review this again.

[steveburnett]

Nit of formatting in the Metastore Configuration Properties table.

[steveburnett]

Just one nit of formatting in the text, looks good other than that. Thanks for the quick turnaround!

[steveburnett]

LGTM! (docs)

Pull updated branch, new local doc build, looks good.

Thanks for the doc!

[agrawalreetika]

Since these are already metastore configs, I think we can shorten these variable and call it like in other SSL enabled class -

    private boolean tlsEnabled;
    private File keystorePath;
    private String keystorePassword;
    private File truststorePath;
    private String trustStorePassword;

[bibith4]

@agrawalreetika Changed as per the suggestion. Please check

[agrawalreetika]

We can call this method something like - buildSslContext

[bibith4]

@agrawalreetika Changed as per the suggestion. Please check

[agrawalreetika]

I think we can simply this here -

Suggested change

	if (!metastoreTlsEnabled || (!metastoreKeyStorePath.isPresent() && !metastoreTrustStorePath.isPresent())) {
	if (!metastoreTlsEnabled || (metastoreKeyStorePath.isEmpty() && metastoreTrustStorePath.isEmpty()) {

[bibith4]

@agrawalreetika Optional#isEmpty() is a Java 11 method. Not available in java 8

[agrawalreetika]

This could be more clear here based on the condition here -

Suggested change

	throw new RuntimeException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
	throw new RuntimeException("Expected exactly one X509TrustManager, but found: " + Arrays.toString(trustManagers));
	;

[bibith4]

@agrawalreetika Changed as per the suggestion. Please check

[agrawalreetika]

Add one more assert for checking the expected SELECT * values from a table

[bibith4]

@agrawalreetika added assert for select * also

[agrawalreetika]

We could add some more combinations of test and provide different combination of sslConfigurations in queryRunner -

1. When just truststore is set
2. When just keystore is set
3. When both truststore + keystore is set

[bibith4]

@agrawalreetika added test cases with all the above mentioned connfigurations

[agrawalreetika]

LGTM, Thanks for adding the support

Please plan to squash your commits into one with relevant commit message.

[bibith4]

LGTM, Thanks for adding the support

Please plan to squash your commits into one with relevant commit message.

Done

[yingsu00]

The release notes shall show these property names. E.g. "Add a configuration property plan-checker.config-dir to set the configuration directory for PlanCheckerProvider configurations. #23955"

[bibith4]

@yingsu00 Updated release notes with newly added properties

[yingsu00]

Why are they all dot separated?

[agrawalreetika]

I think we can follow the similar config naming like other connectors with TLS configs -
https://prestodb.io/docs/current/connector/elasticsearch.html#tls-security

.keystore.path -> .keystore-path
.keystore.password -> .keystore-password
.truststore.path -> .truststore-path
.truststore.password -> .truststore-password

WDYT @yingsu00?

[bibith4]

@agrawalreetika @yingsu00 existing properties specified in below format
hive.metastore-thrift-client-tls-enabled
Can we follow the same ?

[yingsu00]

@agrawalreetika @yingsu00 existing properties specified in below format hive.metastore-thrift-client-tls-enabled Can we follow the same ?

Please see my comments inline.

[bibith4]

@yingsu00 Changed as per the suggestion

[yingsu00]

Line too long. Put each parameter on a separate line

[bibith4]

@yingsu00 Updated it by adding parameters in separate lines

[yingsu00]

Line too long. Put each parameter on a separate line

[bibith4]

@yingsu00 Updated it by adding parameters in separate lines

[yingsu00]

these config properties are specific to the thrift metastore, and they are all used by com/facebook/presto/hive/metastore/thrift/HiveMetastoreClientFactory.java. I think we should create a separate config class under com/facebook/presto/hive/metastore/thrift/. We can name it as ThriftHiveMetastoreConfig.java. All config properties in it shall start with hive.metastore.thrift.

[yingsu00]

I'd suggest we name these new config properties prefix in ThriftHiveMetastoreConfig.java hive.metastore.thrift.client.tls.xxx. e.g.
hive.metastore.thrift.client.tls.enabled
hive.metastore.thrift.client.tls.keystore-path
"hive.metastore.thrift.client.tls.keystore-password...

[bibith4]

@yingsu00 created a separate class 'ThriftHiveMetastoreConfig' and moved all the ssl related properties to that

[yingsu00]

This comment is for line 64-74
Move it to the new com/facebook/presto/hive/metastore/thrift/ThriftHiveMetastoreConfig.java

[bibith4]

@yingsu00 when checked i could see that moving this field require changes in many files. Can we do that as a seperate follow-up PR?
cc : @agrawalreetika @imjalpreet

[yingsu00]

This comment is for line 302 to 314
Move "hive.metastore.thrift.delete-files-on-table-drop" to the new com/facebook/presto/hive/metastore/thrift/ThriftHiveMetastoreConfig.java

I'm not sure if this is only for the thrift client? If it is then it's better to rename it to "hive.metastore.thrift.client.delete-files-on-table-drop" and deprecate "hive.metastore.thrift.delete-files-on-table-drop". I think it is not. @imjalpreet Could you please confirm?

[imjalpreet]

Yes, we can move this to the ThriftHiveMetastoreConfig. The config is only valid when Thrift Hive Metastore is used as the metastore in Hive connector due to a limitation observed a few years back: #17369

[bibith4]

@yingsu00 when checked i could see that moving this field require changes in many files. Can we do that as a seperate follow-up PR?
cc : @agrawalreetika @imjalpreet

[ethanyzhang]

@bibith4 can you fix the CLA check? also the failing test

[bibith4]

@bibith4 can you fix the CLA check? also the failing test

@ethanyzhang Corrected. Please check

[steveburnett]

Thanks for the release note entry! Some suggestions for formatting and to follow the Order of changes in the Release Notes Guidelines:

== RELEASE NOTES ==

General Changes
* Add changes to accept SSL/TLS properties to enable encryption.
* Add configuration properties for SSL/TLS:

    * ``hive.metastore.thrift.client.tls.enabled``
    * ``hive.metastore.thrift.client.tls.keystore-path``
    * ``hive.metastore.thrift.client.tls.keystore-password``
    * ``hive.metastore.thrift.client.tls.truststore-path``
    * ``hive.metastore.thrift.client.tls.truststore-password``
      
Hive Connector Changes
* Improve hive-site.xml to allow configuration of SSL/TLS properties.

[steveburnett]

LGTM! (docs)

Pull branch, local doc build. Thanks!

[yingsu00]

The release note should only have Hive Connector changes. Could you please move them? Also cc @steveburnett for a second round of the release note section review

[bibith4]

The release note should only have Hive Connector changes. Could you please move them? Also cc @steveburnett for a second round of the release note section review

@yingsu00 changed release note as per suggestion. @steveburnett Can you please verify

[agrawalreetika]

Code changes, LGTM

[steveburnett]

The release note should only have Hive Connector changes. Could you please move them? Also cc @steveburnett for a second round of the release note section review

@yingsu00 changed release note as per suggestion. @steveburnett Can you please verify

Yes, verified. Thank you!

[yingsu00]

@bibith4 Could you please squash the 3 bullet points of the release notes into one? The second bullet point can be removed.

[bibith4]

@bibith4 Could you please squash the 3 bullet points of the release notes into one? The second bullet point can be removed.

@yingsu00 Changed release note as per the suggestion. Can you please check