HIVE-28838: Remove sensitive jdbc properties from JdbcStorageHandler tables

InvisibleProgrammer · InvisibleProgrammer · commit 9009a3095797 · 2025-04-23T23:21:13.000+02:00
diff --git a/jdbc-handler/src/main/java/org/apache/hive/storage/jdbc/conf/JdbcStorageConfigManager.java b/jdbc-handler/src/main/java/org/apache/hive/storage/jdbc/conf/JdbcStorageConfigManager.java
@@ -45,6 +45,8 @@ public class JdbcStorageConfigManager {
   public static final String CONFIG_PWD_KEYSTORE = Constants.JDBC_KEYSTORE;
   public static final String CONFIG_PWD_KEY = Constants.JDBC_KEY;
   public static final String CONFIG_PWD_URI = Constants.JDBC_PASSWORD_URI;
+  public static final String CONFIG_JDBC_USERNAME = Constants.JDBC_USERNAME;
+
   private static final EnumSet<JdbcStorageConfig> DEFAULT_REQUIRED_PROPERTIES =
     EnumSet.of(JdbcStorageConfig.DATABASE_TYPE,
                JdbcStorageConfig.JDBC_URL,
@@ -66,7 +68,9 @@ public static void copyConfigurationToJob(Properties props, Map<String, String>
       if (!key.equals(CONFIG_PWD) &&
           !key.equals(CONFIG_PWD_KEYSTORE) &&
           !key.equals(CONFIG_PWD_KEY) &&
-          !key.equals(CONFIG_PWD_URI)) {
+          !key.equals(CONFIG_PWD_URI) &&
+          !key.equals(CONFIG_JDBC_USERNAME)
+      ) {
         jobProps.put(String.valueOf(entry.getKey()), String.valueOf(entry.getValue()));
       }
     }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/plan/PlanUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/plan/PlanUtils.java
@@ -19,6 +19,8 @@
 package org.apache.hadoop.hive.ql.plan;
 
 import static org.apache.commons.lang3.StringUtils.isNotBlank;
+import static org.apache.hadoop.hive.conf.Constants.JDBC_PASSWORD;
+import static org.apache.hadoop.hive.conf.Constants.JDBC_USERNAME;
 import static org.apache.hadoop.hive.metastore.api.hive_metastoreConstants.META_TABLE_LOCATION;
 import static org.apache.hadoop.hive.metastore.api.hive_metastoreConstants.TABLE_IS_CTAS;
 import static org.apache.hive.common.util.HiveStringUtils.quoteComments;
@@ -1230,7 +1232,11 @@ public static Class<? extends AbstractSerDe> getDefaultSerDe() {
     return LazySimpleSerDe.class;
   }
 
-  private static final String[] FILTER_OUT_FROM_EXPLAIN = {TABLE_IS_CTAS};
+  private static final String[] FILTER_OUT_FROM_EXPLAIN = {
+          TABLE_IS_CTAS,
+          JDBC_USERNAME,
+          JDBC_PASSWORD
+  };
 
   /**
    * Get a Map of table or partition properties to be used in explain extended output.
diff --git a/ql/src/test/queries/clientpositive/explain_systest_password.q b/ql/src/test/queries/clientpositive/explain_systest_password.q
@@ -0,0 +1,45 @@
+--! qt:sysdb
+
+select 1
+from sys.TBLS t
+    join sys.DBS d on t.DB_ID = d.DB_ID
+limit 1;
+
+explain extended
+select 1
+from sys.TBLS t
+    join sys.DBS d on t.DB_ID = d.DB_ID
+limit 1;
+
+show create table sys.DBS;
+
+describe formatted sys.DBS;
+
+create table if not exists ctas_dbs as select * from sys.DBS;
+
+select 1
+from sys.TBLS t
+    join ctas_dbs d on t.DB_ID = d.DB_ID
+limit 1;
+
+explain extended
+select 1
+from sys.TBLS t
+    join ctas_dbs d on t.DB_ID = d.DB_ID
+limit 1;
+
+create table if not exists ctlt_dbs like sys.DBS;
+
+insert into ctlt_dbs
+select * from sys.DBS;
+
+select 1
+from sys.TBLS t
+    join ctlt_dbs d on t.DB_ID = d.DB_ID
+limit 1;
+
+explain extended
+select 1
+from sys.TBLS t
+    join ctlt_dbs d on t.DB_ID = d.DB_ID
+limit 1;
diff --git a/ql/src/test/results/clientpositive/llap/explain_systest_password.q.out b/ql/src/test/results/clientpositive/llap/explain_systest_password.q.out
