HIVE-28838: Remove sensitive jdbc properties from JdbcStorageHandler tables

InvisibleProgrammer · InvisibleProgrammer · commit b6998d636158 · 2025-04-23T19:07:03.000+02:00
diff --git a/jdbc-handler/src/main/java/org/apache/hive/storage/jdbc/conf/JdbcStorageConfigManager.java b/jdbc-handler/src/main/java/org/apache/hive/storage/jdbc/conf/JdbcStorageConfigManager.java
@@ -45,6 +45,9 @@ public class JdbcStorageConfigManager {
   public static final String CONFIG_PWD_KEYSTORE = Constants.JDBC_KEYSTORE;
   public static final String CONFIG_PWD_KEY = Constants.JDBC_KEY;
   public static final String CONFIG_PWD_URI = Constants.JDBC_PASSWORD_URI;
+  public static final String CONFIG_JDBC_URL = Constants.JDBC_URL;
+  public static final String CONFIG_JDBC_USERNAME = Constants.JDBC_USERNAME;
+
   private static final EnumSet<JdbcStorageConfig> DEFAULT_REQUIRED_PROPERTIES =
     EnumSet.of(JdbcStorageConfig.DATABASE_TYPE,
                JdbcStorageConfig.JDBC_URL,
@@ -66,7 +69,10 @@ public static void copyConfigurationToJob(Properties props, Map<String, String>
       if (!key.equals(CONFIG_PWD) &&
           !key.equals(CONFIG_PWD_KEYSTORE) &&
           !key.equals(CONFIG_PWD_KEY) &&
-          !key.equals(CONFIG_PWD_URI)) {
+          !key.equals(CONFIG_PWD_URI) &&
+          !key.equals(CONFIG_JDBC_USERNAME) &&
+          !key.equals(CONFIG_JDBC_URL)
+      ) {
         jobProps.put(String.valueOf(entry.getKey()), String.valueOf(entry.getValue()));
       }
     }
diff --git a/jdbc-handler/src/test/java/org/apache/hive/storage/jdbc/conf/TestJdbcStorageConfigManager.java b/jdbc-handler/src/test/java/org/apache/hive/storage/jdbc/conf/TestJdbcStorageConfigManager.java
@@ -25,6 +25,7 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
+import static org.hamcrest.Matchers.nullValue;
 
 public class TestJdbcStorageConfigManager {
 
@@ -40,9 +41,9 @@ public void testWithAllRequiredSettingsDefined() throws Exception {
     JdbcStorageConfigManager.copyConfigurationToJob(props, jobMap);
 
     assertThat(jobMap, is(notNullValue()));
-    assertThat(jobMap.size(), is(equalTo(4)));
+    assertThat(jobMap.size(), is(equalTo(3)));
     assertThat(jobMap.get(JdbcStorageConfig.DATABASE_TYPE.getPropertyName()), is(equalTo("MYSQL")));
-    assertThat(jobMap.get(JdbcStorageConfig.JDBC_URL.getPropertyName()), is(equalTo("jdbc://localhost:3306/hive")));
+    assertThat(jobMap.get(JdbcStorageConfig.JDBC_URL.getPropertyName()), is(nullValue()));
     assertThat(jobMap.get(JdbcStorageConfig.QUERY.getPropertyName()),
         is(equalTo("SELECT col1,col2,col3 FROM sometable")));
   }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/plan/PlanUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/plan/PlanUtils.java
@@ -19,6 +19,9 @@
 package org.apache.hadoop.hive.ql.plan;
 
 import static org.apache.commons.lang3.StringUtils.isNotBlank;
+import static org.apache.hadoop.hive.conf.Constants.JDBC_PASSWORD;
+import static org.apache.hadoop.hive.conf.Constants.JDBC_URL;
+import static org.apache.hadoop.hive.conf.Constants.JDBC_USERNAME;
 import static org.apache.hadoop.hive.metastore.api.hive_metastoreConstants.META_TABLE_LOCATION;
 import static org.apache.hadoop.hive.metastore.api.hive_metastoreConstants.TABLE_IS_CTAS;
 import static org.apache.hive.common.util.HiveStringUtils.quoteComments;
@@ -1230,7 +1233,12 @@ public static Class<? extends AbstractSerDe> getDefaultSerDe() {
     return LazySimpleSerDe.class;
   }
 
-  private static final String[] FILTER_OUT_FROM_EXPLAIN = {TABLE_IS_CTAS};
+  private static final String[] FILTER_OUT_FROM_EXPLAIN = {
+          TABLE_IS_CTAS,
+          JDBC_USERNAME,
+          JDBC_PASSWORD,
+          JDBC_URL
+  };
 
   /**
    * Get a Map of table or partition properties to be used in explain extended output.
diff --git a/ql/src/test/queries/clientpositive/explain_systest_password.q b/ql/src/test/queries/clientpositive/explain_systest_password.q
@@ -0,0 +1,45 @@
+--! qt:sysdb
+
+select 1
+from sys.TBLS t
+    join sys.DBS d on t.DB_ID = d.DB_ID
+limit 1;
+
+explain extended
+select 1
+from sys.TBLS t
+    join sys.DBS d on t.DB_ID = d.DB_ID
+limit 1;
+
+show create table sys.DBS;
+
+describe formatted sys.DBS;
+
+create table if not exists ctas_dbs as select * from sys.DBS;
+
+select 1
+from sys.TBLS t
+    join ctas_dbs d on t.DB_ID = d.DB_ID
+limit 1;
+
+explain extended
+select 1
+from sys.TBLS t
+    join ctas_dbs d on t.DB_ID = d.DB_ID
+limit 1;
+
+create table if not exists ctlt_dbs like sys.DBS;
+
+insert into ctlt_dbs
+select * from sys.DBS;
+
+select 1
+from sys.TBLS t
+    join ctlt_dbs d on t.DB_ID = d.DB_ID
+limit 1;
+
+explain extended
+select 1
+from sys.TBLS t
+    join ctlt_dbs d on t.DB_ID = d.DB_ID
+limit 1;
diff --git a/ql/src/test/results/clientpositive/llap/explain_systest_password.q.out b/ql/src/test/results/clientpositive/llap/explain_systest_password.q.out
