HIVE-28838: Remove sensitive jdbc properties from JdbcStorageHandler tables

Author: InvisibleProgrammer

jdbc-handler/src/main/java/org/apache/hive/storage/jdbc/conf/JdbcStorageConfigManager.java

@@ -45,6 +45,8 @@ public class JdbcStorageConfigManager {
   public static final String CONFIG_PWD_KEYSTORE = Constants.JDBC_KEYSTORE;
   public static final String CONFIG_PWD_KEY = Constants.JDBC_KEY;
   public static final String CONFIG_PWD_URI = Constants.JDBC_PASSWORD_URI;
+  public static final String CONFIG_JDBC_USERNAME = Constants.JDBC_USERNAME;
+
   private static final EnumSet<JdbcStorageConfig> DEFAULT_REQUIRED_PROPERTIES =
     EnumSet.of(JdbcStorageConfig.DATABASE_TYPE,
                JdbcStorageConfig.JDBC_URL,
@@ -66,7 +68,9 @@ public static void copyConfigurationToJob(Properties props, Map<String, String>
       if (!key.equals(CONFIG_PWD) &&
           !key.equals(CONFIG_PWD_KEYSTORE) &&
           !key.equals(CONFIG_PWD_KEY) &&
-          !key.equals(CONFIG_PWD_URI)) {
+          !key.equals(CONFIG_PWD_URI) &&
+          !key.equals(CONFIG_JDBC_USERNAME)
+      ) {
         jobProps.put(String.valueOf(entry.getKey()), String.valueOf(entry.getValue()));
       }
     }

ql/src/java/org/apache/hadoop/hive/ql/plan/PlanUtils.java

@@ -19,6 +19,8 @@
 package org.apache.hadoop.hive.ql.plan;
 
 import static org.apache.commons.lang3.StringUtils.isNotBlank;
+import static org.apache.hadoop.hive.conf.Constants.JDBC_PASSWORD;
+import static org.apache.hadoop.hive.conf.Constants.JDBC_USERNAME;
 import static org.apache.hadoop.hive.metastore.api.hive_metastoreConstants.META_TABLE_LOCATION;
 import static org.apache.hadoop.hive.metastore.api.hive_metastoreConstants.TABLE_IS_CTAS;
 import static org.apache.hive.common.util.HiveStringUtils.quoteComments;
@@ -1230,7 +1232,11 @@ public static Class<? extends AbstractSerDe> getDefaultSerDe() {
     return LazySimpleSerDe.class;
   }
 
-  private static final String[] FILTER_OUT_FROM_EXPLAIN = {TABLE_IS_CTAS};
+  private static final String[] FILTER_OUT_FROM_EXPLAIN = {
+          TABLE_IS_CTAS,
+          JDBC_USERNAME,
+          JDBC_PASSWORD
+  };
 
   /**
    * Get a Map of table or partition properties to be used in explain extended output.

ql/src/test/queries/clientpositive/explain_jdbc.q

@@ -0,0 +1,64 @@
+CREATE TABLE explain_jdbc_hive_table (id INT, bigId BIGINT);
+
+CREATE TEMPORARY FUNCTION dboutput AS 'org.apache.hadoop.hive.contrib.genericudf.example.GenericUDFDBOutput';
+
+
+FROM (select 1 as hello) src
+
+SELECT
+
+dboutput ( 'jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_explain_jdbc_db;create=true','','',
+'CREATE TABLE DERBY_TABLE ("id" INTEGER, "bigId" BIGINT)' ),
+
+dboutput('jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_explain_jdbc_db;create=true','','',
+'INSERT INTO DERBY_TABLE ("id","bigId") VALUES (?,?)','20','20')
+limit 1;
+
+CREATE EXTERNAL TABLE ext_DERBY_TABLE
+(
+ id int,
+ bigId bigint
+)
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver",
+                "hive.sql.jdbc.url" = "jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_explain_jdbc_db;create=true;collation=TERRITORY_BASED:PRIMARY",
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "DERBY_TABLE",
+                "hive.sql.dbcp.maxActive" = "1"
+);
+
+
+SET hive.fetch.task.conversion=none;
+
+select 1 from ext_DERBY_TABLE;
+
+explain extended select 1 from ext_DERBY_TABLE;
+
+
+create table if not exists ctas_dbs as select * from ext_DERBY_TABLE;
+
+select 1
+from ctas_dbs
+limit 1;
+
+explain extended
+select 1
+from ctas_dbs
+limit 1;
+
+create table if not exists ctlt_dbs like ext_DERBY_TABLE;
+
+insert into ctlt_dbs
+select * from ext_DERBY_TABLE;
+
+select 1
+from ctlt_dbs
+limit 1;
+
+explain extended
+select 1
+from ctlt_dbs
+limit 1;

ql/src/test/queries/clientpositive/explain_systest_password.q

@@ -0,0 +1,47 @@
+--! qt:sysdb
+
+SET hive.fetch.task.conversion=none;
+
+select 1
+from sys.TBLS t
+    join sys.DBS d on t.DB_ID = d.DB_ID
+limit 1;
+
+explain extended
+select 1
+from sys.TBLS t
+    join sys.DBS d on t.DB_ID = d.DB_ID
+limit 1;
+
+show create table sys.DBS;
+
+describe formatted sys.DBS;
+
+create table if not exists ctas_dbs as select * from sys.DBS;
+
+select 1
+from sys.TBLS t
+    join ctas_dbs d on t.DB_ID = d.DB_ID
+limit 1;
+
+explain extended
+select 1
+from sys.TBLS t
+    join ctas_dbs d on t.DB_ID = d.DB_ID
+limit 1;
+
+create table if not exists ctlt_dbs like sys.DBS;
+
+insert into ctlt_dbs
+select * from sys.DBS;
+
+select 1
+from sys.TBLS t
+    join ctlt_dbs d on t.DB_ID = d.DB_ID
+limit 1;
+
+explain extended
+select 1
+from sys.TBLS t
+    join ctlt_dbs d on t.DB_ID = d.DB_ID
+limit 1;