Integrate Google Secret Manager for Hive password with logging#1390
dilipgodhia wants to merge 5 commits into main from
Conversation
…Proxy (V1) with CloudSQL MySQL 8.4.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: cjac <cjac@google.com>
/gcbrun
Code Review
This pull request introduces Secret Manager integration for Hive metastore passwords and adds a metadata option to reuse existing Hive databases. The initialization script was updated to fetch secrets, remove plaintext credentials from configuration files, and utilize idempotent SQL commands. Feedback identifies a hardcoded username bug, suggests consistent host specifications, and raises a security concern regarding shell expansion of passwords in MySQL commands.
```sh
"CREATE USER IF NOT EXISTS '${DB_HIVE_USER}' IDENTIFIED BY '${DB_HIVE_PASSWORD}';
GRANT ALL PRIVILEGES ON ${METASTORE_DB}.* TO '${DB_HIVE_USER}'@'%';
FLUSH PRIVILEGES;"
```
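Review bot: the two statements name the account differently: CREATE USER IF NOT EXISTS '${DB_HIVE_USER}' omits the host part, while the GRANT uses '${DB_HIVE_USER}'@'%'. MySQL treats a missing host as '%', so both resolve to the same account today, but writing '${DB_HIVE_USER}'@'%' in both places makes that explicit and keeps the pair from diverging if the GRANT host is later narrowed.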
Using ${DB_HIVE_PASSWORD} directly inside a double-quoted string passed to mysql -e is risky. If the password contains special shell characters (like $, `, or \) or a single quote ('), the command will fail or potentially lead to command injection. Since this script runs in an environment where passwords can be complex, consider using a more robust way to pass the password to the MySQL client, such as environment variables or a temporary option file.
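One way to address the comment above, as an added example that is not the PR's own code: escape the password as a MySQL string literal, validate the interpolated identifiers, and feed the statements to the client on stdin rather than in an `-e` argument. It assumes the metastore runs with the default sql_mode (backslash escapes enabled) and that an admin option file, here called `$ADMIN_CNF`, holds the client credentials.

```shell
#!/bin/sh
# Added example, not code from the PR: build the Hive user SQL so that the
# password is escaped as a MySQL string literal and the statements reach the
# client on stdin instead of an -e argument (which is visible in `ps`).
# Assumes the default sql_mode (backslash escapes enabled) on the metastore.

# Escape a value for use inside a single-quoted MySQL string literal:
# double every backslash, then prefix every single quote with a backslash.
mysql_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# Reject anything that is not a plain identifier; the user and database names
# are interpolated as account and schema names, so they must stay simple.
is_simple_identifier() {
  case $1 in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# Emit the idempotent user + grant statements on stdout.
# Usage: build_hive_user_sql USER DB PASSWORD
build_hive_user_sql() {
  user=$1 db=$2 password=$3
  is_simple_identifier "$user" || { echo "bad user name" >&2; return 1; }
  is_simple_identifier "$db" || { echo "bad database name" >&2; return 1; }
  esc_pw=$(mysql_escape "$password")
  # Name the host explicitly on both statements so they refer to one account.
  printf "CREATE USER IF NOT EXISTS '%s'@'%%' IDENTIFIED BY '%s';\n" "$user" "$esc_pw"
  printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%%';\n" "$db" "$user"
  printf 'FLUSH PRIVILEGES;\n'
}

# In the init script this would run as shown below; ADMIN_CNF is a hypothetical
# mode-600 option file holding the admin credentials, so no secret hits argv.
#   build_hive_user_sql "$DB_HIVE_USER" "$METASTORE_DB" "$DB_HIVE_PASSWORD" \
#     | mysql --defaults-extra-file="$ADMIN_CNF"
```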
Added a feature to allow the use of Google Secret Manager (GSM) for Hive connectivity. In hive-site.xml, the property "javax.jdo.option.ConnectionPassword" will be removed since it will not be needed when GSM is used.