From 0f660fc8004f94048f6743d285bfc9a11905c0bd Mon Sep 17 00:00:00 2001
From: "C.J. Collier"
Date: Wed, 2 Apr 2025 19:13:41 -0700
Subject: [PATCH 1/5] [cloud-sql-proxy] Remove env var assignment of mysql passwords Add secret manager as a database password specification source
---
 cloud-sql-proxy/cloud-sql-proxy.sh | 145 ++++++++++++++++++-----------
 1 file changed, 92 insertions(+), 53 deletions(-)
diff --git a/cloud-sql-proxy/cloud-sql-proxy.sh b/cloud-sql-proxy/cloud-sql-proxy.sh
index 7d385d586..c6bf63955 100755
--- a/cloud-sql-proxy/cloud-sql-proxy.sh
+++ b/cloud-sql-proxy/cloud-sql-proxy.sh
@@ -25,10 +25,10 @@ function os_id() ( set +x ; grep '^ID=' /etc/os-release | cut -d= -f2 | x
 function os_version() ( set +x ; grep '^VERSION_ID=' /etc/os-release | cut -d= -f2 | xargs ; )
 function os_codename() ( set +x ; grep '^VERSION_CODENAME=' /etc/os-release | cut -d= -f2 | xargs ; )
-function version_ge() ( set +x ; [ "$1" = "$(echo -e "$1\n$2" | sort -V | tail -n1)" ] ; )
-function version_gt() ( set +x ; [ "$1" = "$2" ] && return 1 || version_ge $1 $2 ; )
-function version_le() ( set +x ; [ "$1" = "$(echo -e "$1\n$2" | sort -V | head -n1)" ] ; )
-function version_lt() ( set +x ; [ "$1" = "$2" ] && return 1 || version_le $1 $2 ; )
+function version_ge(){ [[ "$1" = "$(echo -e "$1\n$2"|sort -V|tail -n1)" ]]; }
+function version_gt(){ [[ "$1" = "$2" ]]&& return 1 || version_ge "$1" "$2";}
+function version_le(){ [[ "$1" = "$(echo -e "$1\n$2"|sort -V|head -n1)" ]]; }
+function version_lt(){ [[ "$1" = "$2" ]]&& return 1 || version_le "$1" "$2";}
 readonly -A supported_os=(
 ['debian']="10 11 12"
@@ -209,13 +209,19 @@ fi
 readonly CLOUDSQL_INSTANCE_TYPE
 METASTORE_PROXY_PORT="$(/usr/share/google/get_metadata_value attributes/metastore-proxy-port || echo '')"
-if [[ "${METASTORE_INSTANCE}" =~ =tcp:[0-9]+$ ]]; then
- METASTORE_PROXY_PORT="${METASTORE_INSTANCE##*:}"
-else
- METASTORE_PROXY_PORT=${DEFAULT_DB_PORT["${CLOUDSQL_INSTANCE_TYPE}"]}
+if [[ -z "${METASTORE_PROXY_PORT}" ]] ; then
+ if [[ "${METASTORE_INSTANCE}" =~ =tcp:[0-9]+$ ]]; then
+ METASTORE_PROXY_PORT="${METASTORE_INSTANCE##*:}"
+ else
+ METASTORE_PROXY_PORT=${DEFAULT_DB_PORT["${CLOUDSQL_INSTANCE_TYPE}"]}
+ fi
 fi
 readonly METASTORE_PROXY_PORT
+# Allow users to specify hive password using secret manager
+DB_HIVE_SECRET="$(/usr/share/google/get_metadata_value attributes/db-hive-secret || echo '')"
+DB_ADMIN_SECRET="$(/usr/share/google/get_metadata_value attributes/db-admin-secret || echo '')"
+
 # Database user to use to access metastore.
 DB_HIVE_USER="$(/usr/share/google/get_metadata_value attributes/db-hive-user || echo 'hive')"
 readonly DB_HIVE_USER
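Review bot: `DB_HIVE_SECRET` and `DB_ADMIN_SECRET` are the only metadata-derived values in this hunk not marked `readonly`, and the comment above them says neither that the admin password can also come from Secret Manager nor what value format the later parsing (`${DB_ADMIN_SECRET#*:}` for the version, `${DB_ADMIN_SECRET%:*}` for the secret name) expects. A value without a colon makes both expansions return the whole string, so the access call would be issued with the secret name as the version. I would replace the comment with `# Optional Secret Manager source for the hive / admin DB passwords, given as "<secret-name>:<version>"`, add `readonly DB_HIVE_SECRET DB_ADMIN_SECRET` after the two assignments, and guard the format with `[[ -z "${DB_ADMIN_SECRET}" || "${DB_ADMIN_SECRET}" == *:* ]] || err 'db-admin-secret must be <secret-name>:<version>'` (and the same for the hive value).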
@@ -233,39 +239,46 @@ readonly KMS_KEY_URI
 DB_ADMIN_PASSWORD_URI="$(/usr/share/google/get_metadata_value attributes/db-admin-password-uri || echo '')"
 readonly DB_ADMIN_PASSWORD_URI
-DB_ADMIN_PASSWORD=''
-if [[ -n "${DB_ADMIN_PASSWORD_URI}" ]]; then
+if [[ -n "${DB_ADMIN_SECRET}" ]] ; then
+ gcloud secrets versions access "${DB_ADMIN_SECRET#*:}" \
+ --project="${METASTORE_INSTANCE%%:*}" \
+ --secret="${DB_ADMIN_SECRET%:*}" > /dev/shm/db-pw
+elif [[ -n "${DB_ADMIN_PASSWORD_URI}" ]]; then
 # Decrypt password
- DB_ADMIN_PASSWORD="$(gsutil cat "${DB_ADMIN_PASSWORD_URI}" |
+ gsutil cat "${DB_ADMIN_PASSWORD_URI}" |
 gcloud kms decrypt \
 --ciphertext-file - \
- --plaintext-file - \
- --key "${KMS_KEY_URI}")"
+ --plaintext-file /dev/shm/db-pw \
+ --key "${KMS_KEY_URI}"
+else
+ touch /dev/shm/db-pw
 fi
-if [[ "${CLOUDSQL_INSTANCE_TYPE}" == "POSTGRES" && -z "${DB_ADMIN_PASSWORD}" ]]; then
+if [[ "${CLOUDSQL_INSTANCE_TYPE}" == "POSTGRES" ]] && [[ "$(perl -pe 'chomp' < /dev/shm/db-pw | wc -c)" != "0" ]]; then
 log 'POSTGRES DB admin password is not set'
 fi
-readonly DB_ADMIN_PASSWORD
 # Database password used to access metastore.
DB_HIVE_PASSWORD_URI="$(/usr/share/google/get_metadata_value attributes/db-hive-password-uri || echo '')"
 readonly DB_HIVE_PASSWORD_URI
-if [[ -n "${DB_HIVE_PASSWORD_URI}" ]]; then
+if [[ -n "${DB_HIVE_SECRET}" ]] ; then
+ gcloud secrets versions access "${DB_HIVE_SECRET#*:}" \
+ --project="${METASTORE_INSTANCE%%:*}" \
+ --secret="${DB_HIVE_SECRET%:*}" > /dev/shm/hive-pw
+elif [[ -n "${DB_HIVE_PASSWORD_URI}" ]]; then
 # Decrypt password
- DB_HIVE_PASSWORD="$(gsutil cat "${DB_HIVE_PASSWORD_URI}" |
+ gsutil cat "${DB_HIVE_PASSWORD_URI}" |
 gcloud kms decrypt \
 --ciphertext-file - \
- --plaintext-file - \
- --key "${KMS_KEY_URI}")"
- readonly DB_HIVE_PASSWORD
+ --plaintext-file /dev/shm/hive-pw \
+ --key "${KMS_KEY_URI}"
 else
- db_hive_pwd=$(bdconfig get_property_value \
+ /usr/local/bin/bdconfig get_property_value \
 --configuration_file "/etc/hive/conf/hive-site.xml" \
- --name "javax.jdo.option.ConnectionPassword" 2>/dev/null)
- if [[ "${db_hive_pwd}" == "None" ]]; then
- db_hive_pwd="hive-password"
- fi
- readonly DB_HIVE_PASSWORD=${db_hive_pwd}
+ --name "javax.jdo.option.ConnectionPassword" 2>/dev/null > /dev/shm/hive-pw
+fi
+
+if perl -e '$l=; chomp $l; exit( $l eq "None" ? 0 : 1 )' < /dev/shm/hive-pw; then
+ echo "hive-password" > /dev/shm/hive-pw
 fi
 # Name of MySQL database to use for the metastore.
@@ -394,13 +407,6 @@ function install_cloud_sql_proxy() {
 local proxy_flags
 proxy_flags="$(get_proxy_flags)"
- # Validate db_hive_password and escape invalid xml characters if found.
- local db_hive_password_xml_escaped
- db_hive_password_xml_escaped=${DB_HIVE_PASSWORD//&/&}
- db_hive_password_xml_escaped=${db_hive_password_xml_escaped///>}
- db_hive_password_xml_escaped=${db_hive_password_xml_escaped//'"'/"}
-
 # Install proxy as systemd service for reboot tolerance.
 cat <${INIT_SCRIPT}
 [Unit]
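Review bot: The password files are written to fixed names under `/dev/shm` with whatever umask the script inherited, so with the usual 022 they are world-readable, and `/dev/shm` is a shared, world-writable tmpfs in which a predictable file name is the classic temp-file race. Both the `gcloud secrets versions access ... > /dev/shm/db-pw` redirect and the `gcloud kms decrypt --plaintext-file /dev/shm/db-pw` path (and the `--out-file` form patch 5 of this series switches to) have this property, as do the `*-db.cnf`, `*_passfile` and `create_hive_user.sql` files written later in the series. I would add `umask 077` before the first write here and keep the files in a private directory, e.g. `secret_dir="$(mktemp -d -p /dev/shm)"`, referring to `${secret_dir}` instead of bare `/dev/shm/...` paths, which also lets `exit_handler` remove one directory instead of globbing `/dev/shm/*-pw`. Separately, this patch drops `DB_ADMIN_PASSWORD` while the context at the end of the `initialize_mysql_metastore_db` hunk shows `initialize_postgres_metastore_db` still expanding `"${DB_ADMIN_PASSWORD}"` under `set -u`; patch 2 in the series replaces that code, but unless the variable is assigned somewhere outside these hunks this commit on its own aborts on POSTGRES instances.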
@@ -443,12 +449,12 @@ EOF
 javax.jdo.option.ConnectionPassword
- ${db_hive_password_xml_escaped}
+ $(perl -pe 'chomp ; s:<:<:g; s:>:>:g ; s:":":g' < /dev/shm/hive-pw)
 EOF
- bdconfig merge_configurations \
+ /usr/local/bin/bdconfig merge_configurations \
 --configuration_file /etc/hive/conf/hive-site.xml \
 --source_configuration_file hive-template.xml \
 --clobber
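Review bot: The perl substitution that replaces the removed `db_hive_password_xml_escaped` logic escapes `<`, `>` and `"` but drops the `&` replacement the old first assignment performed (its replacement text is shown entity-decoded on this page), so a password containing `&` now produces an invalid XML value in hive-template.xml. `&` has to be escaped first so the other entities are not re-escaped: `$(perl -pe 'chomp; s:&:&amp;:g; s:<:&lt;:g; s:>:&gt;:g; s:":&quot;:g' < /dev/shm/hive-pw)`. The heredoc this sits in starts before the hunk; a one-line comment above this line stating that the password is XML-escaped here, and that `&` must come first, would help the next reader.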
@@ -457,33 +463,66 @@ EOF
 log 'Cloud SQL Proxy installation succeeded'
 }
+function admin_mysql() {
+ local admin_defaults_file="/dev/shm/admin-db.cnf"
+ local db_password_param="--defaults-file=${admin_defaults_file}"
+ mysql "${db_password_param}" $*
+}
+
+function hive_mysql() {
+ local hive_defaults_file="/dev/shm/hive-db.cnf"
+ local db_hive_password_param="--defaults-file=${hive_defaults_file}"
+ mysql "${db_hive_password_param}" $*
+}
+
 function initialize_mysql_metastore_db() {
- log 'Initialzing MYSQL DB for Hive metastore ...'
- local db_password_param='--password='
- if [[ -n ${DB_ADMIN_PASSWORD} ]]; then
- db_password_param+=${DB_ADMIN_PASSWORD}
- fi
- local db_hive_password_param=''
- if [[ -n ${DB_HIVE_PASSWORD} ]]; then
- db_hive_password_param+="-p${DB_HIVE_PASSWORD}"
- fi
+ log 'Initialzing MySQL DB for Hive metastore ...'
+ local admin_defaults_file="/dev/shm/admin-db.cnf"
+ local hive_defaults_file="/dev/shm/hive-db.cnf"
+ local db_password_param="--defaults-file=${admin_defaults_file}"
+ local db_hive_password_param="--defaults-file=${hive_defaults_file}"
+
+ (
+ printf "[client]\nhost=127.0.0.1\nport=${METASTORE_PROXY_PORT}\nuser=${DB_ADMIN_USER}\npassword=\""
+ perl -pe 'chomp' < /dev/shm/db-pw
+ echo '"'
+ ) > "${admin_defaults_file}"
+ (
+ printf "[client]\nhost=127.0.0.1\nport=${METASTORE_PROXY_PORT}\nuser=${DB_HIVE_USER}\npassword=\""
+ perl -pe 'chomp' < /dev/shm/hive-pw
+ echo '"'
+ ) > "${hive_defaults_file}"
+ (
+ echo -n "CREATE USER IF NOT EXISTS '${DB_HIVE_USER}'@'cloudsqlproxy~%' IDENTIFIED BY '"
+ perl -pe 'chomp' < /dev/shm/hive-pw
+ echo -n "';"
+ ) > /dev/shm/create_hive_user.sql
+
+ # create hive user if it does not exist
+ hive_mysql -e '' || \
+ admin_mysql < /dev/shm/create_hive_user.sql
 # Check if metastore is initialized.
- if !
mysql -h 127.0.0.1 -P "${METASTORE_PROXY_PORT}" -u "${DB_HIVE_USER}" "${db_hive_password_param}" -e ''; then
- mysql -h 127.0.0.1 -P "${METASTORE_PROXY_PORT}" -u "${DB_ADMIN_USER}" "${db_password_param}" -e \
- "CREATE USER '${DB_HIVE_USER}' IDENTIFIED BY '${DB_HIVE_PASSWORD}';"
- fi
- if ! mysql -h 127.0.0.1 -P "${METASTORE_PROXY_PORT}" -u "${DB_HIVE_USER}" "${db_hive_password_param}" -e "use ${METASTORE_DB}"; then
+ if ! hive_mysql -e "use ${METASTORE_DB}"; then
 # Initialize a Hive metastore DB
- mysql -h 127.0.0.1 -P "${METASTORE_PROXY_PORT}" -u "${DB_ADMIN_USER}" "${db_password_param}" -e \
- "CREATE DATABASE ${METASTORE_DB};
- GRANT ALL PRIVILEGES ON ${METASTORE_DB}.* TO '${DB_HIVE_USER}';"
- /usr/lib/hive/bin/schematool -dbType mysql -initSchema ||
+ admin_mysql -e \
+ "CREATE DATABASE IF NOT EXISTS ${METASTORE_DB};
+ GRANT ALL PRIVILEGES ON ${METASTORE_DB}.* TO '${DB_HIVE_USER}'@'cloudsqlproxy~%';"
+ /usr/lib/hive/bin/schematool -dbType mysql -initSchema || {
+ rm -f /dev/shm/*-db.cnf /dev/shm/*.sql
 err 'Failed to set mysql schema.'
+ }
 fi
 log 'MYSQL DB initialized for Hive metastore'
+ rm -f /dev/shm/*-db.cnf /dev/shm/*.sql
+}
+
+function exit_handler() {
+ rm -f /dev/shm/*-pw /dev/shm/*-db.cnf /dev/shm/*.sql
 }
+trap exit_handler EXIT
+
 function initialize_postgres_metastore_db() {
 log 'Initialzing POSTGRES DB for Hive metastore ...'
 local admin_connection=postgresql://"${DB_ADMIN_USER}":"${DB_ADMIN_PASSWORD}"@127.0.0.1:"${METASTORE_PROXY_PORT}"/
From 91d4f7d683be23bbacfb86f11791d12976de6af0 Mon Sep 17 00:00:00 2001
From: "C.J. Collier"
Date: Fri, 4 Apr 2025 14:54:07 -0700
Subject: [PATCH 2/5] sanitize postgres password code
---
 cloud-sql-proxy/cloud-sql-proxy.sh | 50 +++++++++++++++++++++++-------
 1 file changed, 38 insertions(+), 12 deletions(-)
diff --git a/cloud-sql-proxy/cloud-sql-proxy.sh b/cloud-sql-proxy/cloud-sql-proxy.sh
index c6bf63955..ab6c2a41a 100755
--- a/cloud-sql-proxy/cloud-sql-proxy.sh
+++ b/cloud-sql-proxy/cloud-sql-proxy.sh
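Review bot: The two `printf "[client]\nhost=127.0.0.1\nport=${METASTORE_PROXY_PORT}\nuser=${DB_ADMIN_USER}\npassword=\""` calls in `initialize_mysql_metastore_db` put metadata-supplied values into the printf format string, so a `%` in a user name or port is interpreted as a conversion; pass them as arguments instead, e.g. `printf '[client]\nhost=127.0.0.1\nport=%s\nuser=%s\npassword="' "${METASTORE_PROXY_PORT}" "${DB_ADMIN_USER}"` (same for the hive file). The password is then emitted inside a double-quoted my.cnf value and, in `create_hive_user.sql`, inside a single-quoted SQL literal with no escaping of `"`, `'` or `\`, so a secret containing one of those breaks the option file or the statement; the `perl -pe 'chomp'` filters are the natural place to backslash-escape them. `admin_mysql`/`hive_mysql` forward their arguments with unquoted `$*`, which word-splits the `-e` statements and drops the empty argument in `hive_mysql -e ''`; `"$@"` is the form that preserves them (patch 3 of this series changes this to `"$*"`, which is not equivalent). The trailing `rm -f /dev/shm/*-db.cnf /dev/shm/*.sql` lines duplicate what `exit_handler` does at script exit and could be dropped.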
@@ -518,32 +518,58 @@ function initialize_mysql_metastore_db() {
 }
 function exit_handler() {
- rm -f /dev/shm/*-pw /dev/shm/*-db.cnf /dev/shm/*.sql
+ rm -f /dev/shm/*-pw /dev/shm/*-db.cnf /dev/shm/*_passfile /dev/shm/*.sql
 }
 trap exit_handler EXIT
+function admin_psql() {
+ PGPASSFILE="/dev/shm/admin_passfile" psql $*
+}
+
+function hive_psql() {
+ PGPASSFILE="/dev/shm/hive_passfile" psql $*
+}
+
 function initialize_postgres_metastore_db() {
- log 'Initialzing POSTGRES DB for Hive metastore ...'
- local admin_connection=postgresql://"${DB_ADMIN_USER}":"${DB_ADMIN_PASSWORD}"@127.0.0.1:"${METASTORE_PROXY_PORT}"/
- local hive_connection=postgresql://"${DB_HIVE_USER}":"${DB_HIVE_PASSWORD}"@127.0.0.1:"${METASTORE_PROXY_PORT}"/postgres
+ log 'Initialzing PostgreSQL DB for Hive metastore ...'
+ local admin_pgpass=/dev/shm/admin_passfile
+ local hive_pgpass=/dev/shm/hive_passfile
+ (
+ echo -n "postgresql://${DB_ADMIN_USER}:"
+ perl -pe 'chomp' < /dev/shm/db-pw
+ echo -n "@127.0.0.1:${METASTORE_PROXY_PORT}/"
+ ) > "${admin_pgpass}"
+ (
+ echo -n "postgresql://${DB_HIVE_USER}:"
+ perl -pe 'chomp' < /dev/shm/hive-pw
+ echo -n "@127.0.0.1:${METASTORE_PROXY_PORT}/postgres"
+ ) > "${hive_pgpass}"
+ (
+ echo -n "CREATE USER ${DB_HIVE_USER} WITH PASSWORD '"
+ perl -pe 'chomp' < /dev/shm/hive-pw
+ echo -n "';"
+ ) > /dev/shm/create_hive_user.sql
 # Check if metastore is initialized.
- if ! psql "${hive_connection}" -c ''; then
+ if ! hive_psql -c ''; then
 log 'Create DB Hive user...'
- psql "${admin_connection}" -c "CREATE USER ${DB_HIVE_USER} WITH PASSWORD '${DB_HIVE_PASSWORD}';"
+ admin_psql < /dev/shm/create_hive_user.sql
 fi
- if ! psql "${hive_connection}" -c '\c "${METASTORE_DB}" ' ; then
+ if ! hive_psql -c '\c "${METASTORE_DB}" ' ; then
 log 'Create Hive Metastore database...'
- psql "${admin_connection}" -c "CREATE DATABASE ${METASTORE_DB};"
- psql "${hive_connection}" -c '\c "${METASTORE_DB}" '
- psql "${admin_connection}" -c "GRANT ALL PRIVILEGES ON DATABASE ${METASTORE_DB} TO ${DB_HIVE_USER} ;"
+ admin_psql -c "CREATE DATABASE ${METASTORE_DB};"
+ hive_psql -c '\c "${METASTORE_DB}" '
+ admin_psql -c "GRANT ALL PRIVILEGES ON DATABASE ${METASTORE_DB} TO ${DB_HIVE_USER} ;"
 log 'Create Hive Metastore schema...'
- /usr/lib/hive/bin/schematool -dbType postgres -initSchema ||
+ /usr/lib/hive/bin/schematool -dbType postgres -initSchema || {
 err 'Failed to set postgres schema.'
+ rm -f /dev/shm/*_passfile /dev/shm/*.sql
+ }
 fi
- log 'POSTGRES DB initialized for Hive metastore'
+ log 'PostgreSQL DB initialized for Hive metastore'
+ rm -f /dev/shm/*_passfile /dev/shm/*.sql
 }
 function initialize_metastore_db() {
From 25616d3b2962cdd6d06eacb0488339aaafac4c0c Mon Sep 17 00:00:00 2001
From: "C.J. Collier"
Date: Fri, 4 Apr 2025 17:00:18 -0700
Subject: [PATCH 3/5] wrap args in double quotes ; remove set +x nonsense
---
 cloud-sql-proxy/cloud-sql-proxy.sh | 34 ++++++++++++++----------------
 1 file changed, 16 insertions(+), 18 deletions(-)
diff --git a/cloud-sql-proxy/cloud-sql-proxy.sh b/cloud-sql-proxy/cloud-sql-proxy.sh
index ab6c2a41a..85e0d3e0e 100755
--- a/cloud-sql-proxy/cloud-sql-proxy.sh
+++ b/cloud-sql-proxy/cloud-sql-proxy.sh
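Review bot: `admin_psql`/`hive_psql` set `PGPASSFILE` but give `psql` no host, port or user, and the file they point at holds a `postgresql://user:password@127.0.0.1:port/...` URI rather than libpq's `hostname:port:database:username:password` passfile format, so libpq finds no password there and psql tries the default local socket as the OS user; with the files created under the inherited umask libpq would also ignore the passfile (with a warning) because it is group- or world-readable. The `CREATE USER ... WITH PASSWORD '...'` file has the same unescaped-quote concern as the MySQL path. I would write real passfile lines (mode 0600, with `:` and `\` in the password backslash-escaped) and move the connection parameters into the wrappers, as below; `$*` should be `"$@"` for the same reason as in the MySQL wrappers.
```shell
function admin_psql() {
  PGPASSFILE="/dev/shm/admin_passfile" psql -h 127.0.0.1 -p "${METASTORE_PROXY_PORT}" -U "${DB_ADMIN_USER}" "$@"
}

function hive_psql() {
  PGPASSFILE="/dev/shm/hive_passfile" psql -h 127.0.0.1 -p "${METASTORE_PROXY_PORT}" -U "${DB_HIVE_USER}" -d postgres "$@"
}

function initialize_postgres_metastore_db() {
  # … unchanged: log line, admin_pgpass / hive_pgpass locals …
  # libpq passfile format is hostname:port:database:username:password; ':' and '\'
  # inside the password are escaped with '\'. libpq ignores a passfile that is
  # group- or world-readable, so create each file with mode 0600 before filling it.
  install -m 600 /dev/null "${admin_pgpass}"
  (
    printf '127.0.0.1:%s:*:%s:' "${METASTORE_PROXY_PORT}" "${DB_ADMIN_USER}"
    perl -pe 'chomp; s/([\\:])/\\$1/g' < /dev/shm/db-pw
    echo
  ) > "${admin_pgpass}"
  install -m 600 /dev/null "${hive_pgpass}"
  (
    printf '127.0.0.1:%s:*:%s:' "${METASTORE_PROXY_PORT}" "${DB_HIVE_USER}"
    perl -pe 'chomp; s/([\\:])/\\$1/g' < /dev/shm/hive-pw
    echo
  ) > "${hive_pgpass}"
  # … unchanged: create_hive_user.sql and the rest of the function …
```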
@@ -21,9 +21,9 @@
 # Do not use "set -x" to avoid printing passwords in clear in the logs
 set -euo pipefail
-function os_id() ( set +x ; grep '^ID=' /etc/os-release | cut -d= -f2 | xargs ; )
-function os_version() ( set +x ; grep '^VERSION_ID=' /etc/os-release | cut -d= -f2 | xargs ; )
-function os_codename() ( set +x ; grep '^VERSION_CODENAME=' /etc/os-release | cut -d= -f2 | xargs ; )
+function os_id() { grep '^ID=' /etc/os-release | cut -d= -f2 | xargs ; }
+function os_version() { grep '^VERSION_ID=' /etc/os-release | cut -d= -f2 | xargs ; }
+function os_codename(){ grep '^VERSION_CODENAME=' /etc/os-release | cut -d= -f2 | xargs ; }
 function version_ge(){ [[ "$1" = "$(echo -e "$1\n$2"|sort -V|tail -n1)" ]]; }
 function version_gt(){ [[ "$1" = "$2" ]]&& return 1 || version_ge "$1" "$2";}
@@ -41,16 +41,16 @@ if [[ "$(os_id)" == "rocky" ]]; then _os_version=$(os_version | sed -e 's/[^0-9].*$//g')
 else _os_version="$(os_version)"; fi
 for os_id_val in 'rocky' 'ubuntu' 'debian' ; do
- eval "function is_${os_id_val}() ( set +x ; [[ \"$(os_id)\" == '${os_id_val}' ]] ; )"
+ eval "function is_${os_id_val}() { [[ \"$(os_id)\" == '${os_id_val}' ]] ; }"
 for osver in $(echo "${supported_os["${os_id_val}"]}") ; do
- eval "function is_${os_id_val}${osver%%.*}() ( set +x ; is_${os_id_val} && [[ \"${_os_version}\" == \"${osver}\" ]] ; )"
- eval "function ge_${os_id_val}${osver%%.*}() ( set +x ; is_${os_id_val} && version_ge \"${_os_version}\" \"${osver}\" ; )"
- eval "function le_${os_id_val}${osver%%.*}() ( set +x ; is_${os_id_val} && version_le \"${_os_version}\" \"${osver}\" ; )"
+ eval "function is_${os_id_val}${osver%%.*}() { is_${os_id_val} && [[ \"${_os_version}\" == \"${osver}\" ]] ; }"
+ eval "function ge_${os_id_val}${osver%%.*}() { is_${os_id_val} && version_ge \"${_os_version}\" \"${osver}\" ; }"
+ eval "function le_${os_id_val}${osver%%.*}() { is_${os_id_val} && version_le \"${_os_version}\" \"${osver}\" ; }"
 done
 done
-function is_debuntu() ( set +x ; is_debian || is_ubuntu ; )
+function is_debuntu() { is_debian || is_ubuntu ; }
 function print_metadata_value() {
 local readonly tmpfile=$(mktemp)
@@ -73,8 +73,7 @@ function print_metadata_value_if_exists() {
 return ${return_code}
 }
-function get_metadata_value() (
- set +x
+function get_metadata_value() {
 local readonly varname=$1
 local -r MDS_PREFIX=http://metadata.google.internal/computeMetadata/v1
 # Print the instance metadata value.
@@ -87,14 +86,13 @@ function get_metadata_value() (
 fi
 return ${return_code}
-)
+}
-function get_metadata_attribute() (
- set +x
+function get_metadata_attribute() {
 local -r attribute_name="$1"
 local -r default_value="${2:-}"
 get_metadata_value "attributes/${attribute_name}" || echo -n "${default_value}"
-)
+}
 # Detect dataproc image version from its various names
 if (! test -v DATAPROC_IMAGE_VERSION) && test -v DATAPROC_VERSION; then
@@ -466,13 +464,13 @@ EOF
 function admin_mysql() {
 local admin_defaults_file="/dev/shm/admin-db.cnf"
 local db_password_param="--defaults-file=${admin_defaults_file}"
- mysql "${db_password_param}" $*
+ mysql "${db_password_param}" "$*"
 }
 function hive_mysql() {
 local hive_defaults_file="/dev/shm/hive-db.cnf"
 local db_hive_password_param="--defaults-file=${hive_defaults_file}"
- mysql "${db_hive_password_param}" $*
+ mysql "${db_hive_password_param}" "$*"
 }
 function initialize_mysql_metastore_db() {
@@ -524,11 +522,11 @@ function exit_handler() {
 trap exit_handler EXIT
 function admin_psql() {
- PGPASSFILE="/dev/shm/admin_passfile" psql $*
+ PGPASSFILE="/dev/shm/admin_passfile" psql "$*"
 }
 function hive_psql() {
- PGPASSFILE="/dev/shm/hive_passfile" psql $*
+ PGPASSFILE="/dev/shm/hive_passfile" psql "$*"
 }
 function initialize_postgres_metastore_db() {
From 938c15c021c56702a651961b4e6ea530d7e9f7f3 Mon Sep 17 00:00:00 2001
From: "C.J. Collier"
Date: Fri, 4 Apr 2025 17:04:28 -0700
Subject: [PATCH 4/5] no need for such a large instance for this test
---
 cloud-sql-proxy/test_cloud_sql_proxy.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cloud-sql-proxy/test_cloud_sql_proxy.py b/cloud-sql-proxy/test_cloud_sql_proxy.py
index b7c79994a..65797216b 100644
--- a/cloud-sql-proxy/test_cloud_sql_proxy.py
+++ b/cloud-sql-proxy/test_cloud_sql_proxy.py
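Review bot: `"$*"` in `admin_mysql`/`hive_mysql` joins every argument into one word, so `admin_mysql -e "CREATE DATABASE ..."` hands mysql a single argument `-e CREATE DATABASE ...` and `admin_mysql < file` with no arguments passes one empty-string positional, which the client may treat as a database name; `"$@"` is the form that forwards the arguments unchanged: `mysql "${db_password_param}" "$@"` and `mysql "${db_hive_password_param}" "$@"`. The same applies to the `psql "$*"` lines in `admin_psql`/`hive_psql` in the last hunk of this patch.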
@@ -67,7 +67,7 @@ def test_cloud_sql_proxy(self, configuration):
 self.createCluster(
 configuration,
 self.INIT_ACTIONS,
- machine_type="n1-standard-8",
+ machine_type="n1-standard-2",
 metadata=metadata,
 scopes='sql-admin')
From 504ed5859fbb4199955d36c54e78d699dbe2d3e1 Mon Sep 17 00:00:00 2001
From: "C.J. Collier"
Date: Mon, 7 Apr 2025 10:59:32 -0700
Subject: [PATCH 5/5] using argument to specify output file instead of redirect ; clean up chomp code
---
 cloud-sql-proxy/cloud-sql-proxy.sh | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/cloud-sql-proxy/cloud-sql-proxy.sh b/cloud-sql-proxy/cloud-sql-proxy.sh
index 85e0d3e0e..af34ac25b 100755
--- a/cloud-sql-proxy/cloud-sql-proxy.sh
+++ b/cloud-sql-proxy/cloud-sql-proxy.sh
@@ -240,7 +240,8 @@ readonly DB_ADMIN_PASSWORD_URI
 if [[ -n "${DB_ADMIN_SECRET}" ]] ; then
 gcloud secrets versions access "${DB_ADMIN_SECRET#*:}" \
 --project="${METASTORE_INSTANCE%%:*}" \
- --secret="${DB_ADMIN_SECRET%:*}" > /dev/shm/db-pw
+ --secret="${DB_ADMIN_SECRET%:*}" \
+ --out-file=/dev/shm/db-pw
 elif [[ -n "${DB_ADMIN_PASSWORD_URI}" ]]; then
 # Decrypt password
 gsutil cat "${DB_ADMIN_PASSWORD_URI}" |
@@ -251,7 +252,9 @@ elif [[ -n "${DB_ADMIN_PASSWORD_URI}" ]]; then
 else
 touch /dev/shm/db-pw
 fi
-if [[ "${CLOUDSQL_INSTANCE_TYPE}" == "POSTGRES" ]] && [[ "$(perl -pe 'chomp' < /dev/shm/db-pw | wc -c)" != "0" ]]; then
+if [[ "${CLOUDSQL_INSTANCE_TYPE}" == "POSTGRES" ]] &&
+ [[ "$(perl -e 'chomp($l=); print length $l;' < /dev/shm/db-pw)" == "0" ]]
+then
 log 'POSTGRES DB admin password is not set'
 fi
@@ -261,7 +264,8 @@ readonly DB_HIVE_PASSWORD_URI
 if [[ -n "${DB_HIVE_SECRET}" ]] ; then
 gcloud secrets versions access "${DB_HIVE_SECRET#*:}" \
 --project="${METASTORE_INSTANCE%%:*}" \
- --secret="${DB_HIVE_SECRET%:*}" > /dev/shm/hive-pw
+ --secret="${DB_HIVE_SECRET%:*}" \
+ --out-file=/dev/shm/hive-pw
 elif [[ -n "${DB_HIVE_PASSWORD_URI}" ]]; then
 # Decrypt password
 gsutil cat "${DB_HIVE_PASSWORD_URI}" |
@@ -275,7 +279,7 @@ else
 --name "javax.jdo.option.ConnectionPassword" 2>/dev/null > /dev/shm/hive-pw
 fi
-if perl -e '$l=; chomp $l; exit( $l eq "None" ? 0 : 1 )' < /dev/shm/hive-pw; then
+if perl -e 'chomp($l=); exit( $l eq "None" ? 0 : 1 )' < /dev/shm/hive-pw; then
 echo "hive-password" > /dev/shm/hive-pw
 fi