This is an automated email from the ASF dual-hosted git repository.
yiguolei pushed a commit to branch branch-4.0
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-4.0 by this push:
new 3c419a9ae98 branch-4.0: [chore](paimon) Move shared Kerberos
authentication logic… (#61210)
3c419a9ae98 is described below
commit 3c419a9ae989c860a88e1da84a6d3a3b5a938b3a
Author: Calvin Kirs <[email protected]>
AuthorDate: Thu Mar 12 09:46:04 2026 +0800
branch-4.0: [chore](paimon) Move shared Kerberos authentication logic…
(#61210)
… for HMS into the Paimon TVF code path.
### What problem does this PR solve?
Issue Number: close #xxx
Related PR: #xxx
Problem Summary:
### Release note
None
### Check List (For Author)
- Test <!-- At least one of them must be included. -->
- [ ] Regression test
- [ ] Unit Test
- [ ] Manual test (add detailed scripts or steps below)
- [ ] No need to test or manual test. Explain why:
- [ ] This is a refactor/code format and no logic has been changed.
- [ ] Previous test can cover this change.
- [ ] No code files have been changed.
- [ ] Other reason <!-- Add your reason? -->
- Behavior changed:
- [ ] No.
- [ ] Yes. <!-- Explain the behavior change -->
- Does this need documentation?
- [ ] No.
- [ ] Yes. <!-- Add document PR link here. eg:
https://github.com/apache/doris-website/pull/1214 -->
### Check List (For Reviewer who merge this PR)
- [ ] Confirm the release note
- [ ] Confirm test cases
- [ ] Confirm document
- [ ] Add branch pick label <!-- Add branch pick label that this PR
should merge into -->
---
.../apache/doris/datasource/CatalogProperty.java | 23 -----------------
.../tablefunction/PaimonTableValuedFunction.java | 29 ++++++++++++++++++++++
2 files changed, 29 insertions(+), 23 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/datasource/CatalogProperty.java
b/fe/fe-core/src/main/java/org/apache/doris/datasource/CatalogProperty.java
index dd5e8d641f1..0f118251197 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/datasource/CatalogProperty.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/datasource/CatalogProperty.java
@@ -18,7 +18,6 @@
package org.apache.doris.datasource;
import org.apache.doris.common.UserException;
-import org.apache.doris.common.security.authentication.AuthenticationConfig;
import org.apache.doris.datasource.property.metastore.MetastoreProperties;
import org.apache.doris.datasource.property.storage.StorageProperties;
@@ -26,10 +25,8 @@ import com.aliyun.odps.table.utils.Preconditions;
import com.google.common.collect.Maps;
import com.google.gson.annotations.SerializedName;
import org.apache.commons.collections4.MapUtils;
-import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
@@ -290,26 +287,6 @@ public class CatalogProperty {
});
}
}
- // Temporary compatibility: if the catalog uses HMS
kerberos auth, expose it as canonical
- // hadoop.* kerberos properties so sys table JNI scanners
can reuse the same identity.
- String hiveMetastoreAuthenticationType =
properties.get("hive.metastore.authentication.type");
- String hiveMetastoreClientPrincipal =
properties.get("hive.metastore.client.principal");
- String hiveMetastoreClientKeytab =
properties.get("hive.metastore.client.keytab");
- if
("kerberos".equalsIgnoreCase(hiveMetastoreAuthenticationType)
- &&
StringUtils.isNotBlank(hiveMetastoreClientPrincipal)
- &&
StringUtils.isNotBlank(hiveMetastoreClientKeytab)) {
-
hadoopProperties.put(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
- "kerberos");
-
hadoopProperties.put(AuthenticationConfig.HADOOP_KERBEROS_PRINCIPAL,
- hiveMetastoreClientPrincipal);
-
hadoopProperties.put(AuthenticationConfig.HADOOP_KERBEROS_KEYTAB,
- hiveMetastoreClientKeytab);
- if (StringUtils.isNotBlank(
-
properties.get(AuthenticationConfig.HADOOP_SECURITY_AUTH_TO_LOCAL))) {
-
hadoopProperties.put(AuthenticationConfig.HADOOP_SECURITY_AUTH_TO_LOCAL,
-
properties.get(AuthenticationConfig.HADOOP_SECURITY_AUTH_TO_LOCAL));
- }
- }
}
}
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/PaimonTableValuedFunction.java
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/PaimonTableValuedFunction.java
index 9b618eef529..525593cbd75 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/PaimonTableValuedFunction.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/PaimonTableValuedFunction.java
@@ -23,6 +23,7 @@ import org.apache.doris.catalog.Env;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
+import org.apache.doris.common.security.authentication.AuthenticationConfig;
import org.apache.doris.common.security.authentication.ExecutionAuthenticator;
import org.apache.doris.datasource.CatalogIf;
import org.apache.doris.datasource.ExternalDatabase;
@@ -37,7 +38,9 @@ import org.apache.doris.thrift.TMetadataType;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Maps;
+import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.paimon.table.Table;
import org.apache.paimon.table.source.Split;
@@ -80,6 +83,7 @@ public class PaimonTableValuedFunction extends
MetadataTableValuedFunction {
PaimonExternalCatalog paimonExternalCatalog = (PaimonExternalCatalog)
dorisCatalog;
this.hadoopProps =
paimonExternalCatalog.getCatalogProperty().getHadoopProperties();
+ appendHMSKerberosProps(hadoopProps, paimonExternalCatalog);
this.hadoopAuthenticator =
paimonExternalCatalog.getExecutionAuthenticator();
ExternalDatabase<? extends ExternalTable> database =
paimonExternalCatalog.getDb(paimonTableName.getDb())
@@ -100,6 +104,31 @@ public class PaimonTableValuedFunction extends
MetadataTableValuedFunction {
paimonExternalCatalog.getEnableMappingTimestampTz());
}
+ private void appendHMSKerberosProps(Map<String, String> hadoopProperties,
+ PaimonExternalCatalog
paimonExternalCatalog) {
+ // Temporary compatibility: if the catalog uses HMS kerberos auth,
expose it as canonical
+ // hadoop.* kerberos properties so sys table JNI scanners can reuse
the same identity.
+ Map<String, String> properties =
paimonExternalCatalog.getCatalogProperty().getProperties();
+ String hiveMetastoreAuthenticationType =
properties.get("hive.metastore.authentication.type");
+ String hiveMetastoreClientPrincipal =
properties.get("hive.metastore.client.principal");
+ String hiveMetastoreClientKeytab =
properties.get("hive.metastore.client.keytab");
+ if ("kerberos".equalsIgnoreCase(hiveMetastoreAuthenticationType)
+ && StringUtils.isNotBlank(hiveMetastoreClientPrincipal)
+ && StringUtils.isNotBlank(hiveMetastoreClientKeytab)) {
+
hadoopProperties.put(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
+ "kerberos");
+
hadoopProperties.put(AuthenticationConfig.HADOOP_KERBEROS_PRINCIPAL,
+ hiveMetastoreClientPrincipal);
+ hadoopProperties.put(AuthenticationConfig.HADOOP_KERBEROS_KEYTAB,
+ hiveMetastoreClientKeytab);
+ if (StringUtils.isNotBlank(
+
properties.get(AuthenticationConfig.HADOOP_SECURITY_AUTH_TO_LOCAL))) {
+
hadoopProperties.put(AuthenticationConfig.HADOOP_SECURITY_AUTH_TO_LOCAL,
+
properties.get(AuthenticationConfig.HADOOP_SECURITY_AUTH_TO_LOCAL));
+ }
+ }
+ }
+
public static PaimonTableValuedFunction create(Map<String, String> params)
throws AnalysisException {
Map<String, String> validParams = Maps.newHashMap();
for (String key : params.keySet()) {
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
