This is an automated email from the ASF dual-hosted git repository.
chengpan pushed a commit to branch branch-1.9
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/branch-1.9 by this push:
new caa5f72b1e [KYUUBI #7008] Backport HIVE-27817: Disable ssl hostname
verification for 127.0.0.1
caa5f72b1e is described below
commit caa5f72b1edb12fac4a2d5347563de8466082e2e
Author: Wang, Fei <[email protected]>
AuthorDate: Tue Apr 1 13:47:55 2025 +0800
[KYUUBI #7008] Backport HIVE-27817: Disable ssl hostname verification for
127.0.0.1
### Why are the changes needed?
Backport https://github.com/apache/hive/pull/4823
We need to set up a production tunnel because we can't connect to the production
environment directly:
```
ssh -fN -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -L 127.0.0.1:10001:hiveserver2.prod.company.com:10001 bastion.company.com
JDBC url: jdbc:hive2://127.0.0.1:10001/default;ssl=true
```
But it will throw an exception after
[HIVE-15025](https://issues.apache.org/jira/browse/HIVE-15025):
```
Exception in thread "main" java.sql.SQLException: Could not open client transport with JDBC Uri: jdbc:hive2://localhost:10001/default;ssl=true: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
    at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:224)
    at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:107)
    at java.sql.DriverManager.getConnection(DriverManager.java:664)
    at java.sql.DriverManager.getConnection(DriverManager.java:247)
    at org.apache.spark.sql.TestJDBC$.main(TestJDBC.scala:47)
    at org.apache.spark.sql.TestJDBC.main(TestJDBC.scala)
Caused by: org.apache.hive.org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
    at org.apache.hive.org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:161)
    at org.apache.hive.org.apache.thrift.transport.TSaslTransport.sendSaslMessage(TSaslTransport.java:166)
    at org.apache.hive.org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:100)
    at org.apache.hive.org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
    at org.apache.hive.org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
    at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:311)
    at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:196)
    ... 5 more
```
This PR disables ssl hostname verification for 127.0.0.1 to work around this
issue.
### How was this patch tested?
Manual test.
### Was this patch authored or co-authored using generative AI tooling?
No.
Closes #7008 from turboFei/ssl.
Closes #7008
6ae1b7b82 [Wang, Fei] Backport HIVE-27817: Disable ssl hostname
verification for 127.0.0.1
Authored-by: Wang, Fei <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
(cherry picked from commit 2fdf4405628e114f0d05d91015f3323a97ead4f9)
Signed-off-by: Cheng Pan <[email protected]>
---
.../src/main/java/org/apache/kyuubi/jdbc/hive/auth/ThriftUtils.java | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git
a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/ThriftUtils.java
b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/ThriftUtils.java
index 331b871e08..8e853ad037 100644
---
a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/ThriftUtils.java
+++
b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/ThriftUtils.java
@@ -116,7 +116,11 @@ public class ThriftUtils {
throws TTransportException {
SSLSocket sslSocket = (SSLSocket) tSSLSocket.getSocket();
SSLParameters sslParams = sslSocket.getSSLParameters();
- sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+ if (sslSocket.getLocalAddress().getHostAddress().equals("127.0.0.1")) {
+ sslParams.setEndpointIdentificationAlgorithm(null);
+ } else {
+ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+ }
sslSocket.setSSLParameters(sslParams);
TSocket tSocket = new TSocket(sslSocket);
return configureThriftMaxMessageSize(tSocket, maxMessageSize);
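Review bot: The new condition tests `sslSocket.getLocalAddress()`, which is the client's own end of the socket, while the commit message describes the case where the address being connected to is 127.0.0.1; `sslSocket.getInetAddress()` is the peer address and states that intent directly. Comparing the string against "127.0.0.1" also misses the rest of the loopback range and IPv6 `::1`, so `getInetAddress().isLoopbackAddress()` would be a more complete test. Since `setEndpointIdentificationAlgorithm(null)` turns off certificate name matching entirely on this branch, any local listener presenting a certificate that chains to the configured trust store will be accepted, whatever name it carries. A code comment explaining why loopback is exempt (the SSH tunnel case from the commit message) is missing, and it would be safer to make the exemption opt-in through a connection property rather than implicit.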