This is an automated email from the ASF dual-hosted git repository.
chengpan pushed a commit to branch branch-1.10
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/branch-1.10 by this push:
new b9a75402bc [KYUUBI #7009] Backport HIVE-26723: Configurable canonical name checking.
b9a75402bc is described below
commit b9a75402bc8251f6fba4a95f128d0a8b70829a87
Author: Wang, Fei <[email protected]>
AuthorDate: Tue Apr 1 13:51:16 2025 +0800
[KYUUBI #7009] Backport HIVE-26723: Configurable canonical name checking.
### Why are the changes needed?
Backport https://github.com/apache/hive/pull/3749
It is not possible to create an SSL connection with Kerberos authentication
when the server certificate is not issued to the canonical host name but to an
alternative domain name.
See details about the exception and steps for reproducing in the
[HIVE-26723](https://issues.apache.org/jira/browse/HIVE-26723)
Hive JDBC client validates the host name by its canonical name by default.
This behaviour leads to SSLHandshakeException when trying to connect using an
alias name with Kerberos authentication. To solve this issue a new connection
property is introduced to be able to disable the canonical host name check:
enableCanonicalHostnameCheck, having default value true.
When the property is not given in the connection string (or its value is true)
then the original behaviour is applied, i.e. checking the canonical host name.
### How was this patch tested?
There are no new unit tests because the fix is in the HiveConnection
constructor, which contains a lot of logic inside and also builds new SSL
connections.
IMO it would have been far too much effort to mock the whole environment
for creating unit tests against this tiny change. :(
There wasn't any already existing test against HiveConnection that could be
extended with this new feature/bugfix. It is misleading that there is a class
named TestHiveConnection but there are no tests that test the
class HiveConnection itself.
BTW, it was tested manually: after this fix, when the steps in the JIRA are
executed again using the new JARs, the SSL connection is created
successfully, and I was able to execute queries.
### Does this PR introduce any user-facing change?
A new JDBC connection URL property has been introduced:
enableCanonicalHostnameCheck to be able to turn off the canonical host name
checking. Its default value is true so if it is not set the canonical host name
is checked when building up the SSL connection.
To turn off the canonical host name checking just add this property to the
connection string, i.e.:
```
./beeline -u \
"jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com;enableCanonicalHostnameCheck=false;"
```
### Was this patch authored or co-authored using generative AI tooling?
No.
Closes #7009 from turboFei/kerberos_can.
Closes #7009
40cd48814 [Wang, Fei] Backport HIVE-26723: Configurable canonical name checking.
Authored-by: Wang, Fei <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
(cherry picked from commit 1937dd93f9488cd209df96c603472134c3fab22d)
Signed-off-by: Cheng Pan <[email protected]>
---
.../org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java | 2 ++
.../java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java | 14 ++++++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git
a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java
b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java
index 0db99da710..6d34c649b0 100644
---
a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java
+++
b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java
@@ -55,6 +55,8 @@ public class JdbcConnectionParams {
public static final String AUTH_KERBEROS_AUTH_TYPE_FROM_KEYTAB =
"fromKeytab";
public static final String AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT =
"fromSubject";
public static final String AUTH_KERBEROS_AUTH_TYPE_FROM_TICKET_CACHE =
"fromTicketCache";
+ public static final String AUTH_KERBEROS_ENABLE_CANONICAL_HOSTNAME_CHECK =
+ "kerberosEnableCanonicalHostnameCheck";
public static final String AUTH_TYPE_JWT = "jwt";
public static final String AUTH_TYPE_JWT_KEY = "jwt";
public static final String AUTH_JWT_ENV = "JWT";
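Review bot: the string value of the new constant, `"kerberosEnableCanonicalHostnameCheck"`, does not match the property name `enableCanonicalHostnameCheck` that the commit message documents and uses in its beeline example, so a user who follows the message will set a key this client never reads and the canonical check stays on. Either make the value match the upstream Hive name or update the message and the JDBC docs to the Kyuubi-specific key, and add a short Javadoc line on the constant saying that it only takes effect in Kerberos auth mode and defaults to `true`.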
diff --git
a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
index 8d8922ee7f..dc2b7afee3 100644
---
a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
+++
b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
@@ -146,7 +146,11 @@ public class KyuubiConnection implements SQLConnection,
KyuubiLoggable {
// hive_conf_list -> hiveConfMap
// hive_var_list -> hiveVarMap
if (isKerberosAuthMode()) {
- host = Utils.getCanonicalHostName(connParams.getHost());
+ if (isEnableCanonicalHostnameCheck()) {
+ host = Utils.getCanonicalHostName(connParams.getHost());
+ } else {
+ host = connParams.getHost();
+ }
} else {
host = connParams.getHost();
}
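Review bot: the inner `else { host = connParams.getHost(); }` added here duplicates the outer `else` branch two lines below; folding the flag into the condition, `if (isKerberosAuthMode() && isEnableCanonicalHostnameCheck())`, as the second hunk in this patch already does, keeps both call sites identical. Because turning the flag off changes which name `host` takes in Kerberos mode, a debug-level log line when the canonical lookup is skipped would make a connection that was established against an alias traceable from the client side.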
@@ -213,7 +217,7 @@ public class KyuubiConnection implements SQLConnection,
KyuubiLoggable {
}
// Update with new values
jdbcUriString = connParams.getJdbcUriString();
- if (isKerberosAuthMode()) {
+ if (isKerberosAuthMode() && isEnableCanonicalHostnameCheck()) {
host = Utils.getCanonicalHostName(connParams.getHost());
} else {
host = connParams.getHost();
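Review bot: this site now re-implements the same resolution rule as the constructor site above, so the flag can be honoured at one and silently forgotten at the other in a later change; extract a small private helper (for example `resolveHost(connParams)`) that encapsulates `isKerberosAuthMode() && isEnableCanonicalHostnameCheck()` and have both places call it.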
@@ -1003,6 +1007,12 @@ public class KyuubiConnection implements SQLConnection,
KyuubiLoggable {
return isSaslAuthMode() && hasSessionValue(AUTH_PRINCIPAL);
}
+ private boolean isEnableCanonicalHostnameCheck() {
+ return Boolean.parseBoolean(
+ sessConfMap.getOrDefault(
+
JdbcConnectionParams.AUTH_KERBEROS_ENABLE_CANONICAL_HOSTNAME_CHECK, "true"));
+ }
+
private Subject createSubject() {
if (isKeytabAuthMode()) {
String principal = sessConfMap.get(AUTH_KYUUBI_CLIENT_PRINCIPAL);
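Review bot: `Boolean.parseBoolean` returns `false` for any string other than a case-insensitive `"true"`, so a typo such as `kerberosEnableCanonicalHostnameCheck=ture` or a value like `yes` silently disables the canonical host name check, which is the fail-open direction for a knob whose purpose is to relax a host check on a TLS + Kerberos connection. Parse strictly instead: accept only `true` and `false`, and for anything else either throw an `SQLException` from the connection setup or log a warning and keep the default of `true`. Reading the value through `sessConfMap.getOrDefault` also means the key is consumed as a session variable from the JDBC URL; that, and the default, belong in the constant's Javadoc.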