pan3793 commented on code in PR #4649:
URL: https://github.com/apache/kyuubi/pull/4649#discussion_r1155427574
##########
docs/client/jdbc/kyuubi_jdbc.rst:
##########
@@ -127,34 +123,101 @@ accessing. The following is the format of the connection
URL for the Kyuubi Hive
- Properties are case-sensitive
- Do not duplicate properties in the connection URL
-Connection URL over Http
+Connection URL over HTTP
************************
.. versionadded:: 1.6.0
-.. code-block:: jdbc
+.. code-block::
-
jdbc:subprotocol://host:port/schema;transportMode=http;httpPath=<http_endpoint>
+ jdbc:kyuubi://host:port/schema;transportMode=http;httpPath=<http_endpoint>
- http_endpoint is the corresponding HTTP endpoint configured by
`kyuubi.frontend.thrift.http.path` at the server side.
Connection URL over Service Discovery
*************************************
-.. code-block:: jdbc
+.. code-block::
+
+ jdbc:kyuubi://<zookeeper
quorum>/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=kyuubi
+
+- zookeeper quorum is the corresponding zookeeper cluster configured by
`kyuubi.ha.addresses` at the server side.
+- zooKeeperNamespace is the corresponding namespace configured by
`kyuubi.ha.namespace` at the server side.
+
+Kerberos Authentication
+-----------------------
+
+.. versionadded:: 1.6.0
+
+Kyuubi JDBC driver implements the Kerberos authentication based on JAAS
framework instead of `Hadoop UserGroupInformation`_,
+which means it does not forcibly rely on Hadoop dependencies to connect a
Kerberized Kyuubi Server.
+
+Kyuubi JDBC driver supports different approaches to connect a Kerberized
Kyuubi Server. First of all, please follow
+the `krb5.conf instruction`_ to setup ``krb5.conf`` properly.
+
+Authentication by principal and keytab
+**************************************
+
+.. tip::
+
+ It's the simplest way w/ minimal setup requirements for Kerberos
authentication.
+
+It's straightforward to use principal and keytab for Kerberos authentication,
just simply configure them in the JDBC URL.
+
+.. code-block::
- jdbc:subprotocol://<zookeeper
quorum>/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=kyuubi
+
jdbc:kyuubi://host:port/schema;clientKeytab=<clientKeytab>;clientPrincipal=<clientPrincipal>;serverPrincipal=<serverPrincipal>
-- zookeeper quorum is the corresponding zookeeper cluster configured by
`kyuubi.ha.zookeeper.quorum` at the server side.
-- zooKeeperNamespace is the corresponding namespace configured by
`kyuubi.ha.zookeeper.namespace` at the server side.
+- clientKeytab: path of Kerberos ``keytab`` file for client authentication
+- clientPrincipal: Kerberos ``principal`` for client authentication
+- serverPrincipal: Kerberos ``principal`` configured by
`kyuubi.kinit.principal` at the server side.
-Authentication
---------------
+Authentication by `Hadoop UserGroupInformation`_ ``doAs`` (programing only)
+***************************************************************************
+
+.. versionadded:: 1.7.1
+
+.. tip::
+
+ This approach allows project which already uses `Hadoop
UserGroupInformation`_ for Kerberos authentication to easily
+ connect the Kerberized Kyuubi Server.
+
+.. code-block::
+
+ String jdbcUrl =
"jdbc:kyuubi://host:port/schema;serverPrincipal=<serverPrincipal>"
+ UserGroupInformation ugi =
UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab);
+ ugi.doAs((PrivilegedExceptionAction<String>) () -> {
+ Connection conn = DriverManager.getConnection(jdbcUrl);
+ ...
+ });
+
+Authentication by principal and TGT cache
Review Comment:
done
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
