Posted to commits@hive.apache.org by ab...@apache.org on 2022/11/14 10:16:58 UTC

[hive] branch master updated: HIVE-26723: JDBC - Configurable canonical name checking for Kerberos. (#3749) (Janos Schmidt reviewed by Laszlo Bodor)

This is an automated email from the ASF dual-hosted git repository.

abstractdog pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new f7d4297ecfe HIVE-26723: JDBC - Configurable canonical name checking for Kerberos. (#3749) (Janos Schmidt reviewed by Laszlo Bodor)
f7d4297ecfe is described below

commit f7d4297ecfe59b9f14146920877fb2c29e0ceaae
Author: schjan79 <15...@users.noreply.github.com>
AuthorDate: Mon Nov 14 11:16:44 2022 +0100

    HIVE-26723: JDBC - Configurable canonical name checking for Kerberos. (#3749) (Janos Schmidt reviewed by Laszlo Bodor)
    
    Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to an SSLHandshakeException when trying to connect by alias name via Kerberos. To solve this issue, a new connection property is introduced for the Kerberos use case so that the canonical host name check can be disabled: 'enableCanonicalHostnameCheck', with default value `true`.
    
    When the property is not given in the connection string (or its value is true), the original behaviour is applied, i.e. the canonical host name is checked.
---
 jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java | 14 ++++++++++++--
 jdbc/src/java/org/apache/hive/jdbc/Utils.java          |  1 +
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
index c91416a02b7..fc7542754eb 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
@@ -65,6 +65,7 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Optional;
 import java.util.Properties;
 import java.util.concurrent.Executor;
 import java.util.concurrent.locks.ReentrantLock;
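Review bot: The added `import java.util.Optional;` appears to be unused. The diffstat's 12 insertions for this file are all visible in the hunks, and none of the added lines references `Optional`. Unless another change in the same series needs it, I would drop the import so the security-relevant change stays minimal and the file does not pick up an unused-import warning.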
@@ -306,7 +307,11 @@ public class HiveConnection implements java.sql.Connection {
     sessConfMap = connParams.getSessionVars();
     setupLoginTimeout();
     if (isKerberosAuthMode()) {
-      host = Utils.getCanonicalHostName(connParams.getHost());
+      if (isEnableCanonicalHostnameCheck()) {
+        host = Utils.getCanonicalHostName(connParams.getHost());
+      } else {
+        host = connParams.getHost();
+      }
     } else if (isBrowserAuthMode() && !isHttpTransportMode()) {
       throw new SQLException("Browser auth mode is only applicable in http mode");
     } else {
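Review bot: When `isEnableCanonicalHostnameCheck()` returns false, the Kerberos branch takes `connParams.getHost()` verbatim and nothing records that canonicalization was skipped. The retry path in the hunk at `@@ -400,7 +405,7 @@` has the same gap. Where `host` is consumed is outside these hunks, but the commit message ties it to host-name validation, so a connection made with the relaxed setting should be distinguishable in client logs. I would add to the new else branch a line such as `LOG.info("Kerberos canonical host name resolution disabled, using host as given: {}", connParams.getHost());` (assuming the class logger is `LOG`), and above it the comment `// Opt-out: host is used exactly as written in the JDBC URL, no DNS canonicalization.` The enclosing constructor body starts and ends outside the hunk.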
@@ -400,7 +405,7 @@ public class HiveConnection implements java.sql.Connection {
             }
             // Update with new values
             jdbcUriString = connParams.getJdbcUriString();
-            if (isKerberosAuthMode()) {
+            if (isKerberosAuthMode() && isEnableCanonicalHostnameCheck()) {
               host = Utils.getCanonicalHostName(connParams.getHost());
             } else {
               host = connParams.getHost();
@@ -1324,6 +1329,11 @@ public class HiveConnection implements java.sql.Connection {
         && sessConfMap.containsKey(JdbcConnectionParams.AUTH_PRINCIPAL);
   }
 
+  private boolean isEnableCanonicalHostnameCheck() {
+    return Boolean.parseBoolean(
+        sessConfMap.getOrDefault(JdbcConnectionParams.AUTH_KERBEROS_ENABLE_CANONICAL_HOSTNAME_CHECK, "true"));
+  }
+
   private boolean isBrowserAuthMode() {
     return JdbcConnectionParams.AUTH_SSO_BROWSER_MODE
         .equals(sessConfMap.get(JdbcConnectionParams.AUTH_TYPE));
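Review bot: `isEnableCanonicalHostnameCheck()` fails open, because `Boolean.parseBoolean` returns false for every value other than a case-insensitive "true". A typo or a value such as `yes`, `1` or an empty string in the connection string therefore silently disables the check. A key present with a null value would behave the same way, since `getOrDefault` only substitutes the default for a missing key. For a setting that relaxes host validation I would disable it only on an explicit "false", for example `return !"false".equalsIgnoreCase(sessConfMap.get(JdbcConnectionParams.AUTH_KERBEROS_ENABLE_CANONICAL_HOSTNAME_CHECK));`. A short Javadoc stating that the default is enabled and that only `false` turns it off would also help.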
diff --git a/jdbc/src/java/org/apache/hive/jdbc/Utils.java b/jdbc/src/java/org/apache/hive/jdbc/Utils.java
index a855d4e2a5d..765f9bde725 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/Utils.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/Utils.java
@@ -99,6 +99,7 @@ public class Utils {
     public static final String AUTH_PASSWD = "password";
     public static final String AUTH_KERBEROS_AUTH_TYPE = "kerberosAuthType";
     public static final String AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT = "fromSubject";
+    public static final String AUTH_KERBEROS_ENABLE_CANONICAL_HOSTNAME_CHECK = "kerberosEnableCanonicalHostnameCheck";
     public static final String AUTH_TYPE_JWT = "jwt";
     public static final String AUTH_TYPE_JWT_KEY = "jwt";
     public static final String AUTH_JWT_ENV = "JWT";
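Review bot: The new constant's value is `kerberosEnableCanonicalHostnameCheck`, but the commit description names the property `enableCanonicalHostnameCheck`. Someone following the description would set a key the driver never reads, and the default would stay in force. The constant also has no comment, unlike a setting of this weight deserves. I would add above it `// Kerberos only: set to "false" to use the host from the JDBC URL without canonical name resolution (default: true).` and align the user-facing documentation with the actual key.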