Posted to commits@kyuubi.apache.org by ch...@apache.org on 2022/08/26 01:51:30 UTC

[incubator-kyuubi] branch branch-1.6 updated: [KYUUBI #3023][FOLLOWUP] Kyuubi Hive JDBC: Replace UGI-based Kerberos authentication w/ JAAS

This is an automated email from the ASF dual-hosted git repository.

chengpan pushed a commit to branch branch-1.6
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git


The following commit(s) were added to refs/heads/branch-1.6 by this push:
     new 99753deae [KYUUBI #3023][FOLLOWUP] Kyuubi Hive JDBC: Replace UGI-based Kerberos authentication w/ JAAS
99753deae is described below

commit 99753deae982a85bf4fd6b0c85fd0adb93142c3f
Author: sychen <sy...@ctrip.com>
AuthorDate: Fri Aug 26 09:51:07 2022 +0800

    [KYUUBI #3023][FOLLOWUP] Kyuubi Hive JDBC: Replace UGI-based Kerberos authentication w/ JAAS
    
    ### _Why are the changes needed?_
    1. `principal` supports `X/_HOST@EXAMPLE.COM`
    2. `kyuubiClientPrincipal` supports headless keytab, `X@EXAMPLE.COM`
    
    https://github.com/apache/incubator-kyuubi/pull/3023
    
    ### _How was this patch tested?_
    - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
    
    - [ ] Add screenshots for manual tests if appropriate
    
    - [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
    
    Closes #3346 from cxzl25/3023_followup.
    
    Closes #3023
    
    15309298 [sychen] support principal _HOST and kyuubiClientPrincipal headless keytab
    
    Authored-by: sychen <sy...@ctrip.com>
    Signed-off-by: Cheng Pan <ch...@apache.org>
    (cherry picked from commit 2b122ac71fa3a416ad2473d17cab20352e34b274)
    Signed-off-by: Cheng Pan <ch...@apache.org>
---
 .../main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java  | 2 +-
 .../org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.java | 2 +-
 .../org/apache/kyuubi/jdbc/hive/auth/KerberosSaslHelper.java     | 4 +++-
 .../java/org/apache/kyuubi/jdbc/hive/auth/KerberosUtils.java     | 9 +++++++++
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
index d9a6b1d74..b87bbd04d 100644
--- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
+++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
@@ -630,7 +630,7 @@ public class KyuubiConnection implements SQLConnection, KyuubiLoggable {
       Subject subject = createSubject();
       String serverPrincipal = sessConfMap.get(AUTH_PRINCIPAL);
       return KerberosSaslHelper.createSubjectAssumedTransport(
-          subject, serverPrincipal, socketTransport, saslProps);
+          subject, serverPrincipal, host, socketTransport, saslProps);
     } catch (Exception e) {
       throw new KyuubiSQLException(
           "Could not create secure connection to " + jdbcUriString + ": " + e.getMessage(),
diff --git a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.java b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.java
index 284b72598..a7683523f 100644
--- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.java
+++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.java
@@ -89,7 +89,7 @@ public class KerberosAuthentication {
   private static KerberosPrincipal createKerberosPrincipal(String principal) {
     try {
       return new KerberosPrincipal(
-          KerberosUtils.canonicalPrincipal(
+          KerberosUtils.canonicalClientPrincipal(
               principal, InetAddress.getLocalHost().getCanonicalHostName()));
     } catch (IOException e) {
       throw new UncheckedIOException(e);
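Review bot: The `_HOST` substitution now feeds `InetAddress.getLocalHost().getCanonicalHostName()` into canonicalClientPrincipal, and that call does a reverse lookup which, when it fails, yields the address in textual form; the resulting client principal (constructed example: `user/10.1.2.3@REALM`) matches no keytab entry and the failure only surfaces later at login rather than here. A why-comment on the `getCanonicalHostName()` argument, `// reverse-DNS name; falls back to the IP literal, which will not match a keytab entry`, plus a check that the resolved name is not just the host address, would make the misconfiguration diagnosable at this point. The method also deserves a Javadoc: `/** Builds the client principal, replacing a {@code _HOST} host component with the local canonical hostname; principals without that placeholder (including headless {@code user@REALM}) are returned unchanged. */`. createKerberosPrincipal's body continues outside the hunk.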
diff --git a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosSaslHelper.java b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosSaslHelper.java
index 56b25fc2f..67ac6e166 100644
--- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosSaslHelper.java
+++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosSaslHelper.java
@@ -31,10 +31,12 @@ public final class KerberosSaslHelper {
   public static TTransport createSubjectAssumedTransport(
       Subject subject,
       String serverPrincipal,
+      String host,
       TTransport underlyingTransport,
       Map<String, String> saslProps)
       throws SaslException {
-    String[] names = KerberosUtils.splitPrincipal(serverPrincipal);
+    String resolvedPrincipal = KerberosUtils.canonicalPrincipal(serverPrincipal, host);
+    String[] names = KerberosUtils.splitPrincipal(resolvedPrincipal);
     TTransport saslTransport =
         new TSaslClientTransport(
             "GSSAPI", null, names[0], names[1], saslProps, null, underlyingTransport);
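Review bot: The server principal is now passed through `KerberosUtils.canonicalPrincipal(serverPrincipal, host)` unconditionally, while the client side in this same commit only substitutes when the host component is the `_HOST` placeholder; if canonicalPrincipal itself does not guard on `_HOST` (its body starts outside the KerberosUtils hunk, and the visible format line plus the need for a separate guarded canonicalClientPrincipal suggest it does not), a service principal configured with an explicit host would be silently rewritten to whatever host the JDBC URL names, changing the service identity the client is willing to authenticate to. Either apply the same `_HOST`-only guard here, or state the intent on the line: `// always bind the service principal to the connected host, even when it names another host`. The new `host` parameter is also dereferenced without a null check inside the format call; `Objects.requireNonNull(host, "host");` before the call fails clearly instead of with an NPE from `toLowerCase`. createSubjectAssumedTransport continues beyond the hunk.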
diff --git a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosUtils.java b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosUtils.java
index 911e36365..67ec3ce5b 100644
--- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosUtils.java
+++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosUtils.java
@@ -46,6 +46,15 @@ public final class KerberosUtils {
     return format("%s/%s@%s", names[0], hostname.toLowerCase(ENGLISH), names[2]);
   }
 
+  public static String canonicalClientPrincipal(String principal, String hostname) {
+    String[] components = splitPrincipal(principal);
+    if (components.length != 3 || !components[1].equals(HOSTNAME_PATTERN)) {
+      return principal;
+    } else {
+      return canonicalPrincipal(principal, hostname);
+    }
+  }
+
   public static KerberosTicket getTgt(Subject subject) {
     Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
     for (KerberosTicket ticket : tickets) {
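Review bot: canonicalClientPrincipal has no Javadoc, and its contract is easy to misread since it is the only entry point that leaves headless and explicit-host principals untouched; suggest `/** Returns {@code principal} with its host component replaced by {@code hostname} only when that component is the {@code HOSTNAME_PATTERN} placeholder; headless principals ({@code user@REALM}) and principals naming an explicit host are returned as given. */` (HOSTNAME_PATTERN is presumably `_HOST`, inferred from the commit message rather than visible here). The `else` after the early `return principal;` is redundant; the second branch can simply be `return canonicalPrincipal(principal, hostname);`. Note that `components.length != 3` also passes a malformed principal through unchanged rather than rejecting it, which is acceptable only if the downstream `KerberosPrincipal` constructor validates the form, and the Javadoc should say so. canonicalPrincipal begins, and getTgt ends, outside the hunk.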