Posted to dev@linkis.apache.org by GitBox <gi...@apache.org> on 2021/11/25 13:34:28 UTC

[GitHub] [incubator-linkis] CCweixiao opened a new pull request #1117: add simple and kerberos auth type for linkis jdbc

CCweixiao opened a new pull request #1117:
URL: https://github.com/apache/incubator-linkis/pull/1117


   ### What is the purpose of the change
   (Add simple and kerberos auth types for jdbc.
   It is necessary to meet the needs of different certification environments.
   Related issues: #1085.)
   
   ### Brief change log
   
   - Provide multiple authentication-related parameter types;
   - Increase the code logic of kerberos authentication.
   
   ### Verifying this change
   Tested in my local environment
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@linkis.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@linkis.apache.org
For additional commands, e-mail: dev-help@linkis.apache.org


[GitHub] [incubator-linkis] peacewong commented on a change in pull request #1117: add simple and kerberos auth type for linkis jdbc

Posted by GitBox <gi...@apache.org>.
peacewong commented on a change in pull request #1117:
URL: https://github.com/apache/incubator-linkis/pull/1117#discussion_r759169300



##########
File path: linkis-commons/linkis-hadoop-common/src/main/scala/org/apache/linkis/hadoop/common/utils/KerberosUtils.java
##########
@@ -0,0 +1,111 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.linkis.hadoop.common.utils;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+import static org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.KERBEROS;
+
+
+public class KerberosUtils {
+    private static final Logger LOG = LoggerFactory.getLogger(KerberosUtils.class);
+
+    private KerberosUtils() {
+    }
+
+    private static Configuration createKerberosSecurityConfiguration() {
+        Configuration conf = new Configuration();
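
Review bot: createKerberosSecurityConfiguration() at the end of this hunk is undocumented and starts from a bare `new Configuration()`, so a reader cannot tell which Hadoop settings the Kerberos login will actually see. Add Javadoc stating where the configuration comes from and what the method changes, and declare KerberosUtils final, since its only visible constructor is private.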

Review comment:
       Should use HDFSUtils.getConfiguration to get the configuration object

##########
File path: linkis-engineconn-plugins/engineconn-plugins/jdbc/src/main/java/org/apache/linkis/manager/engineplugin/jdbc/ConnectionManager.java
##########
@@ -160,18 +204,72 @@ public Connection getConnection(Map<String, String> properties) throws SQLExcept
         return dataSource.getConnection();
     }
 
-    public void close() {
-        for (DataSource dataSource: this.databaseToDataSources.values()) {
-            try {
-//                DataSources.destroy(dataSource);
-                ((BasicDataSource)dataSource).close();
-            } catch (SQLException e) {}
+    private String getJdbcUrl(Map<String, String> properties) throws SQLException {
+        String url = properties.get("jdbc.url");
+        if (StringUtils.isEmpty(url)) {
+            throw new SQLException("jdbc.url is not empty.");
+        }
+        url = clearUrl(url);
+        validateURL(url);
+        return url.trim();
+    }
+
+    private boolean isUsernameAuthType(Map<String, String> properties) {
+        return USERNAME_AUTH_TYPE.equals(getJdbcAuthType(properties));
+    }
+
+    private boolean isKerberosAuthType(Map<String, String> properties) {
+        return KERBEROS_AUTH_TYPE.equals(getJdbcAuthType(properties));
+    }
+
+    private String getJdbcAuthType(Map<String, String> properties) {
+        return properties.getOrDefault("jdbc.auth.type", USERNAME_AUTH_TYPE).trim().toUpperCase();
+    }
+
+    public ScheduledExecutorService startRefreshKerberosLoginStatusThread() {
+        scheduledExecutorService = Executors.newScheduledThreadPool(1);
+        scheduledExecutorService.submit(new Callable<Object>() {
+            @Override
+            public Object call() throws Exception {
+                if (KerberosUtils.runRefreshKerberosLogin()) {
+                    logger.info("Ran runRefreshKerberosLogin command successfully.");
+                    kinitFailCount = 0;
+                    logger.info("Scheduling Kerberos ticket refresh thread with interval {} ms", KerberosUtils.getKerberosRefreshInterval());
+                    scheduledExecutorService.schedule(this, KerberosUtils.getKerberosRefreshInterval(), TimeUnit.MILLISECONDS);
+                } else {
+                    kinitFailCount++;
+                    logger.info("runRefreshKerberosLogin failed for {} time(s).", kinitFailCount);
+                    if (kinitFailCount >= KerberosUtils.kinitFailTimesThreshold()) {
+                        logger.error("runRefreshKerberosLogin failed for max attempts, calling close executor.");
+                        // close();
+                    } else {
+                        // wait for 1 second before calling runRefreshKerberosLogin() again
+                        scheduledExecutorService.schedule(this, 1, TimeUnit.SECONDS);
+                    }
+                }
+                return null;
+            }
+        });
+        return scheduledExecutorService;
+    }
+
+    public void shutdownRefreshKerberosLoginService() {
+        if (scheduledExecutorService != null) {
+            scheduledExecutorService.shutdown();
+        }
+    }
+
+    private String clearUrl(String url) {
+        if (url.startsWith("\"") && url.endsWith("\"")) {
+            url = url.trim();
+            return url.substring(1, url.length() - 1);
         }
+        return url;
     }
 
     public static void main(String[] args) throws Exception {
 //        Pattern pattern = Pattern.compile("^(jdbc:\\w+://\\S+:[0-9]+)\\s*");
-        String url = "jdbc:mysql://xxx.xxx.xxx.xxx:8504/xx?useUnicode=true&amp;characterEncoding=UTF-8&amp;createDatabaseIfNotExist=true";
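
Review bot: In startRefreshKerberosLoginStatusThread(), once kinitFailCount reaches KerberosUtils.kinitFailTimesThreshold() the task logs an error and returns without rescheduling, and the only reaction is the commented-out `// close();`, so ticket refresh stops silently while getConnection() keeps handing out connections. The same hunk deletes close(), leaving no visible path that closes the entries in databaseToDataSources; keep a close() that shuts the pools down and call it (or surface the failure to callers) when the threshold is hit. Each call also assigns a fresh Executors.newScheduledThreadPool(1) to scheduledExecutorService without shutting down the previous one, so guard against repeated starts. Separately, clearUrl() tests startsWith/endsWith before it trims, so a quoted URL with surrounding whitespace keeps its quotes; trim first.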

Review comment:
       Should be placed in the Test class

##########
File path: linkis-commons/linkis-hadoop-common/src/main/scala/org/apache/linkis/hadoop/common/utils/KerberosUtils.java
##########
@@ -0,0 +1,111 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.linkis.hadoop.common.utils;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+import static org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.KERBEROS;
+
+
+public class KerberosUtils {

Review comment:
       Should be placed in the java directory






[GitHub] [incubator-linkis] CCweixiao commented on a change in pull request #1117: add simple and kerberos auth type for linkis jdbc

Posted by GitBox <gi...@apache.org>.
CCweixiao commented on a change in pull request #1117:
URL: https://github.com/apache/incubator-linkis/pull/1117#discussion_r757347480



##########
File path: linkis-engineconn-plugins/engineconn-plugins/jdbc/src/main/java/org/apache/linkis/manager/engineplugin/jdbc/ConnectionManager.java
##########
@@ -160,18 +205,148 @@ public Connection getConnection(Map<String, String> properties) throws SQLExcept
         return dataSource.getConnection();
     }
 
-    public void close() {
-        for (DataSource dataSource: this.databaseToDataSources.values()) {
+    private String getJdbcUrl(Map<String, String> properties) throws SQLException {
+        String url = properties.get("jdbc.url");
+        if (StringUtils.isEmpty(url)) {
+            throw new SQLException("jdbc.url is not empty.");
+        }
+        url = clearUrl(url);
+        validateURL(url);
+        return url.trim();
+    }
+
+    private boolean isUsernameAuthType(Map<String, String> properties) {
+        return "USERNAME".equals(getJdbcAuthType(properties));
+    }
+
+    private boolean isKerberosAuthType(Map<String, String> properties) {
+        return "KERBEROS".equals(getJdbcAuthType(properties));
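
Review bot: getJdbcUrl() throws `new SQLException("jdbc.url is not empty.")` exactly when the value is empty, so the message says the opposite of the failure; reword it to something like "jdbc.url must not be empty". The method also validates the URL before trimming it (`validateURL(url)` followed by `return url.trim()`), so the string that was checked is not the string that is returned; trim before clearUrl() and validateURL().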

Review comment:
       Yes, this can be done.






[GitHub] [incubator-linkis] peacewong commented on a change in pull request #1117: add simple and kerberos auth type for linkis jdbc

Posted by GitBox <gi...@apache.org>.
peacewong commented on a change in pull request #1117:
URL: https://github.com/apache/incubator-linkis/pull/1117#discussion_r757279716



##########
File path: linkis-engineconn-plugins/engineconn-plugins/jdbc/src/main/java/org/apache/linkis/manager/engineplugin/jdbc/ConnectionManager.java
##########
@@ -160,18 +205,148 @@ public Connection getConnection(Map<String, String> properties) throws SQLExcept
         return dataSource.getConnection();
     }
 
-    public void close() {
-        for (DataSource dataSource: this.databaseToDataSources.values()) {
+    private String getJdbcUrl(Map<String, String> properties) throws SQLException {
+        String url = properties.get("jdbc.url");
+        if (StringUtils.isEmpty(url)) {
+            throw new SQLException("jdbc.url is not empty.");
+        }
+        url = clearUrl(url);
+        validateURL(url);
+        return url.trim();
+    }
+
+    private boolean isUsernameAuthType(Map<String, String> properties) {
+        return "USERNAME".equals(getJdbcAuthType(properties));
+    }
+
+    private boolean isKerberosAuthType(Map<String, String> properties) {
+        return "KERBEROS".equals(getJdbcAuthType(properties));
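
Review bot: isUsernameAuthType() and isKerberosAuthType() are two independent string comparisons, so an auth type that matches neither literal makes both return false and nothing in these lines rejects it. Parsing the value once into an enum that throws on unknown input would make the unsupported case explicit and also remove the repeated literals.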

Review comment:
       Can USERNAME/KERBEROS/SIMPLE be defined as constants?

##########
File path: linkis-engineconn-plugins/engineconn-plugins/jdbc/src/main/java/org/apache/linkis/manager/engineplugin/jdbc/ConnectionManager.java
##########
@@ -160,18 +205,148 @@ public Connection getConnection(Map<String, String> properties) throws SQLExcept
         return dataSource.getConnection();
     }
 
-    public void close() {
-        for (DataSource dataSource: this.databaseToDataSources.values()) {
+    private String getJdbcUrl(Map<String, String> properties) throws SQLException {
+        String url = properties.get("jdbc.url");
+        if (StringUtils.isEmpty(url)) {
+            throw new SQLException("jdbc.url is not empty.");
+        }
+        url = clearUrl(url);
+        validateURL(url);
+        return url.trim();
+    }
+
+    private boolean isUsernameAuthType(Map<String, String> properties) {
+        return "USERNAME".equals(getJdbcAuthType(properties));
+    }
+
+    private boolean isKerberosAuthType(Map<String, String> properties) {
+        return "KERBEROS".equals(getJdbcAuthType(properties));
+    }
+
+    private String getJdbcAuthType(Map<String, String> properties) {
+        return properties.getOrDefault("jdbc.auth.type", "USERNAME").trim().toUpperCase();
+    }
+
+    private void createKerberosSecureConfiguration(Map<String, String> properties) {
+        Configuration conf = new Configuration();
+        conf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS.toString());
+        UserGroupInformation.setConfiguration(conf);
+        try {
+            if (!UserGroupInformation.isSecurityEnabled()
+                    || UserGroupInformation.getCurrentUser().getAuthenticationMethod() != KERBEROS
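
Review bot: createKerberosSecureConfiguration() calls `UserGroupInformation.setConfiguration(conf)`, which is static and replaces the security configuration for the whole JVM, from a method that takes one connection's properties. Do this once in a dedicated, synchronized initialisation path and document the process-wide effect, so that a single Kerberos data source cannot switch authentication for other users of UserGroupInformation in the same process. In getJdbcAuthType(), `toUpperCase()` uses the default locale; pass Locale.ROOT so the comparison with the upper-case literals does not depend on the host's locale.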

Review comment:
       It is better to define Kerberos-related refresh and creation as a separate interface, without modifying the previous code file






[GitHub] [incubator-linkis] peacewong merged pull request #1117: add simple and kerberos auth type for linkis jdbc

Posted by GitBox <gi...@apache.org>.
peacewong merged pull request #1117:
URL: https://github.com/apache/incubator-linkis/pull/1117


   

