From 22cf6bbb9c95adb780021689248222d16c80de64 Mon Sep 17 00:00:00 2001
From: schjan <15332482+schjan79@users.noreply.github.com>
Date: Thu, 10 Nov 2022 20:47:41 +0100
Subject: [PATCH] HIVE-26723: Configurable canonical name checking. Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to SSLHandshakeExcpetion when trying to connect by alias name via Kerberos. To solve this issue a new connection property is is introduced for Kerberos usecase to be able disabling canonical host name check: 'enableCanonicalHostnameCheck' having default value `true`. When the property is not given in connection string (or its value is true) then the original behaviour is applied i.e. checking canonical host name.
---
 .../java/org/apache/hive/jdbc/HiveConnection.java | 14 ++++++++++++--
 jdbc/src/java/org/apache/hive/jdbc/Utils.java | 1 +
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
index c91416a02b7a..fc7542754eb9 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/HiveConnection.java
@@ -65,6 +65,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Optional;
 import java.util.Properties;
 import java.util.concurrent.Executor;
 import java.util.concurrent.locks.ReentrantLock;
@@ -306,7 +307,11 @@ protected HiveConnection(String uri, Properties info,
 sessConfMap = connParams.getSessionVars();
 setupLoginTimeout();
 if (isKerberosAuthMode()) {
- host = Utils.getCanonicalHostName(connParams.getHost());
+ if (isEnableCanonicalHostnameCheck()) {
+ host = Utils.getCanonicalHostName(connParams.getHost());
+ } else {
+ host = connParams.getHost();
+ }
 } else if (isBrowserAuthMode() && !isHttpTransportMode()) {
 throw new SQLException("Browser auth mode is only applicable in http mode");
 } else {
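Review bot: The added `import java.util.Optional;` in the hunk at -65 is not used by any hunk in this patch; the new helper reads the setting with `sessConfMap.getOrDefault(...)` and never touches `Optional`. Unless code outside the visible hunks needs it, drop the import so the file does not pick up an unused-import warning.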
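Review bot: The host selection is now written twice in different shapes, a nested `if`/`else` in this hunk at -306 and a combined `isKerberosAuthMode() && isEnableCanonicalHostnameCheck()` condition in the hunk at -400, so a later change to one site can miss the other, and this value decides which server name the Kerberos connection goes on to use. A small private helper would keep both sites in step: `private String kerberosHost() { return isEnableCanonicalHostnameCheck() ? Utils.getCanonicalHostName(connParams.getHost()) : connParams.getHost(); }`. The new `else` branch also deserves a comment such as `// canonicalization skipped on request: the name from the JDBC URL is used unchanged`, because nothing here says why the URL name is taken as given. The constructor body starts and ends outside the hunk, so how `host` is consumed afterwards is not visible here.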
@@ -400,7 +405,7 @@ protected HiveConnection(String uri, Properties info,
 }
 // Update with new values
 jdbcUriString = connParams.getJdbcUriString();
- if (isKerberosAuthMode()) {
+ if (isKerberosAuthMode() && isEnableCanonicalHostnameCheck()) {
 host = Utils.getCanonicalHostName(connParams.getHost());
 } else {
 host = connParams.getHost();
@@ -1324,6 +1329,11 @@ private boolean isKerberosAuthMode() {
 && sessConfMap.containsKey(JdbcConnectionParams.AUTH_PRINCIPAL);
 }
 
+ private boolean isEnableCanonicalHostnameCheck() {
+ return Boolean.parseBoolean(
+ sessConfMap.getOrDefault(JdbcConnectionParams.AUTH_KERBEROS_ENABLE_CANONICAL_HOSTNAME_CHECK, "true"));
+ }
+
 private boolean isBrowserAuthMode() {
 return JdbcConnectionParams.AUTH_SSO_BROWSER_MODE
 .equals(sessConfMap.get(JdbcConnectionParams.AUTH_TYPE));
diff --git a/jdbc/src/java/org/apache/hive/jdbc/Utils.java b/jdbc/src/java/org/apache/hive/jdbc/Utils.java
index a855d4e2a5d3..765f9bde725a 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/Utils.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/Utils.java
@@ -99,6 +99,7 @@ public static class JdbcConnectionParams {
 public static final String AUTH_PASSWD = "password";
 public static final String AUTH_KERBEROS_AUTH_TYPE = "kerberosAuthType";
 public static final String AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT = "fromSubject";
+ public static final String AUTH_KERBEROS_ENABLE_CANONICAL_HOSTNAME_CHECK = "kerberosEnableCanonicalHostnameCheck";
 public static final String AUTH_TYPE_JWT = "jwt";
 public static final String AUTH_TYPE_JWT_KEY = "jwt";
 public static final String AUTH_JWT_ENV = "JWT";
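Review bot: `Boolean.parseBoolean` returns false for every value other than a case-insensitive "true", so in `isEnableCanonicalHostnameCheck()` a typo or a value such as `yes`, `1` or an empty string silently turns canonicalization off even though the stated default is on. For a setting that changes which host name the Kerberos connection uses, only an explicit opt-out should disable it: `return !"false".equalsIgnoreCase(sessConfMap.get(JdbcConnectionParams.AUTH_KERBEROS_ENABLE_CANONICAL_HOSTNAME_CHECK));`, or reject unrecognised values with an `SQLException`. The method also has no Javadoc; one sentence saying that it controls whether the URL host is replaced by its canonical name in Kerberos mode, and that it defaults to true, would be enough.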
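Review bot: The key added in the Utils.java hunk is `kerberosEnableCanonicalHostnameCheck`, while the commit description names the property `enableCanonicalHostnameCheck`; a connection string written from the description would presumably carry a key the client never reads and keep the default behaviour without any error. Align the two, and add a comment above the constant, e.g. `// Kerberos only: when false, the host from the JDBC URL is used as given instead of its canonical name (default true)`. The word "Check" in the name is also looser than what the HiveConnection hunks show, which is a name lookup being skipped and not a verification being switched off; saying so in the comment keeps the option from being read as a way to disable host validation. The class body continues outside the hunk.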