HIVE-27817: Disable ssl hostname verification for 127.0.0.1 #4823

Merged Nov 8, 2023 (1 commit)

wangyum (Member) commented Oct 24, 2023

What changes were proposed in this pull request?

This PR disables ssl hostname verification for 127.0.0.1.

Why are the changes needed?

We need to set up a production tunnel because we can't connect to the production environment directly:

ssh -fN -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -L 127.0.0.1:10001:hiveserver2.prod.company.com:10001 bastion.company.com

JDBC url: jdbc:hive2://127.0.0.1:10001/default;ssl=true

But it will throw an exception after HIVE-15025:

Exception in thread "main" java.sql.SQLException: Could not open client transport with JDBC Uri: jdbc:hive2://localhost:10001/default;ssl=true: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
	at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:224)
	at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:107)
	at java.sql.DriverManager.getConnection(DriverManager.java:664)
	at java.sql.DriverManager.getConnection(DriverManager.java:247)
	at org.apache.spark.sql.TestJDBC$.main(TestJDBC.scala:47)
	at org.apache.spark.sql.TestJDBC.main(TestJDBC.scala)
Caused by: org.apache.hive.org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
	at org.apache.hive.org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:161)
	at org.apache.hive.org.apache.thrift.transport.TSaslTransport.sendSaslMessage(TSaslTransport.java:166)
	at org.apache.hive.org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:100)
	at org.apache.hive.org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
	at org.apache.hive.org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
	at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:311)
	at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:196)
	... 5 more

This PR disables ssl hostname verification for 127.0.0.1 to work around this issue.

Does this PR introduce any user-facing change?

No.

Is the change a dependency upgrade?

No.

How was this patch tested?

Manual test.
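
An added example, not part of the pull request or of Hive's code: a plain JSSE client that dials the local end of the tunnel described above while still checking the server certificate against the production hostname rather than 127.0.0.1. The class name TunnelTlsCheck and the 5-second connect timeout are assumptions; the hosts and port are the ones from the description.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper class (name is an assumption, not from Hive).
public class TunnelTlsCheck {

    /**
     * Opens TLS to the local end of the tunnel but validates the certificate
     * against expectedName (the real server), not the address that was dialed.
     */
    static SSLSocket open(String tunnelHost, int tunnelPort, String expectedName)
            throws IOException {
        Socket raw = new Socket();
        try {
            raw.connect(new InetSocketAddress(tunnelHost, tunnelPort), 5000);
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            // Layered socket: expectedName becomes the peer host that JSSE
            // uses for endpoint identification.
            SSLSocket tls = (SSLSocket) factory.createSocket(raw, expectedName, tunnelPort, true);
            SSLParameters params = tls.getSSLParameters();
            // Enforce SAN/CN matching in addition to chain validation.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            // Send the real name in SNI so the server selects the right certificate.
            params.setServerNames(
                    Collections.<SNIServerName>singletonList(new SNIHostName(expectedName)));
            tls.setSSLParameters(params);
            // Throws SSLHandshakeException on an untrusted chain or a name mismatch.
            tls.startHandshake();
            return tls;
        } catch (IOException e) {
            raw.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        try (SSLSocket tls = open("127.0.0.1", 10001, "hiveserver2.prod.company.com")) {
            System.out.println("Verified peer: " + tls.getSession().getPeerPrincipal());
        }
    }
}
```

The check uses the JVM's default trust store; if the server certificate is issued by an internal CA, point the JVM at the right store with -Djavax.net.ssl.trustStore.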

sonarcloud bot commented Oct 24, 2023

Kudos, SonarCloud Quality Gate passed!

0 Bugs (A)
0 Vulnerabilities (A)
0 Security Hotspots (A)
0 Code Smells (A)

No Coverage information
No Duplication information

Warning: The version of Java (11.0.8) you have used to run this analysis is deprecated and we will stop accepting it soon. Please update to at least Java 17.

wangyum (Member Author) commented Oct 24, 2023

cc @aihuaxu @chaoyu-tang @sunchao

aturoczy left a comment

Yes! Thank you!

aturoczy commented Nov 8, 2023

cc: @SourabhBadhya

sfc-gh-aixu left a comment

LGTM.

sunchao (Member) left a comment

LGTM

sunchao changed the title from "[HIVE-27817] Disable ssl hostname verification for 127.0.0.1" to "HIVE-27817: Disable ssl hostname verification for 127.0.0.1" on Nov 8, 2023
sunchao merged commit 2eef89b into apache:master on Nov 8, 2023
7 checks passed

sunchao (Member) commented Nov 8, 2023

Merged to master, thanks @wangyum !

wangyum added a commit to wangyum/hive that referenced this pull request Nov 8, 2023
wangyum deleted the HIVE-27817 branch November 10, 2023 02:17
sunchao pushed a commit that referenced this pull request Nov 23, 2023
tarak271 pushed a commit to tarak271/hive-1 that referenced this pull request Dec 19, 2023