Kyuubi Hive JDBC: Replace UGI-based Kerberos authentication w/ JAAS #3023
pan3793 wants to merge 2 commits into apache:master from
Codecov Report (Coverage Diff)

| | master | #3023 | +/- |
|---|---|---|---|
| Coverage | 51.26% | 51.11% | -0.15% |
| Complexity | 6 | 6 | |
| Files | 458 | 458 | |
| Lines | 25416 | 25495 | +79 |
| Branches | 3535 | 3544 | +9 |
| Hits | 13030 | 13033 | +3 |
| Misses | 11144 | 11219 | +75 |
| Partials | 1242 | 1243 | +1 |
### _Why are the changes needed?_
This PR is separated from #3023, to make the #3023 change clearer. It is a pure code refactor and should not break any functionality or public API.
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before making a pull request
Closes #3094 from pan3793/noisy.
Closes #3094
0cf2ac2 [Cheng Pan] Minor refactor
Authored-by: Cheng Pan <chengpan@apache.org>
Signed-off-by: Cheng Pan <chengpan@apache.org>
@yaooqinn for review convenience, this PR has been split into multiple parts. I updated the PR description to reflect the changes; please take a look when you have time.
```
public static final Logger LOG = LoggerFactory.getLogger(KyuubiConnection.class.getName());
public static final String BEELINE_MODE_PROPERTY = "BEELINE_MODE";
public static final String HS2_PROXY_USER = "hive.server2.proxy.user";
public static final String HS2_CLIENT_TOKEN = "hiveserver2ClientToken";
```
In this PR we do not support the delegationToken authentication method; we will add it back in the subsequent PR #3096, right?
Since #3096 got approved, I'm going to merge this PR. Thanks all for helping with the reviews.
… authentication w/ JAAS
### _Why are the changes needed?_
1. `principal` supports `X/_HOST@EXAMPLE.COM`
2. `kyuubiClientPrincipal` supports headless keytab, `X@EXAMPLE.COM`
#3023
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before making a pull request
Closes #3346 from cxzl25/3023_followup.
Closes #3023
1530929 [sychen] support principal _HOST and kyuubiClientPrincipal headless keytab
Authored-by: sychen <sychen@ctrip.com>
Signed-off-by: Cheng Pan <chengpan@apache.org>
(cherry picked from commit 2b122ac)
Signed-off-by: Cheng Pan <chengpan@apache.org>
Hi @pan3793, I see that `ugi.doAs` does not work after this change if the `KRB5CCNAME` env is set and does not set
cc @gabrywu
…doAs
### _Why are the changes needed?_
A typical use case of Hadoop UGI w/ Kyuubi Hive JDBC is
```
import java.sql.Connection;
import java.sql.DriverManager;
import org.apache.hadoop.security.UserGroupInformation;

UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
// getConnection throws SQLException, so the lambda resolves to a PrivilegedExceptionAction
// and must return a value (null is fine when only side effects matter)
ugi.doAs(() -> {
  Connection conn = DriverManager.getConnection(
      "jdbc:kyuubi://host:10009/default;principal=kyuubi/_HOST@ABC.ORG");
  ...
  return null;
});
```
After #3023, Kyuubi Hive JDBC implements the Kerberos authentication by using the JDK directly instead of Hadoop `UserGroupInformation`, but it also introduces a breaking change for Hadoop users, including the above case. As a workaround, users should add `kerberosAuthType=fromSubject` alongside `principal=kyuubi/_HOST@ABC.ORG` to make it work.
This PR proposes to restore the behavior before #3023 by handling UGI.doAs explicitly.
This PR also makes `clientPrincipal` and `clientKeytab` the highest priority, so in the case below `clientPrincipal` and `clientKeytab` take effect instead of UGI.
```
import java.sql.Connection;
import java.sql.DriverManager;
import org.apache.hadoop.security.UserGroupInformation;

UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
// clientPrincipal/clientKeytab win over the UGI login of the calling thread
ugi.doAs(() -> {
  Connection conn = DriverManager.getConnection(
      "jdbc:kyuubi://host:10009/default;principal=kyuubi/_HOST@ABC.ORG;" +
      "clientPrincipal=tom/_HOST@ABC.ORG;clientKeytab=/path/xxx.keytab");
  ...
  return null;
});
```
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.readthedocs.io/en/master/develop_tools/testing.html#running-tests) locally before making a pull request
Closes #4479 from pan3793/detect-ugi.
Closes #4479
0e169ab [Cheng Pan] nit
19036e3 [Cheng Pan] reorder
e8faf9c [Cheng Pan] Restore JDBC kerberos authentication behavior for UGI.doAs
Authored-by: Cheng Pan <chengpan@apache.org>
Signed-off-by: fwang12 <fwang12@ebay.com>
(cherry picked from commit 17466ea)
Signed-off-by: fwang12 <fwang12@ebay.com>
### _Why are the changes needed?_
The current JDBC Kerberos authentication and Hadoop UGI classes are tightly coupled, which is unfriendly to downstream projects that do not have Hadoop dependencies and to users who are not familiar w/ the Hadoop security mechanism.
This PR proposes to replace the UGI-based Kerberos authentication with JAAS-based.
The main logic is
To achieve this, we need to introduce new JDBC parameters `kyuubiClientPrincipal` and `kyuubiClientKeytab`. The above description is pure JDK-based and totally removes Hadoop dependencies from the Kyuubi Hive JDBC driver.
To minimize the scope of this PR, I separated the support of delegation token into a follow-up PR #3096, and it still needs UGI.
### _How was this patch tested?_
- Add some test cases that check the changes thoroughly including negative and positive cases if possible
- Add screenshots for manual tests if appropriate
- Run test locally before making a pull request
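The JAAS-based login this PR describes, as an added illustrative example that is not the Kyuubi driver's own code: the client principal/keytab parameters map onto `Krb5LoginModule` options, and the `Subject` is resolved with the priority given in the #4479 description (explicit client keytab first, then the caller's already-authenticated `Subject` from `UGI.doAs` / `kerberosAuthType=fromSubject`). The final ticket-cache fallback, the `KyuubiClient` entry name and the `resolveSubject` signature are assumptions of this example.

```java
import java.security.AccessController;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Illustrative helper, not the Kyuubi driver's own code: resolves the Subject a
// JDBC client authenticates with, using only JDK JAAS classes (no Hadoop UGI).
public final class JaasKerberosLogin {
  private static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
  // Programmatic JAAS Configuration, so no jaas.conf file or system property is required.
  private static Configuration krb5Config(Map<String, String> options) {
    return new Configuration() {
      @Override
      public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return new AppConfigurationEntry[] {
          new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, options)};
      }
    };
  }
  private static Subject login(Map<String, String> options) throws LoginException {
    LoginContext lc = new LoginContext("KyuubiClient", null, null, krb5Config(options));
    lc.login();
    return lc.getSubject();
  }
  // Priority as described in the PR: explicit client keytab first, then the caller's
  // already-authenticated Subject (UGI.doAs / fromSubject); ticket cache is an assumed fallback.
  public static Subject resolveSubject(String clientPrincipal, String clientKeytab) throws LoginException {
    Map<String, String> opts = new HashMap<>();
    opts.put("doNotPrompt", "true");           // never fall back to an interactive password prompt
    if (clientPrincipal != null && clientKeytab != null) {
      opts.put("useKeyTab", "true");
      opts.put("keyTab", clientKeytab);
      opts.put("principal", clientPrincipal);  // headless (tom@REALM) or with instance (tom/host@REALM)
      opts.put("storeKey", "true");            // keep the key so the TGT can be re-acquired on expiry
      return login(opts);
    }
    Subject caller = Subject.getSubject(AccessController.getContext());
    if (caller != null && !caller.getPrivateCredentials().isEmpty()) {
      return caller;                           // reuse the Subject established by the caller
    }
    opts.put("useTicketCache", "true");        // honours KRB5CCNAME, like kinit-based clients
    return login(opts);
  }
}
```

The returned `Subject` is then passed to `Subject.doAs` around the GSS-API handshake with the server, so the driver never needs `UserGroupInformation` on the classpath.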