From 0bcd107d4fbc7b53cf400efa03259e5d39c70d15 Mon Sep 17 00:00:00 2001 
From: pengqli Date: Fri, 17 Nov 2023 19:31:59 +0800 Subject: [PATCH] [KYUUBI #5713] Backport HIVE-27271: Client connection to HS2 fails when transportMode=http, ssl=true, sslTrustStore specified without trustStorePassword in the JDBC URL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit # :mag: Description Backport https://github.com/apache/hive/pull/4262 ## Issue References ๐Ÿ”— This pull request fixes ##5713 ## Describe Your Solution ๐Ÿ”ง trustStorePassword is not a necessary parameter in connection URL. Connection can be established without it. From the javadocs [Link](https://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html#load(java.io.InputStream,%20char%5B%5D)) A password may be given to unlock the keystore (e.g. the keystore resides on a hardware token device), or to check the integrity of the keystore data. If a password is not given for integrity checking, then integrity checking is not performed. In order to create an empty keystore, or if the keystore cannot be initialized from a stream, pass null as the stream argument. 
Reference PR comes from HIVE-27271 ## Types of changes :bookmark: - [x] Bugfix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) ## Test Plan ๐Ÿงช #### Behavior Without This Pull Request :coffin: #### Behavior With This Pull Request :tada: #### Related Unit Tests --- # Checklists ## ๐Ÿ“ Author Self Checklist - [ ] My code follows the [style guidelines](https://kyuubi.readthedocs.io/en/master/contributing/code/style.html) of this project - [ ] I have performed a self-review - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [ ] My changes generate no new warnings - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html) ## ๐Ÿ“ Committer Pre-Merge Checklist - [x] Pull request title is okay. - [x] No license issues. - [x] Milestone correctly set? - [ ] Test coverage is ok - [x] Assignees are selected. - [x] Minimum number of approvals - [x] No changes are requested **Be nice. Be informative.** Closes #5712 from dev-lpq/ssl_http_store. Closes #5713 c1011e487 [pengqli] Support client connection when transportMode=http,ssl=true, sslTrustStore specified without trustStorePassword in the JDBC URL Authored-by: pengqli Signed-off-by: Cheng Pan
---
 .../java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
index 39a74e2f5..077def43b 100644
--- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
+++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
@@ -559,7 +559,8 @@ public class KyuubiConnection implements SQLConnection, KyuubiLoggable {
 // Pick trust store config from the given path
 sslTrustStore = KeyStore.getInstance(SSL_TRUST_STORE_TYPE);
 try (FileInputStream fis = new FileInputStream(sslTrustStorePath)) {
- sslTrustStore.load(fis, sslTrustStorePassword.toCharArray());
+ sslTrustStore.load(
+ fis, sslTrustStorePassword != null ? sslTrustStorePassword.toCharArray() : null);
 }
 sslContext = SSLContexts.custom().loadTrustMaterial(sslTrustStore, null).build();
 socketFactory =
@@ -685,7 +686,8 @@ public class KyuubiConnection implements SQLConnection, KyuubiLoggable {
 SSL_TRUST_STORE + " Not configured for 2 way SSL connection");
 }
 try (FileInputStream fis = new FileInputStream(trustStorePath)) {
- sslTrustStore.load(fis, trustStorePassword.toCharArray());
+ sslTrustStore.load(
+ fis, trustStorePassword != null ? trustStorePassword.toCharArray() : null);
 }
 trustManagerFactory.init(sslTrustStore);
 SSLContext context = SSLContext.getInstance("TLS");
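Review bot: With a null password, `KeyStore.load` performs no integrity check on the trust store file (the Javadoc quoted in the description says so), and neither rewritten `sslTrustStore.load(...)` call, in the first hunk (old line 559) or the second (old line 685), records that this path is now reachable. A trust store altered on disk is then accepted without any signal, so its protection rests on filesystem permissions alone; I would put a comment above each call such as `// null password: integrity check is skipped, so the trust store file must be protected by file permissions`, and emit a warning when the password is absent if this class has a logger in scope. How a password-less load behaves also depends on the store type, and for the first hunk the value of `SSL_TRUST_STORE_TYPE` is not visible here, so that case deserves a test. The same ternary is repeated in both hunks and could live in one private helper that returns the `char[]` or null. Both enclosing methods start and end outside the hunks.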