[KYUUBI #5564] Support to config ticket cache location in JDBC URL

### _Why are the changes needed?_ Support to config customized ticket cache location in kyuubi connection URL. Before, we can only set it via environment variable `KRB5CCNAME`. ### _How was this patch tested?_ - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [ ] Add screenshots for manual tests if appropriate - [x] [Run test](https://kyuubi.readthedocs.io/en/master/contributing/code/testing.html#running-tests) locally before make a pull request ### _Was this patch authored or co-authored using generative AI tooling?_ No. Closes #5564 from turboFei/ticket_cache. Closes #5564 140ae6ec2 [fwang12] since 1.8.0 caaf33a44 [fwang12] check is blank 0fae9f9c5 [fwang12] doc 05b9e9df8 [fwang12] ticket cache Authored-by: fwang12 <fwang12@ebay.com> Signed-off-by: Cheng Pan <chengpan@apache.org>
2023-11-03 00:35:27 +08:00 · 2023-11-03 00:35:27 +08:00 · c149809fb9
commit c149809fb9
parent 8980e0752d
5 changed files with 15 additions and 8 deletions
--- a/docs/client/jdbc/kyuubi_jdbc.rst
+++ b/docs/client/jdbc/kyuubi_jdbc.rst
@ -194,6 +194,7 @@ It's straightforward to use principal and keytab for Kerberos authentication, ju

 - kyuubiClientPrincipal: Kerberos ``principal`` for client authentication
 - kyuubiClientKeytab: path of Kerberos ``keytab`` file for client authentication
+- kyuubiClientTicketCache: path of Kerberos ``ticketCache`` file for client authentication, available since 1.8.0.
 - kyuubiServerPrincipal: Kerberos ``principal`` configured by `kyuubi.kinit.principal` at the server side. ``kyuubiServerPrincipal`` is available
  as an alias of ``principal`` since 1.7.0, use ``principal`` for previous versions.

--- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java
+++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java
@ -49,6 +49,7 @@ public class JdbcConnectionParams {
  public static final String AUTH_KYUUBI_SERVER_PRINCIPAL = "kyuubiServerPrincipal";
  public static final String AUTH_KYUUBI_CLIENT_PRINCIPAL = "kyuubiClientPrincipal";
  public static final String AUTH_KYUUBI_CLIENT_KEYTAB = "kyuubiClientKeytab";
+  public static final String AUTH_KYUUBI_CLIENT_TICKET_CACHE = "kyuubiClientTicketCache";
  public static final String AUTH_PASSWD = "password";
  public static final String AUTH_KERBEROS_AUTH_TYPE = "kerberosAuthType";
  public static final String AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT = "fromSubject";
--- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
+++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
@ -882,7 +882,8 @@ public class KyuubiConnection implements SQLConnection, KyuubiLoggable {
      AccessControlContext context = AccessController.getContext();
      return Subject.getSubject(context);
    } else if (isTgtCacheAuthMode()) {
-      return KerberosAuthenticationManager.getTgtCacheAuthentication().getSubject();
+      String ticketCache = sessConfMap.get(AUTH_KYUUBI_CLIENT_TICKET_CACHE);
+      return KerberosAuthenticationManager.getTgtCacheAuthentication(ticketCache).getSubject();
    } else {
      // This should never happen
      throw new IllegalArgumentException("Unsupported auth mode");
--- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.java
+++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.java
@ -37,6 +37,7 @@ import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
+import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

@ -48,8 +49,8 @@ public class KerberosAuthentication {
  private KerberosPrincipal principal = null;
  private final Configuration configuration;

-  KerberosAuthentication() {
-    this.configuration = createLoginFromTgtCacheConfiguration();
+  KerberosAuthentication(String ticketCache) {
+    this.configuration = createLoginFromTgtCacheConfiguration(ticketCache);
  }

  KerberosAuthentication(String principal, String keytabLocation) {
@ -96,14 +97,16 @@ public class KerberosAuthentication {
    }
  }

-  private static Configuration createLoginFromTgtCacheConfiguration() {
+  private static Configuration createLoginFromTgtCacheConfiguration(String ticketCache) {
    ImmutableMap.Builder<String, String> optionsBuilder =
        ImmutableMap.<String, String>builder()
            .put("useTicketCache", "true")
            .put("renewTGT", "true");

-    String ticketCache = System.getenv("KRB5CCNAME");
-    if (ticketCache != null) {
+    if (StringUtils.isBlank(ticketCache)) {
+      ticketCache = System.getenv("KRB5CCNAME");
+    }
+    if (StringUtils.isNotBlank(ticketCache)) {
      optionsBuilder.put("ticketCache", ticketCache);
    }
    return createConfiguration(optionsBuilder);
--- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthenticationManager.java
+++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthenticationManager.java
@ -27,9 +27,10 @@ public class KerberosAuthenticationManager {
  private static final Map<String, CachingKerberosAuthentication> KEYTAB_AUTHENTICATION_CACHE =
      new ConcurrentHashMap<>();

-  public static synchronized CachingKerberosAuthentication getTgtCacheAuthentication() {
+  public static synchronized CachingKerberosAuthentication getTgtCacheAuthentication(
+      String ticketCache) {
    if (GLOBAL_TGT_CACHE_AUTHENTICATION == null) {
-      KerberosAuthentication tgtCacheAuth = new KerberosAuthentication();
+      KerberosAuthentication tgtCacheAuth = new KerberosAuthentication(ticketCache);
      GLOBAL_TGT_CACHE_AUTHENTICATION = new CachingKerberosAuthentication(tgtCacheAuth);
    }
    return GLOBAL_TGT_CACHE_AUTHENTICATION;