diff --git a/docs/client/jdbc/kyuubi_jdbc.rst b/docs/client/jdbc/kyuubi_jdbc.rst index 7a63dbd98..a3c56b418 100644 --- a/docs/client/jdbc/kyuubi_jdbc.rst +++ b/docs/client/jdbc/kyuubi_jdbc.rst @@ -194,6 +194,7 @@ It's straightforward to use principal and keytab for Kerberos authentication, ju - kyuubiClientPrincipal: Kerberos ``principal`` for client authentication - kyuubiClientKeytab: path of Kerberos ``keytab`` file for client authentication +- kyuubiClientTicketCache: path of Kerberos ``ticketCache`` file for client authentication, available since 1.8.0. - kyuubiServerPrincipal: Kerberos ``principal`` configured by `kyuubi.kinit.principal` at the server side. ``kyuubiServerPrincipal`` is available as an alias of ``principal`` since 1.7.0, use ``principal`` for previous versions. diff --git a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java index bcc94e083..d3c77a77f 100644 --- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java +++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java @@ -49,6 +49,7 @@ public class JdbcConnectionParams { public static final String AUTH_KYUUBI_SERVER_PRINCIPAL = "kyuubiServerPrincipal"; public static final String AUTH_KYUUBI_CLIENT_PRINCIPAL = "kyuubiClientPrincipal"; public static final String AUTH_KYUUBI_CLIENT_KEYTAB = "kyuubiClientKeytab"; + public static final String AUTH_KYUUBI_CLIENT_TICKET_CACHE = "kyuubiClientTicketCache"; public static final String AUTH_PASSWD = "password"; public static final String AUTH_KERBEROS_AUTH_TYPE = "kerberosAuthType"; public static final String AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT = "fromSubject"; diff --git a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java index d3fbbeb6d..39a74e2f5 100644 
--- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
+++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java
@@ -882,7 +882,8 @@ public class KyuubiConnection implements SQLConnection, KyuubiLoggable {
 AccessControlContext context = AccessController.getContext();
 return Subject.getSubject(context);
 } else if (isTgtCacheAuthMode()) {
- return KerberosAuthenticationManager.getTgtCacheAuthentication().getSubject();
+ String ticketCache = sessConfMap.get(AUTH_KYUUBI_CLIENT_TICKET_CACHE);
+ return KerberosAuthenticationManager.getTgtCacheAuthentication(ticketCache).getSubject();
 } else {
 // This should never happen
 throw new IllegalArgumentException("Unsupported auth mode");
diff --git a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.java b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.java
index a7683523f..a137fbb99 100644
--- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.java
+++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.java
@@ -37,6 +37,7 @@ import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
+import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -48,8 +49,8 @@ public class KerberosAuthentication {
 private KerberosPrincipal principal = null;
 private final Configuration configuration;
- KerberosAuthentication() {
- this.configuration = createLoginFromTgtCacheConfiguration();
+ KerberosAuthentication(String ticketCache) {
+ this.configuration = createLoginFromTgtCacheConfiguration(ticketCache);
 }
 KerberosAuthentication(String principal, String keytabLocation) {
@@ -96,14 +97,16 @@ public class KerberosAuthentication { } } - private static Configuration createLoginFromTgtCacheConfiguration() { + private static Configuration createLoginFromTgtCacheConfiguration(String ticketCache) { ImmutableMap.Builder optionsBuilder = ImmutableMap.builder() .put("useTicketCache", "true") .put("renewTGT", "true"); - String ticketCache = System.getenv("KRB5CCNAME"); - if (ticketCache != null) { + if (StringUtils.isBlank(ticketCache)) { + ticketCache = System.getenv("KRB5CCNAME"); + } + if (StringUtils.isNotBlank(ticketCache)) { optionsBuilder.put("ticketCache", ticketCache); } return createConfiguration(optionsBuilder); diff --git a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthenticationManager.java b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthenticationManager.java index 92927985f..3df9aa836 100644 --- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthenticationManager.java +++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/KerberosAuthenticationManager.java @@ -27,9 +27,10 @@ public class KerberosAuthenticationManager { private static final Map KEYTAB_AUTHENTICATION_CACHE = new ConcurrentHashMap<>(); - public static synchronized CachingKerberosAuthentication getTgtCacheAuthentication() { + public static synchronized CachingKerberosAuthentication getTgtCacheAuthentication( + String ticketCache) { if (GLOBAL_TGT_CACHE_AUTHENTICATION == null) { - KerberosAuthentication tgtCacheAuth = new KerberosAuthentication(); + KerberosAuthentication tgtCacheAuth = new KerberosAuthentication(ticketCache); GLOBAL_TGT_CACHE_AUTHENTICATION = new CachingKerberosAuthentication(tgtCacheAuth); } return GLOBAL_TGT_CACHE_AUTHENTICATION;
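Review bot: The lookup order for the ticket cache in `createLoginFromTgtCacheConfiguration` is undocumented, and because the parameter is reassigned in place the fallback is easy to misread. A one-line Javadoc would pin it down, for example `/** Uses the given ticketCache; if blank, falls back to KRB5CCNAME; if that is blank too, no ticketCache option is set and the login module's default applies. */`. The value is also handed to the option untrimmed, so a path with stray surrounding whitespace passes `isNotBlank` and would presumably only fail later at login; `optionsBuilder.put("ticketCache", ticketCache.trim());` avoids that. `createConfiguration` is outside the hunk, so how a non-existent or unreadable path is reported cannot be judged from here.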
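Review bot: The new `ticketCache` argument of `getTgtCacheAuthentication` only takes effect on the first call in a JVM: once `GLOBAL_TGT_CACHE_AUTHENTICATION` is set, every later call returns that instance and silently ignores the path it was given. Since the KyuubiConnection hunk now passes a per-connection `kyuubiClientTicketCache`, a second connection naming a different cache would authenticate with the first connection's Kerberos subject, that is, as the wrong principal. Keying the cached authentications by ticket-cache path, as the class already appears to do for keytabs with `KEYTAB_AUTHENTICATION_CACHE`, keeps the identities separate; a sketch follows. The declaration of `GLOBAL_TGT_CACHE_AUTHENTICATION` and the method's closing brace are outside the hunk.

```java
// Proposed field; replaces the single GLOBAL_TGT_CACHE_AUTHENTICATION instance.
private static final Map<String, CachingKerberosAuthentication> TGT_CACHE_AUTHENTICATIONS =
    new ConcurrentHashMap<>();

public static CachingKerberosAuthentication getTgtCacheAuthentication(String ticketCache) {
  // ConcurrentHashMap rejects null keys; "" stands for "no explicit cache given".
  String key = ticketCache == null ? "" : ticketCache.trim();
  return TGT_CACHE_AUTHENTICATIONS.computeIfAbsent(
      key, k -> new CachingKerberosAuthentication(new KerberosAuthentication(ticketCache)));
```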