apache/kyuubi
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

[KYUUBI #6524] Trino engine supports insecure configuration

Browse Source 
# 🔍 Description
## Issue References 🔗

This pull request fixes #6524

## Describe Your Solution 🔧

Trino engine supports insecure configuration, just as trino client supports --insecure parameter

## Types of changes 🔖

- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Test Plan 🧪

#### Behavior Without This Pull Request ⚰️

#### Behavior With This Pull Request 🎉

#### Related Unit Tests

---

# Checklist 📝

- [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)

**Be nice. Be informative.**

Closes #6525 from jiaoqingbo/6524.

Closes #6524

b414b2e05 [jiaoqingbo] update settings.md
129d40742 [jiaoqingbo] [KYUUBI #6524] Trino engine supports insecure configuration
24f374b38 [jiaoqingbo] Merge branch 'master' of https://github.com/jiaoqingbo/incubator-kyuubi
e89268e4b [jiaoqingbo] [KYUUBI #6508] Add the key-value pairs in optimizedConf to session conf

Authored-by: jiaoqingbo <1178404354@qq.com>
Signed-off-by: Cheng Pan <chengpan@apache.org>
This commit is contained in:
jiaoqingbo 2024-07-04 22:41:13 +08:00 committed by Cheng Pan
parent 84f2cf3c5a
commit ef943ecb3b
No known key found for this signature in database
GPG Key ID: 8001952629BCC75D
3 changed files with 31 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/configuration/settings.md
View File

@ -193,6 +193,7 @@ You can configure the Kyuubi properties in `$KYUUBI_HOME/conf/kyuubi-defaults.co
| kyuubi.engine.spark.python.env.archive.exec.path | bin/python | The Python exec path under the Python env archive. | string | 1.7.0 |
| kyuubi.engine.spark.python.home.archive | &lt;undefined&gt; | Spark archive containing $SPARK_HOME/python directory, which is used to init session Python worker for Python language mode. | string | 1.7.0 |
| kyuubi.engine.submit.timeout | PT30S | Period to tolerant Driver Pod ephemerally invisible after submitting. In some Resource Managers, e.g. K8s, the Driver Pod is not visible immediately after `spark-submit` is returned. | duration | 1.7.1 |
| kyuubi.engine.trino.connection.insecure.enabled | false | Skip certificate validation when connecting with TLS/HTTPS enabled trino cluster | boolean | 1.9.2 |
| kyuubi.engine.trino.connection.keystore.password | &lt;undefined&gt; | The keystore password used for connecting to trino cluster | string | 1.8.0 |
| kyuubi.engine.trino.connection.keystore.path | &lt;undefined&gt; | The keystore path used for connecting to trino cluster | string | 1.8.0 |
| kyuubi.engine.trino.connection.keystore.type | &lt;undefined&gt; | The keystore type used for connecting to trino cluster | string | 1.8.0 |

43
externals/kyuubi-trino-engine/src/main/scala/org/apache/kyuubi/engine/trino/session/TrinoSessionImpl.scala vendored
View File

@ -25,8 +25,7 @@ import java.util.concurrent.TimeUnit
import scala.collection.JavaConverters._
import io.airlift.units.Duration
import io.trino.client.ClientSession
import io.trino.client.OkHttpUtil
import io.trino.client.{ClientSession, OkHttpUtil}
import okhttp3.OkHttpClient
import org.apache.kyuubi.KyuubiSQLException
@ -37,7 +36,7 @@ import org.apache.kyuubi.engine.trino.{TrinoConf, TrinoContext, TrinoStatement}
import org.apache.kyuubi.engine.trino.event.TrinoSessionEvent
import org.apache.kyuubi.events.EventBus
import org.apache.kyuubi.operation.{Operation, OperationHandle}
import org.apache.kyuubi.session.{AbstractSession, SessionHandle, SessionManager, USE_CATALOG, USE_DATABASE}
import org.apache.kyuubi.session._
import org.apache.kyuubi.shaded.hive.service.rpc.thrift.{TGetInfoType, TGetInfoValue, TProtocolVersion}
class TrinoSessionImpl(
@ -112,27 +111,31 @@ class TrinoSessionImpl(
}
private def createHttpClient(): OkHttpClient = {
val keystorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PATH)
val keystorePassword = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PASSWORD)
val keystoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_TYPE)
val truststorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PATH)
val truststorePassword = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PASSWORD)
val truststoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_TYPE)
val serverScheme = clientSession.getServer.getScheme
val builder = new OkHttpClient.Builder()
OkHttpUtil.setupSsl(
builder,
Optional.ofNullable(keystorePath.orNull),
Optional.ofNullable(keystorePassword.orNull),
Optional.ofNullable(keystoreType.orNull),
Optional.ofNullable(truststorePath.orNull),
Optional.ofNullable(truststorePassword.orNull),
Optional.ofNullable(truststoreType.orNull),
true)
val insecureEnabled = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_INSECURE_ENABLED)
if (insecureEnabled) {
OkHttpUtil.setupInsecureSsl(builder)
} else {
val keystorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PATH)
val keystorePassword = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PASSWORD)
val keystoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_TYPE)
val truststorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PATH)
val truststorePassword =
sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PASSWORD)
val truststoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_TYPE)
OkHttpUtil.setupSsl(
builder,
Optional.ofNullable(keystorePath.orNull),
Optional.ofNullable(keystorePassword.orNull),
Optional.ofNullable(keystoreType.orNull),
Optional.ofNullable(truststorePath.orNull),
Optional.ofNullable(truststorePassword.orNull),
Optional.ofNullable(truststoreType.orNull),
true)
}
sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_PASSWORD).foreach { password =>
require(
serverScheme.equalsIgnoreCase("https"),

7
kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
View File

@ -1506,6 +1506,13 @@ object KyuubiConf {
.stringConf
.createOptional
val ENGINE_TRINO_CONNECTION_INSECURE_ENABLED: ConfigEntry[Boolean] =
buildConf("kyuubi.engine.trino.connection.insecure.enabled")
.doc("Skip certificate validation when connecting with TLS/HTTPS enabled trino cluster")
.version("1.9.2")
.booleanConf
.createWithDefault(false)
val ENGINE_TRINO_SHOW_PROGRESS: ConfigEntry[Boolean] =
buildConf("kyuubi.session.engine.trino.showProgress")
.doc("When true, show the progress bar and final info in the Trino engine log.")