diff --git a/docs/configuration/settings.md b/docs/configuration/settings.md
index 3d4177e86..bc652794b 100644
--- a/docs/configuration/settings.md
+++ b/docs/configuration/settings.md
@@ -193,6 +193,7 @@ You can configure the Kyuubi properties in `$KYUUBI_HOME/conf/kyuubi-defaults.co
 | kyuubi.engine.spark.python.env.archive.exec.path | bin/python | The Python exec path under the Python env archive. | string | 1.7.0 |
 | kyuubi.engine.spark.python.home.archive | <undefined> | Spark archive containing $SPARK_HOME/python directory, which is used to init session Python worker for Python language mode. | string | 1.7.0 |
 | kyuubi.engine.submit.timeout | PT30S | Period to tolerant Driver Pod ephemerally invisible after submitting. In some Resource Managers, e.g. K8s, the Driver Pod is not visible immediately after `spark-submit` is returned. | duration | 1.7.1 |
+| kyuubi.engine.trino.connection.insecure.enabled | false | Skip certificate validation when connecting with TLS/HTTPS enabled trino cluster | boolean | 1.9.2 |
 | kyuubi.engine.trino.connection.keystore.password | <undefined> | The keystore password used for connecting to trino cluster | string | 1.8.0 |
 | kyuubi.engine.trino.connection.keystore.path | <undefined> | The keystore path used for connecting to trino cluster | string | 1.8.0 |
 | kyuubi.engine.trino.connection.keystore.type | <undefined> | The keystore type used for connecting to trino cluster | string | 1.8.0 |
diff --git a/externals/kyuubi-trino-engine/src/main/scala/org/apache/kyuubi/engine/trino/session/TrinoSessionImpl.scala b/externals/kyuubi-trino-engine/src/main/scala/org/apache/kyuubi/engine/trino/session/TrinoSessionImpl.scala
index 2bfec299a..817e68423 100644
--- a/externals/kyuubi-trino-engine/src/main/scala/org/apache/kyuubi/engine/trino/session/TrinoSessionImpl.scala
+++ b/externals/kyuubi-trino-engine/src/main/scala/org/apache/kyuubi/engine/trino/session/TrinoSessionImpl.scala
@@ -25,8 +25,7 @@ import java.util.concurrent.TimeUnit import scala.collection.JavaConverters._ import io.airlift.units.Duration -import io.trino.client.ClientSession -import io.trino.client.OkHttpUtil +import io.trino.client.{ClientSession, OkHttpUtil} import okhttp3.OkHttpClient import org.apache.kyuubi.KyuubiSQLException @@ -37,7 +36,7 @@ import org.apache.kyuubi.engine.trino.{TrinoConf, TrinoContext, TrinoStatement} import org.apache.kyuubi.engine.trino.event.TrinoSessionEvent import org.apache.kyuubi.events.EventBus import org.apache.kyuubi.operation.{Operation, OperationHandle} -import org.apache.kyuubi.session.{AbstractSession, SessionHandle, SessionManager, USE_CATALOG, USE_DATABASE} +import org.apache.kyuubi.session._ import org.apache.kyuubi.shaded.hive.service.rpc.thrift.{TGetInfoType, TGetInfoValue, TProtocolVersion} class TrinoSessionImpl( 
@@ -112,27 +111,31 @@ class TrinoSessionImpl( } private def createHttpClient(): OkHttpClient = { - val keystorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PATH) - val keystorePassword = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PASSWORD) - val keystoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_TYPE) - val truststorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PATH) - val truststorePassword = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PASSWORD) - val truststoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_TYPE) - val serverScheme = clientSession.getServer.getScheme - val builder = new OkHttpClient.Builder() - OkHttpUtil.setupSsl( - builder, - Optional.ofNullable(keystorePath.orNull), - Optional.ofNullable(keystorePassword.orNull), - Optional.ofNullable(keystoreType.orNull), - Optional.ofNullable(truststorePath.orNull), - Optional.ofNullable(truststorePassword.orNull), - Optional.ofNullable(truststoreType.orNull), - true) + val insecureEnabled = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_INSECURE_ENABLED) + if (insecureEnabled) { + OkHttpUtil.setupInsecureSsl(builder) + } else { + val keystorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PATH) + val keystorePassword = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PASSWORD) + val keystoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_TYPE) + val truststorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PATH) + val truststorePassword = + sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PASSWORD) + val truststoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_TYPE) + OkHttpUtil.setupSsl( + builder, + Optional.ofNullable(keystorePath.orNull), + Optional.ofNullable(keystorePassword.orNull), + Optional.ofNullable(keystoreType.orNull), + 
Optional.ofNullable(truststorePath.orNull), + Optional.ofNullable(truststorePassword.orNull), + Optional.ofNullable(truststoreType.orNull), + true) + } sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_PASSWORD).foreach { password => require( serverScheme.equalsIgnoreCase("https"), diff --git a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala index 422eb4718..fcbd1c9e6 100644 --- a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala +++ b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala @@ -1506,6 +1506,13 @@ object KyuubiConf { .stringConf .createOptional + val ENGINE_TRINO_CONNECTION_INSECURE_ENABLED: ConfigEntry[Boolean] = + buildConf("kyuubi.engine.trino.connection.insecure.enabled") + .doc("Skip certificate validation when connecting with TLS/HTTPS enabled trino cluster") + .version("1.9.2") + .booleanConf + .createWithDefault(false) + val ENGINE_TRINO_SHOW_PROGRESS: ConfigEntry[Boolean] = buildConf("kyuubi.session.engine.trino.showProgress") .doc("When true, show the progress bar and final info in the Trino engine log.")
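Review bot: In `createHttpClient`, the password block that follows the new `if`/`else` still runs when `insecureEnabled` is true, and its `require(serverScheme.equalsIgnoreCase("https"), ...)` guard passes even though the server certificate is no longer validated, so the Trino password can be sent to a peer that was never authenticated. I would reject that combination or, at the least, make it visible with one log line before `OkHttpUtil.setupInsecureSsl(builder)`, e.g. `warn("TLS certificate validation for the Trino connection is disabled")` (assuming the class has the project's logging helper in scope). The insecure branch also ignores the keystore and truststore settings silently; a comment such as `// keystore/truststore settings are not applied in insecure mode` would tell the next reader this is intended. The function body continues past the end of the hunk, and how `sessionConf` is populated is not visible here, so it is worth confirming that a connecting user cannot turn this option on per session.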
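Review bot: The `.doc(...)` text on `ENGINE_TRINO_CONNECTION_INSECURE_ENABLED` describes the mechanism but not what an operator gives up by enabling it. Judging by the `if`/`else` added to `createHttpClient` in this commit, the keystore and truststore settings are not applied when it is true, and skipping validation means the Trino server is not authenticated. I would say so in the string, for example `.doc("When true, skip TLS certificate validation when connecting to an HTTPS Trino cluster. The server is then not authenticated and the keystore/truststore settings are ignored.")`, and carry the same wording into the docs/configuration/settings.md row. The `object KyuubiConf` body starts and ends outside this hunk.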