From ef943ecb3bdcebd87d8e005189b3e8ebf4808dca Mon Sep 17 00:00:00 2001 From: jiaoqingbo <1178404354@qq.com> Date: Thu, 4 Jul 2024 22:41:13 +0800 Subject: [PATCH] [KYUUBI #6524] Trino engine supports insecure configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit # :mag: Description ## Issue References 🔗 This pull request fixes #6524 ## Describe Your Solution 🔧 Trino engine supports insecure configuration, just as trino client supports --insecure parameter ## Types of changes :bookmark: - [x] Bugfix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) ## Test Plan 🧪 #### Behavior Without This Pull Request :coffin: #### Behavior With This Pull Request :tada: #### Related Unit Tests --- # Checklist 📝 - [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html) **Be nice. Be informative.** Closes #6525 from jiaoqingbo/6524. Closes #6524 b414b2e05 [jiaoqingbo] update settings.md 129d40742 [jiaoqingbo] [KYUUBI #6524] Trino engine supports insecure configuration 24f374b38 [jiaoqingbo] Merge branch 'master' of https://github.com/jiaoqingbo/incubator-kyuubi e89268e4b [jiaoqingbo] [KYUUBI #6508] Add the key-value pairs in optimizedConf to session conf Authored-by: jiaoqingbo <1178404354@qq.com> Signed-off-by: Cheng Pan --- docs/configuration/settings.md | 1 + .../trino/session/TrinoSessionImpl.scala | 43 ++++++++++--------- .../org/apache/kyuubi/config/KyuubiConf.scala | 7 +++ 3 files changed, 31 insertions(+), 20 deletions(-) diff --git a/docs/configuration/settings.md b/docs/configuration/settings.md index 3d4177e86..bc652794b 100644 --- a/docs/configuration/settings.md +++ b/docs/configuration/settings.md
@@ -193,6 +193,7 @@ You can configure the Kyuubi properties in `$KYUUBI_HOME/conf/kyuubi-defaults.co | kyuubi.engine.spark.python.env.archive.exec.path | bin/python | The Python exec path under the Python env archive. | string | 1.7.0 | | kyuubi.engine.spark.python.home.archive | <undefined> | Spark archive containing $SPARK_HOME/python directory, which is used to init session Python worker for Python language mode. | string | 1.7.0 | | kyuubi.engine.submit.timeout | PT30S | Period to tolerant Driver Pod ephemerally invisible after submitting. In some Resource Managers, e.g. K8s, the Driver Pod is not visible immediately after `spark-submit` is returned. | duration | 1.7.1 | +| kyuubi.engine.trino.connection.insecure.enabled | false | Skip certificate validation when connecting with TLS/HTTPS enabled trino cluster | boolean | 1.9.2 | | kyuubi.engine.trino.connection.keystore.password | <undefined> | The keystore password used for connecting to trino cluster | string | 1.8.0 | | kyuubi.engine.trino.connection.keystore.path | <undefined> | The keystore path used for connecting to trino cluster | string | 1.8.0 | | kyuubi.engine.trino.connection.keystore.type | <undefined> | The keystore type used for connecting to trino cluster | string | 1.8.0 | diff --git a/externals/kyuubi-trino-engine/src/main/scala/org/apache/kyuubi/engine/trino/session/TrinoSessionImpl.scala b/externals/kyuubi-trino-engine/src/main/scala/org/apache/kyuubi/engine/trino/session/TrinoSessionImpl.scala index 2bfec299a..817e68423 100644 --- a/externals/kyuubi-trino-engine/src/main/scala/org/apache/kyuubi/engine/trino/session/TrinoSessionImpl.scala +++ b/externals/kyuubi-trino-engine/src/main/scala/org/apache/kyuubi/engine/trino/session/TrinoSessionImpl.scala 
@@ -25,8 +25,7 @@ import java.util.concurrent.TimeUnit import scala.collection.JavaConverters._ import io.airlift.units.Duration -import io.trino.client.ClientSession -import io.trino.client.OkHttpUtil +import io.trino.client.{ClientSession, OkHttpUtil} import okhttp3.OkHttpClient import org.apache.kyuubi.KyuubiSQLException @@ -37,7 +36,7 @@ import org.apache.kyuubi.engine.trino.{TrinoConf, TrinoContext, TrinoStatement} import org.apache.kyuubi.engine.trino.event.TrinoSessionEvent import org.apache.kyuubi.events.EventBus import org.apache.kyuubi.operation.{Operation, OperationHandle} -import org.apache.kyuubi.session.{AbstractSession, SessionHandle, SessionManager, USE_CATALOG, USE_DATABASE} +import org.apache.kyuubi.session._ import org.apache.kyuubi.shaded.hive.service.rpc.thrift.{TGetInfoType, TGetInfoValue, TProtocolVersion} class TrinoSessionImpl( 
@@ -112,27 +111,31 @@ class TrinoSessionImpl( } private def createHttpClient(): OkHttpClient = { - val keystorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PATH) - val keystorePassword = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PASSWORD) - val keystoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_TYPE) - val truststorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PATH) - val truststorePassword = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PASSWORD) - val truststoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_TYPE) - val serverScheme = clientSession.getServer.getScheme - val builder = new OkHttpClient.Builder() - OkHttpUtil.setupSsl( - builder, - Optional.ofNullable(keystorePath.orNull), - Optional.ofNullable(keystorePassword.orNull), - Optional.ofNullable(keystoreType.orNull), - Optional.ofNullable(truststorePath.orNull), - Optional.ofNullable(truststorePassword.orNull), - Optional.ofNullable(truststoreType.orNull), - true) + val insecureEnabled = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_INSECURE_ENABLED) + if (insecureEnabled) { + OkHttpUtil.setupInsecureSsl(builder) + } else { + val keystorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PATH) + val keystorePassword = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_PASSWORD) + val keystoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_KEYSTORE_TYPE) + val truststorePath = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PATH) + val truststorePassword = + sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_PASSWORD) + val truststoreType = sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_TRUSTSTORE_TYPE) + OkHttpUtil.setupSsl( + builder, + Optional.ofNullable(keystorePath.orNull), + Optional.ofNullable(keystorePassword.orNull), + Optional.ofNullable(keystoreType.orNull), + 
Optional.ofNullable(truststorePath.orNull), + Optional.ofNullable(truststorePassword.orNull), + Optional.ofNullable(truststoreType.orNull), + true) + } sessionConf.get(KyuubiConf.ENGINE_TRINO_CONNECTION_PASSWORD).foreach { password => require( serverScheme.equalsIgnoreCase("https"), diff --git a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala index 422eb4718..fcbd1c9e6 100644 --- a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala +++ b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala @@ -1506,6 +1506,13 @@ object KyuubiConf { .stringConf .createOptional + val ENGINE_TRINO_CONNECTION_INSECURE_ENABLED: ConfigEntry[Boolean] = + buildConf("kyuubi.engine.trino.connection.insecure.enabled") + .doc("Skip certificate validation when connecting with TLS/HTTPS enabled trino cluster") + .version("1.9.2") + .booleanConf + .createWithDefault(false) + val ENGINE_TRINO_SHOW_PROGRESS: ConfigEntry[Boolean] = buildConf("kyuubi.session.engine.trino.showProgress") .doc("When true, show the progress bar and final info in the Trino engine log.")
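Review bot: The new `insecureEnabled` branch in `createHttpClient` switches off certificate validation without leaving any trace, while the password block right after it still only checks `serverScheme.equalsIgnoreCase("https")`, so a configured password would be sent to a server whose identity was never verified. Any keystore/truststore settings are also skipped silently when the flag is true. I would log at the top of the branch, e.g. `warn("kyuubi.engine.trino.connection.insecure.enabled=true: TLS certificate validation is disabled for the Trino connection")` (assuming a logger is in scope in this class), and consider at least warning on the insecure-plus-password combination. The flag is read from `sessionConf`; if that can carry client-supplied session settings (not visible in this hunk), operators may want to keep users from setting it, for example via `kyuubi.session.conf.restrict.list`. The body of `createHttpClient` continues past the end of the hunk.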
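Review bot: The `.doc(...)` text for `ENGINE_TRINO_CONNECTION_INSECURE_ENABLED` says what the flag does but not what it costs: with validation skipped, the engine cannot detect an impersonated or intercepted Trino endpoint. I would extend it along the lines of `"... This removes protection against man-in-the-middle interception and ignores the keystore/truststore settings; intended for testing only."`. The row added to `docs/configuration/settings.md` carries the same sentence and would need the same wording.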