apache/kyuubi
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
6da0e62baf
kyuubi/kyuubi-hive-jdbc
History
Wang, Fei 1937dd93f9
[KYUUBI #7009] Backport HIVE-26723: Configurable canonical name checking. 
### Why are the changes needed?

Backport https://github.com/apache/hive/pull/3749

It is not possible to create SSL connection with Kerberos authentication when the server certificate is not issued to the canonical host name but to an alternative domain name.

See details about the exception and steps for reproducing in the [HIVE-26723](https://issues.apache.org/jira/browse/HIVE-26723)

Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to SSLHandshakeExcpetion when trying to connect using alias name with Kerberos authentication. To solve this issue a new connection property is introduced to be able disabling canonical host name check: enableCanonicalHostnameCheck having default value true.

When the property is not given in connection string (or its value is true) then the original behaviour is applied i.e. checking canonical host name.

### How was this patch tested?

There are no new unit tests because the fix is in the HiveConnection constructor which contains lot of logic inside and also builds new SSL connections.
IMO it would have been far too much effort to mock the whole environment for creating unit tests against this tiny change. :(

There wasn't any already existing test against HiveConnection that could be extended with this new feature/bugfix. It is misleading that there is a class having name TestHiveConnection but there is no any tests that would test the class HiveConnection itself.

BTW It was tested manually: after this fix when the steps in JIRA are executed again using the new JARs then the SSL connection is created successfully, and I was able to execute queries.

### Does this PR introduce any user-facing change?
A new JDBC connection URL property has been introduced: enableCanonicalHostnameCheck to be able to turn off the canonical host name checking. Its default value is true so if it is not set the canonical host name is checked when building up the SSL connection.

To turn off the canonical host name checking just add this property to the connection string, i.e:

```
./beeline -u "jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com;enableCanonicalHostnameCheck=false;"
```
### Was this patch authored or co-authored using generative AI tooling?

No.

Closes #7009 from turboFei/kerberos_can.

Closes #7009

40cd48814 [Wang, Fei] Backport HIVE-26723: Configurable canonical name checking.

Authored-by: Wang, Fei <fwang12@ebay.com>
Signed-off-by: Cheng Pan <chengpan@apache.org>
2025-04-01 13:51:16 +08:00
..
src [KYUUBI #7009] Backport HIVE-26723: Configurable canonical name checking. 2025-04-01 13:51:16 +08:00
pom.xml [KYUUBI #6769] [RELEASE] Bump 1.11.0-SNAPSHOT 2024-10-23 17:10:56 +08:00
README.md

README.md

Kyuubi Hive JDBC Module

Aiming to make a better supported client for Kyuubi and Spark

  • Add catalog to getTables meta function for DataLakes (DONE, broken in v1.3.0-incubating, fixed in v1.3.1-incubating)
  • Deploy to maven central (DONE, available since v1.3.0-incubating)
  • Create shaded jar (DONE, available since v1.4.0-incubating)
  • Remove Hive dependencies (DONE, available since v1.6.0-incubating)