HIVE-26723: Configurable canonical name checking. #3749
Merged: abstractdog merged 1 commit into apache:master from schjan79:HIVE-26723-jdbc_disable_canonical_hostname_check on Nov 14, 2022
Conversation
abstractdog (Contributor) requested changes on Nov 11, 2022:

looks good to me, minor comments
Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to SSLHandshakeException when trying to connect by alias name via Kerberos. To solve this issue a new connection property is introduced for the Kerberos use case to be able to disable the canonical host name check: 'enableCanonicalHostnameCheck' having default value `true`. When the property is not given in the connection string (or its value is true) then the original behaviour is applied, i.e. checking the canonical host name.

71cefb1 to 22cf6bb

SonarCloud: Kudos, SonarCloud Quality Gate passed!
abstractdog (Contributor) approved these changes on Nov 14, 2022:

+1
dengzhhu653 pushed a commit to dengzhhu653/hive that referenced this pull request on Dec 15, 2022:

…apache#3749) (Janos Schmidt reviewed by Laszlo Bodor) Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to SSLHandshakeException when trying to connect by alias name via Kerberos. To solve this issue a new connection property is introduced for the Kerberos use case to be able to disable the canonical host name check: 'enableCanonicalHostnameCheck' having default value `true`. When the property is not given in the connection string (or its value is true) then the original behaviour is applied, i.e. checking the canonical host name.
DongWei-4 pushed a commit to DongWei-4/hive that referenced this pull request on Dec 29, 2022:

…apache#3749) (Janos Schmidt reviewed by Laszlo Bodor) Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to SSLHandshakeException when trying to connect by alias name via Kerberos. To solve this issue a new connection property is introduced for the Kerberos use case to be able to disable the canonical host name check: 'enableCanonicalHostnameCheck' having default value `true`. When the property is not given in the connection string (or its value is true) then the original behaviour is applied, i.e. checking the canonical host name. (cherry picked from commit f7d4297)
yeahyung pushed a commit to yeahyung/hive that referenced this pull request on Jul 20, 2023:

…apache#3749) (Janos Schmidt reviewed by Laszlo Bodor) Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to SSLHandshakeException when trying to connect by alias name via Kerberos. To solve this issue a new connection property is introduced for the Kerberos use case to be able to disable the canonical host name check: 'enableCanonicalHostnameCheck' having default value `true`. When the property is not given in the connection string (or its value is true) then the original behaviour is applied, i.e. checking the canonical host name.
pan3793 pushed a commit to apache/kyuubi that referenced this pull request on Apr 1, 2025:

…ing.

### Why are the changes needed?

Backport apache/hive#3749

It is not possible to create an SSL connection with Kerberos authentication when the server certificate is not issued to the canonical host name but to an alternative domain name. See details about the exception and steps for reproducing in [HIVE-26723](https://issues.apache.org/jira/browse/HIVE-26723).

Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to SSLHandshakeException when trying to connect using an alias name with Kerberos authentication. To solve this issue a new connection property is introduced to be able to disable the canonical host name check: enableCanonicalHostnameCheck, having default value true. When the property is not given in the connection string (or its value is true) then the original behaviour is applied, i.e. checking the canonical host name.

### How was this patch tested?

There are no new unit tests because the fix is in the HiveConnection constructor, which contains a lot of logic inside and also builds new SSL connections. IMO it would have been far too much effort to mock the whole environment for creating unit tests against this tiny change. :( There wasn't any already existing test against HiveConnection that could be extended with this new feature/bugfix. It is misleading that there is a class named TestHiveConnection but there are no tests that would test the class HiveConnection itself. BTW it was tested manually: after this fix, when the steps in JIRA are executed again using the new JARs, the SSL connection is created successfully, and I was able to execute queries.

### Does this PR introduce any user-facing change?

A new JDBC connection URL property has been introduced: enableCanonicalHostnameCheck, to be able to turn off the canonical host name checking. Its default value is true, so if it is not set the canonical host name is checked when building up the SSL connection.

To turn off the canonical host name checking just add this property to the connection string, i.e.:

```
./beeline -u "jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com;enableCanonicalHostnameCheck=false;"
```

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes #7009 from turboFei/kerberos_can.

Closes #7009

40cd488 [Wang, Fei] Backport HIVE-26723: Configurable canonical name checking.

Authored-by: Wang, Fei <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
pan3793 pushed a commit to apache/kyuubi that referenced this pull request on Apr 1, 2025:

…ing.

### Why are the changes needed?

Backport apache/hive#3749

It is not possible to create an SSL connection with Kerberos authentication when the server certificate is not issued to the canonical host name but to an alternative domain name. See details about the exception and steps for reproducing in [HIVE-26723](https://issues.apache.org/jira/browse/HIVE-26723).

Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to SSLHandshakeException when trying to connect using an alias name with Kerberos authentication. To solve this issue a new connection property is introduced to be able to disable the canonical host name check: enableCanonicalHostnameCheck, having default value true. When the property is not given in the connection string (or its value is true) then the original behaviour is applied, i.e. checking the canonical host name.

### How was this patch tested?

There are no new unit tests because the fix is in the HiveConnection constructor, which contains a lot of logic inside and also builds new SSL connections. IMO it would have been far too much effort to mock the whole environment for creating unit tests against this tiny change. :( There wasn't any already existing test against HiveConnection that could be extended with this new feature/bugfix. It is misleading that there is a class named TestHiveConnection but there are no tests that would test the class HiveConnection itself. BTW it was tested manually: after this fix, when the steps in JIRA are executed again using the new JARs, the SSL connection is created successfully, and I was able to execute queries.

### Does this PR introduce any user-facing change?

A new JDBC connection URL property has been introduced: enableCanonicalHostnameCheck, to be able to turn off the canonical host name checking. Its default value is true, so if it is not set the canonical host name is checked when building up the SSL connection.

To turn off the canonical host name checking just add this property to the connection string, i.e.:

```
./beeline -u "jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com;enableCanonicalHostnameCheck=false;"
```

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes #7009 from turboFei/kerberos_can.

Closes #7009

40cd488 [Wang, Fei] Backport HIVE-26723: Configurable canonical name checking.

Authored-by: Wang, Fei <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
(cherry picked from commit 1937dd9)
Signed-off-by: Cheng Pan <[email protected]>
What changes were proposed in this pull request?

Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to `SSLHandshakeException` when trying to connect using an alias name with Kerberos authentication. To solve this issue a new connection property is introduced to be able to disable the canonical host name check: `enableCanonicalHostnameCheck`, having default value `true`. When the property is not given in the connection string (or its value is true) then the original behaviour is applied, i.e. checking the canonical host name.

Why are the changes needed?

It is not possible to create an SSL connection with Kerberos authentication when the server certificate is not issued to the canonical host name but to an alternative domain name.
See details about the exception and steps for reproducing in the JIRA#26723

Does this PR introduce any user-facing change?

A new JDBC connection URL property has been introduced: `enableCanonicalHostnameCheck`, to be able to turn off the canonical host name checking. Its default value is `true`, so if it is not set the canonical host name is checked when building up the SSL connection. To turn off the canonical host name checking just add this property to the connection string, i.e.:

```
./beeline -u "jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com;enableCanonicalHostnameCheck=false;"
```

How was this patch tested?

There are no new unit tests because the fix is in the `HiveConnection` constructor, which contains a lot of logic inside and also builds new SSL connections. IMO it would have been far too much effort to mock the whole environment for creating unit tests against this tiny change. :(
There wasn't any already existing test against `HiveConnection` that could be extended with this new feature/bugfix. It is misleading that there is a class named `TestHiveConnection` but there are no tests that would test the class `HiveConnection` itself. BTW it was tested manually: after this fix, when the steps in JIRA are executed again using the new JARs, the SSL connection is created successfully, and I was able to execute queries.
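The following is an added, constructed model of the behaviour the PR description spells out; it is not Hive's `HiveConnection` code and does not open any connection. It parses the `jdbc:hive2://` URL from the description, reads `enableCanonicalHostnameCheck` (absent means `true`), and then decides which name the server certificate's SAN entries are matched against: the reverse-resolved canonical name when the check is on, or the host written in the URL when it is off. The DNS table, the certificate SANs, and the rule that any value other than `true` turns the check off are assumptions of this example. Running it shows why a certificate issued for the alias `hs2.subdomain.example.com` passes with the property set to `false` and fails with the default, which is the `SSLHandshakeException` scenario from the JIRA; it also shows that the property only changes which name is verified, not whether verification happens.

```python
"""Constructed model of the connection-time behaviour described in HIVE-26723.

Added example code, not Hive's implementation. It models the client choosing
which host name the server certificate is verified against: the reverse-resolved
canonical name (enableCanonicalHostnameCheck absent or "true") or the host from
the JDBC URL (property "false"). DNS answers and certificate SANs are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS (alias -> canonical name); no network lookups.
FAKE_DNS: Dict[str, str] = {
    "hs2.subdomain.example.com": "node17.internal.example.com",
}

# Constructed SANs of a certificate issued for the alias, not the canonical name.
CERT_SANS: List[str] = ["hs2.subdomain.example.com", "*.subdomain.example.com"]

# Connection string from the PR description, and the same URL without the property.
PAGE_URL = ("jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;"
            "httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;"
            "principal=myhiveprincipal/mydomain.example.com;enableCanonicalHostnameCheck=false;")
DEFAULT_URL = PAGE_URL.replace("enableCanonicalHostnameCheck=false;", "")


def parse_hive2_url(url: str) -> Tuple[str, Optional[int], Dict[str, str]]:
    """Split a single-host jdbc:hive2:// URL into host, port and the
    ';'-separated session properties that follow the database name."""
    m = re.match(r"^jdbc:hive2://([^:/;]+)(?::(\d+))?(?:/[^;]*)?(?:;(.*))?$", url)
    if not m:
        raise ValueError("not a single-host jdbc:hive2 URL")
    host, port, rest = m.group(1), m.group(2), m.group(3) or ""
    props: Dict[str, str] = {}
    for kv in filter(None, rest.split(";")):
        key, _, value = kv.partition("=")
        props[key] = value
    return host, (int(port) if port else None), props


def canonical_check_enabled(props: Dict[str, str]) -> bool:
    """Absent property keeps the default (true). Treating any value other than
    'true' as false is an assumption of this model, not Hive's documented parsing."""
    return props.get("enableCanonicalHostnameCheck", "true").strip().lower() == "true"


def name_to_verify(url_host: str, canonical_check: bool, dns: Dict[str, str] = FAKE_DNS) -> str:
    """Name the certificate is matched against: canonical name when the check is on."""
    return dns.get(url_host, url_host) if canonical_check else url_host


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive; '*' allowed only as the
    entire leftmost label and matching exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False  # reject "f*o.example.com", "*.com", "*.*.example.com"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(sans: List[str], host: str) -> bool:
    """True when any SAN entry of the certificate covers the given host name."""
    return any(dns_name_matches(san, host) for san in sans)


def simulate_connect(url: str, sans: List[str], dns: Dict[str, str] = FAKE_DNS) -> Dict[str, object]:
    """Run the URL through parse -> name selection -> SAN match and report each step."""
    host, _port, props = parse_hive2_url(url)
    check = canonical_check_enabled(props)
    target = name_to_verify(host, check, dns)
    return {
        "url_host": host,
        "canonical_check": check,
        "verified_against": target,
        "handshake_ok": verify_hostname(sans, target),
    }


if __name__ == "__main__":
    for label, url in (("default", DEFAULT_URL), ("property=false", PAGE_URL)):
        print(label, simulate_connect(url, CERT_SANS))
```

The `ssl=true` and Kerberos preconditions under which Hive performs this check are not modelled; the example only isolates the name-selection step. Operationally, the defensive reading is that setting the property to `false` makes the client verify the certificate against the name the user actually typed, so the certificate issued for the alias still has to match that alias.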