Backport HIVE-26723: Configurable canonical name checking. #7009
Conversation
pan3793
left a comment
It's a clean backport from upstream Hive, LGTM
…ing.

### Why are the changes needed?

Backport apache/hive#3749

It is not possible to create an SSL connection with Kerberos authentication when the server certificate is not issued to the canonical host name but to an alternative domain name.

See details about the exception and steps for reproducing in [HIVE-26723](https://issues.apache.org/jira/browse/HIVE-26723).

Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to SSLHandshakeException when trying to connect using an alias name with Kerberos authentication. To solve this issue a new connection property is introduced to be able to disable the canonical host name check: enableCanonicalHostnameCheck, having default value true.

When the property is not given in the connection string (or its value is true) then the original behaviour is applied, i.e. checking the canonical host name.

### How was this patch tested?

There are no new unit tests because the fix is in the HiveConnection constructor, which contains a lot of logic inside and also builds new SSL connections.

IMO it would have been far too much effort to mock the whole environment for creating unit tests against this tiny change. :(

There wasn't any existing test against HiveConnection that could be extended with this new feature/bugfix. It is misleading that there is a class named TestHiveConnection but there are no tests that test the class HiveConnection itself.

BTW it was tested manually: after this fix, when the steps in the JIRA are executed again using the new JARs, the SSL connection is created successfully, and I was able to execute queries.

### Does this PR introduce any user-facing change?

A new JDBC connection URL property has been introduced: enableCanonicalHostnameCheck, to be able to turn off the canonical host name checking. Its default value is true, so if it is not set the canonical host name is checked when building up the SSL connection.

To turn off the canonical host name checking just add this property to the connection string, i.e.:

```
./beeline -u "jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com;enableCanonicalHostnameCheck=false;"
```

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes #7009 from turboFei/kerberos_can.

Closes #7009

40cd488 [Wang, Fei] Backport HIVE-26723: Configurable canonical name checking.

Authored-by: Wang, Fei <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
(cherry picked from commit 1937dd9)
Signed-off-by: Cheng Pan <[email protected]>
Merged to master/1.10.2
Codecov Report

Attention: Patch coverage is

Coverage diff, master vs #7009:

| | master | #7009 | +/- |
|---|---|---|---|
| Coverage | 0.00% | 0.00% | |
| Files | 693 | 694 | +1 |
| Lines | 42735 | 42748 | +13 |
| Branches | 5816 | 5819 | +3 |
| Misses | 42735 | 42748 | +13 |
Why are the changes needed?
Backport apache/hive#3749
It is not possible to create an SSL connection with Kerberos authentication when the server certificate is not issued to the canonical host name but to an alternative domain name.
See details about the exception and steps for reproducing in HIVE-26723.
Hive JDBC client validates the host name by its canonical name by default. This behaviour leads to SSLHandshakeException when trying to connect using an alias name with Kerberos authentication. To solve this issue a new connection property is introduced to be able to disable the canonical host name check: enableCanonicalHostnameCheck, having default value true.
When the property is not given in connection string (or its value is true) then the original behaviour is applied i.e. checking canonical host name.
How was this patch tested?
There are no new unit tests because the fix is in the HiveConnection constructor, which contains a lot of logic inside and also builds new SSL connections.
IMO it would have been far too much effort to mock the whole environment for creating unit tests against this tiny change. :(
There wasn't any existing test against HiveConnection that could be extended with this new feature/bugfix. It is misleading that there is a class named TestHiveConnection but there are no tests that test the class HiveConnection itself.
BTW It was tested manually: after this fix when the steps in JIRA are executed again using the new JARs then the SSL connection is created successfully, and I was able to execute queries.
Does this PR introduce any user-facing change?
A new JDBC connection URL property has been introduced: enableCanonicalHostnameCheck to be able to turn off the canonical host name checking. Its default value is true so if it is not set the canonical host name is checked when building up the SSL connection.
To turn off the canonical host name checking just add this property to the connection string, i.e:
Was this patch authored or co-authored using generative AI tooling?
No.
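The two verification modes described above (and in the merge commit's beeline example) can be modelled without a live cluster. The following is an added illustration written for this page; it is not Hive's or Kyuubi's code. It assumes a constructed DNS table standing in for what a Java client gets from InetAddress.getCanonicalHostName(), a constructed server certificate SAN list issued to the alias only (the HIVE-26723 situation), a single-host `jdbc:hive2://` URL parser, and that the driver reads the property like Java's Boolean.parseBoolean (only the literal `true` keeps the check on); all four are assumptions. It also shows the caveat a reviewer should weigh: with the check on, the reference identifier the certificate is matched against comes from DNS, so a poisoned answer chooses the name the client will accept, which is why RFC 6125 §6.2.1 forbids DNS-derived reference identifiers; with the check off, the client matches the name exactly as typed in the URL.

```python
"""Model of the two hostname-verification modes behind enableCanonicalHostnameCheck.

Added illustration only; this is not Hive's or Kyuubi's code. DNS answers and the
server certificate's SAN list are constructed tables, so it runs offline.
"""

# Constructed DNS view: the canonical name a Java client would obtain from
# InetAddress.getCanonicalHostName() for each name it is given.
DNS_VIEW = {
    "hs2.subdomain.example.com": "hs2-node01.internal.example.com",
    "hs2-node01.internal.example.com": "hs2-node01.internal.example.com",
}

# Constructed server certificate: issued to the alias, not the canonical name,
# which is the situation HIVE-26723 describes.
SERVER_CERT_SANS = ["hs2.subdomain.example.com", "*.subdomain.example.com"]


def parse_hive2_url(url):
    """Parse jdbc:hive2://host[:port]/[db][;key=value...] into (host, port, params).

    Assumption: single-host URLs only; optional ?hiveConf and #hiveVar parts are
    dropped before parsing. The principal value may contain '/', which is fine
    because only the first '/' separates authority from path.
    """
    prefix = "jdbc:hive2://"
    if not url.startswith(prefix):
        raise ValueError("not a hive2 JDBC URL")
    rest = url[len(prefix):].split("?", 1)[0].split("#", 1)[0]
    authority, _, tail = rest.partition("/")
    host, _, port = authority.partition(":")
    params = {}
    for item in tail.split(";")[1:]:        # element 0 is the database name
        key, sep, value = item.partition("=")
        if sep:                             # skips the empty item a trailing ';' leaves
            params[key.strip()] = value.strip()
    return host.lower(), int(port) if port else 10000, params


def canonical_check_enabled(params):
    """Default true; only the literal "true" (any case) keeps the check on, mirroring
    Java's Boolean.parseBoolean (an assumption about how the driver reads it)."""
    return params.get("enableCanonicalHostnameCheck", "true").lower() == "true"


def dns_name_matches(pattern, hostname):
    """RFC 6125-style dNSName match: exact, or one '*' as the whole leftmost label
    matching exactly one label. No partial-label or multi-level wildcards."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def reference_identifier(url_host, check_canonical, dns_view=DNS_VIEW):
    """Name the client compares the certificate against: the DNS canonical name
    when the check is on, otherwise the host exactly as typed in the URL."""
    host = url_host.lower()
    return dns_view.get(host, host) if check_canonical else host


def verify(url_host, cert_sans, check_canonical, dns_view=DNS_VIEW):
    """Return (handshake_ok, reference_name) for the given mode."""
    ref = reference_identifier(url_host, check_canonical, dns_view)
    return any(dns_name_matches(san, ref) for san in cert_sans), ref


def verify_url(url, cert_sans=SERVER_CERT_SANS, dns_view=DNS_VIEW):
    """Apply the URL's own enableCanonicalHostnameCheck setting."""
    host, _port, params = parse_hive2_url(url)
    return verify(host, cert_sans, canonical_check_enabled(params), dns_view)


if __name__ == "__main__":
    base = ("jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;"
            "httpPath=cliservice;ssl=true;principal=myhiveprincipal/mydomain.example.com")
    print("default           :", verify_url(base))
    print("check disabled    :", verify_url(base + ";enableCanonicalHostnameCheck=false;"))
    # Poisoned DNS: the attacker's name becomes the reference identifier when the
    # check is on, so a certificate for the attacker's own name is accepted.
    poisoned = {"hs2.subdomain.example.com": "hs2.attacker.example"}
    print("poisoned, check on :", verify_url(base, ["hs2.attacker.example"], poisoned))
    print("poisoned, check off:", verify_url(base + ";enableCanonicalHostnameCheck=false",
                                             ["hs2.attacker.example"], poisoned))
```

Running the block reproduces the symptom from the JIRA (the alias-only certificate fails against the canonical name and passes once `enableCanonicalHostnameCheck=false` is set) and then the reverse case under a poisoned DNS view, where the default mode is the one that accepts the wrong certificate.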