Allow configuring credential-cache for kerberized hive connector

[Praveen2112]

Description

This allows us deploy hive connector in a keytab less environment where the credentials are fetched from credential cache file.

Is this change a fix, improvement, new feature, refactoring, or other?

New feature for Hive and iceberg connector.

Is this a change to the core query engine, a connector, client library, or the SPI interfaces? (be specific)

This is specific to hive connector and iceberg connector.

How would you describe this change to a non-technical end user or system administrator?

This allows us deploy hive connector in a keytab less environment where the credentials are fetched from credential cache file.

Related issues, pull requests, and links

Documentation

( ) No documentation is needed.
( ) Sufficient documentation is included in this PR.
(x) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.

Release notes

( ) No release notes entries required.
(x) Release notes entries required with the following suggested text:

# Section
* Allow using credential-cache for kerberized hive connector

[wendigo]

LGTM % comments

[kokosing]

looks good

[kokosing]

Can we use keytab together with cache? Do we need validation for this?

[Praveen2112]

Using a keytab along with cache is also a valid configuration. So I don't think we need a verification for it. Maybe we can add an additional config to check if either of them are present.

[kokosing]

Can we have a test for this then?

[Praveen2112]

Additional PT environment for both keytab with cache ?

[kokosing]

Yes. WDYT?

[Praveen2112]

then we need to multiply the tests. Instead of copying tests I think adding more environment would give us better coverage.

[kokosing]

You can make tests parametric

[Praveen2112]

It is also kind of tricky - if we are testing for group configured_features then we need to make all the tests parametric but some of them would run in a non-kerberos environment. So we need to duplicate them for kerberos and non-kerberos environment - or introduce some dummy catalogs to non-keberos environment.

[kokosing]

OK. So let's add new environment then.

[Praveen2112]

Added

[Praveen2112]

@wendigo / @kokosing / @s2lomon Have rebased it due to logical conflict. Addressed additional comments.

[s2lomon]

lgtm

[s2lomon]

Wow, I've not known that we can do that. So it's either null, or path to existing file correct?

[Praveen2112]

Yeah. And it applies check if the file exists.

[Praveen2112]

@wendigo / @kokosing Added tests and applied comments.

[kokosing]

CI is red

[kokosing]

Use HOST_NAME in these values to make it clear what you tests

[Praveen2112]

@wendigo / @kokosing / @s2lomon We made one change in KerberosConfiguration - We enable storeKey - if keyTab is configured and credential-cache is not configured. (As TGT is fetched from Credential Cache, then the KeyTab will not be loaded, and we would get a LoginException stating 'No key to store'.). Is this the correct approach or should we restrict keyTab or credentialCache cannot be configured at the same time.

[kokosing]

should we restrict keyTab or credentialCache cannot be configured at the same time.

I would start with this approach. It sounds that we could relax that in future when we learn about the use case. Configuring these two things is kind of misleading and I am not sure what user really wants.

[wendigo]

I agree with @kokosing on this

[Praveen2112]

@wendigo / @kokosing / @s2lomon AC

[s2lomon]

lgtm

[colebow]

@Praveen2112 the template suggests there's another PR with docs for this change, but I can't find it. Could you link?

Also, what section should the release note go into?

[Praveen2112]

I'm working on the PR for docs.

The release notes should be part of Hive connector.