From c01a99e2469cd2dc0305777755c00948e9766149 Mon Sep 17 00:00:00 2001 From: Fei Wang Date: Fri, 12 Jan 2024 13:44:47 -0800 Subject: [PATCH] refine --- .../jdbc/hive/JdbcConnectionParams.java | 1 + .../kyuubi/jdbc/hive/KyuubiConnection.java | 57 ++++++++++++++----- 2 files changed, 44 insertions(+), 14 deletions(-) diff --git a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java index f1ab717a383..9aba2a813fa 100644 --- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java +++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/JdbcConnectionParams.java @@ -52,6 +52,7 @@ public class JdbcConnectionParams { public static final String AUTH_KYUUBI_CLIENT_TICKET_CACHE = "kyuubiClientTicketCache"; public static final String AUTH_PASSWD = "password"; public static final String AUTH_KERBEROS_AUTH_TYPE = "kerberosAuthType"; + public static final String AUTH_KERBEROS_AUTH_TYPE_FROM_KEYTAB = "fromKeytab"; public static final String AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT = "fromSubject"; public static final String AUTH_KERBEROS_AUTH_TYPE_FROM_TICKET_CACHE = "fromTicketCache"; public static final String ANONYMOUS_USER = "anonymous"; diff --git a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java index 9c109c24ae9..f8f5cd81e85 100644 --- a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java +++ b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/KyuubiConnection.java @@ -847,30 +847,59 @@ private boolean isHadoopUserGroupInformationDoAs() { } } + private boolean isForciblyFromKeytabAuthMode() { + return AUTH_KERBEROS_AUTH_TYPE_FROM_KEYTAB.equalsIgnoreCase( + sessConfMap.get(AUTH_KERBEROS_AUTH_TYPE)); + } + + private boolean isForciblyFromSubjectAuthMode() { + return AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT.equalsIgnoreCase( + sessConfMap.get(AUTH_KERBEROS_AUTH_TYPE)); + } + + private boolean isForciblyTgtCacheAuthMode() { + return AUTH_KERBEROS_AUTH_TYPE_FROM_TICKET_CACHE.equalsIgnoreCase( + sessConfMap.get(AUTH_KERBEROS_AUTH_TYPE)); + } + private boolean isKeytabAuthMode() { - return isSaslAuthMode() - && hasSessionValue(AUTH_PRINCIPAL) + // handle explicit cases first + if (isForciblyFromSubjectAuthMode() || isForciblyTgtCacheAuthMode()) { + return false; + } + if (isKerberosAuthMode() && isForciblyFromKeytabAuthMode()) { + return true; + } + // handle implicit cases then + return isKerberosAuthMode() && hasSessionValue(AUTH_KYUUBI_CLIENT_PRINCIPAL) && hasSessionValue(AUTH_KYUUBI_CLIENT_KEYTAB); } private boolean isFromSubjectAuthMode() { - return isSaslAuthMode() - && hasSessionValue(AUTH_PRINCIPAL) - && !hasSessionValue(AUTH_KYUUBI_CLIENT_PRINCIPAL) + // handle explicit cases first + if (isForciblyFromKeytabAuthMode() || isForciblyTgtCacheAuthMode()) { + return false; + } + if (isKerberosAuthMode() && isForciblyFromSubjectAuthMode()) { + return true; + } + // handle implicit cases then + return isKerberosAuthMode() && !hasSessionValue(AUTH_KYUUBI_CLIENT_KEYTAB) - && (AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT.equalsIgnoreCase( - sessConfMap.get(AUTH_KERBEROS_AUTH_TYPE)) - || (!AUTH_KERBEROS_AUTH_TYPE_FROM_TICKET_CACHE.equalsIgnoreCase( - sessConfMap.get(AUTH_KERBEROS_AUTH_TYPE)) - && isHadoopUserGroupInformationDoAs())); + && isHadoopUserGroupInformationDoAs(); } private boolean isTgtCacheAuthMode() { - return isSaslAuthMode() - && hasSessionValue(AUTH_PRINCIPAL) - && !hasSessionValue(AUTH_KYUUBI_CLIENT_PRINCIPAL) - && !hasSessionValue(AUTH_KYUUBI_CLIENT_KEYTAB); + // handle explicit cases first + if (isForciblyFromKeytabAuthMode() || isForciblyFromSubjectAuthMode()) { + return false; + } + if (isKerberosAuthMode() && isForciblyTgtCacheAuthMode()) { + return true; + } + // handle implicit cases then + return isKerberosAuthMode() && !hasSessionValue(AUTH_KYUUBI_CLIENT_KEYTAB); } private boolean isPlainSaslAuthMode() {