[ https://issues.apache.org/jira/browse/HIVE-26723?focusedWorklogId=825690&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-825690 ]
ASF GitHub Bot logged work on HIVE-26723:
-----------------------------------------

Author: ASF GitHub Bot
Created on: 14/Nov/22 10:16
Start Date: 14/Nov/22 10:16
Worklog Time Spent: 10m
Work Description:
abstractdog merged PR #3749:
URL: https://github.com/apache/hive/pull/3749

Issue Time Tracking
-------------------

Worklog Id: (was: 825690)
Time Spent: 1h (was: 50m)

> JDBC - Configurable canonical name checking for Kerberos
> --------------------------------------------------------
>
> Key: HIVE-26723
> URL: https://issues.apache.org/jira/browse/HIVE-26723
> Project: Hive
> Issue Type: Bug
> Reporter: János Schmidt
> Assignee: János Schmidt
> Priority: Major
> Labels: pull-request-available
> Fix For: 4.0.0-alpha-2
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> h1. Problem
> Hive JDBC converts the host name from the connection string to the canonical name. In some use cases this behaviour leads to an `SSLHandshakeException` because the certificate of the Hive server is not issued for the canonical host name but for an alias.
> h1. Context
> * Hive server 2 is deployed into a Kubernetes/Openshift cluster having name hs2.subdomain.example.com ()
> * a wildcard certificate for a subdomain is added to the Java cacerts, i.e. *.subdomain.example.com
> * hive-beeline-3.1.3000.2022.0.8.0-3.jar
> * hive-jdbc-3.1.3000.2022.0.8.0-3.jar
> * open a Kerberos authenticated connection
>
> h1. Steps to reproduce
> {code:bash}
> JAVA_TOOL_OPTIONS="-Djava.security.auth.login.config=gss-jaas.conf -Dsun.security.jgss.debug=true -Djavax.security.auth.useSubjectCredsOnly=false" ./beeline -u "jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com" --verbose=true
> HADOOP_HOME not set, executing beeline using JAVA
> Picked up JAVA_TOOL_OPTIONS: -Djava.security.auth.login.config=gss-jaas.conf -Dsun.security.jgss.debug=true -Djavax.security.auth.useSubjectCredsOnly=false
> !connect jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com '' [passwd stripped]
> Connecting to jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com
> Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
> Error: Could not open client transport with JDBC Uri: jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com: Could not establish connection to jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake (state=08S01,code=0)
> java.sql.SQLException: Could not open client transport with JDBC Uri: jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com: Could not establish connection to jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
> 	at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:406)
> 	at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:280)
> 	at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:107)
> 	at java.sql.DriverManager.getConnection(DriverManager.java:664)
> 	at java.sql.DriverManager.getConnection(DriverManager.java:208)
> 	at org.apache.hive.beeline.DatabaseConnection.connect(DatabaseConnection.java:145)
> 	at org.apache.hive.beeline.DatabaseConnection.getConnection(DatabaseConnection.java:209)
> 	at org.apache.hive.beeline.Commands.connect(Commands.java:1680)
> 	at org.apache.hive.beeline.Commands.connect(Commands.java:1574)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:498)
> 	at org.apache.hive.beeline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:56)
> 	at org.apache.hive.beeline.BeeLine.execCommandWithPrefix(BeeLine.java:1463)
> 	at org.apache.hive.beeline.BeeLine.dispatch(BeeLine.java:1502)
> 	at org.apache.hive.beeline.BeeLine.connectUsingArgs(BeeLine.java:922)
> 	at org.apache.hive.beeline.BeeLine.initArgs(BeeLine.java:804)
> 	at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:1115)
> 	at org.apache.hive.beeline.BeeLine.begin(BeeLine.java:1089)
> 	at org.apache.hive.beeline.BeeLine.mainWithInputRedirection(BeeLine.java:547)
> 	at org.apache.hive.beeline.BeeLine.main(BeeLine.java:529)
> Caused by: java.sql.SQLException: Could not establish connection to jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com;xenableCanonicalHostnameCheck=false: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
> 	at org.apache.hive.jdbc.HiveConnection.openSession(HiveConnection.java:1115)
> 	at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:378)
> 	... 21 more
> Caused by: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
> 	at org.apache.thrift.transport.THttpClient.flushUsingHttpClient(THttpClient.java:297)
> 	at org.apache.thrift.transport.THttpClient.flush(THttpClient.java:316)
> 	at org.apache.thrift.TServiceClient.sendBase(TServiceClient.java:73)
> 	at org.apache.thrift.TServiceClient.sendBase(TServiceClient.java:62)
> 	at org.apache.hive.service.rpc.thrift.TCLIService$Client.send_OpenSession(TCLIService.java:143)
> 	at org.apache.hive.service.rpc.thrift.TCLIService$Client.OpenSession(TCLIService.java:135)
> 	at org.apache.hive.jdbc.HiveConnection.openSession(HiveConnection.java:1169)
> 	at org.apache.hive.jdbc.HiveConnection.openSession(HiveConnection.java:1100)
> 	... 22 more
> Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
> 	at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1575)
> 	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1405)
> 	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)
> 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
> 	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
> 	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
> 	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> 	at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:313)
> 	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
> 	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
> 	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
> 	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> 	at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.execute(ServiceUnavailableRetryExec.java:85)
> 	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> 	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
> 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
> 	at org.apache.thrift.transport.THttpClient.flushUsingHttpClient(THttpClient.java:251)
> 	... 29 more
> Caused by: java.io.EOFException: SSL peer shut down incorrectly
> 	at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
> 	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
> 	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)
> 	... 45 more
> {code}
>
> h1. Deep dive
> When _*javax.net.debug*_ is set to {_}*all*{_}, then we can see that the canonical host name is used at certificate validation.
> {code:bash}
> JAVA_TOOL_OPTIONS="-Djava.security.auth.login.config=gss-jaas.conf -Dsun.security.jgss.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Djavax.net.debug=all" ./beeline -u "jdbc:hive2://hs2.subdomain.example.com:443/default;transportMode=http;httpPath=cliservice;socketTimeout=60;ssl=true;retries=1;principal=myhiveprincipal/mydomain.example.com" --verbose=true
> ...
>   "compression methods" : "00",
>   "extensions" : [
>     "server_name (0)": {
>       type=host_name (0), value=canonicalhostname.example.com
>     },
>     "supported_groups (10)": {
>       "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
>     },
> ...
> {code}
>

-- 
This message was sent by Atlassian Jira
(v8.20.10#820010)
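The ticket's root cause is a mismatch between the name the client was asked to connect to (covered by the wildcard certificate) and the resolver's canonical name (not covered), which the driver substitutes before TLS hostname verification. The following Python model, added here as an illustration and not part of the Hive JDBC code or of the Jira issue, implements a strict subset of the RFC 6125 / RFC 9525 wildcard rules and shows both client behaviours side by side. The SAN list, the canonical name `canonicalhostname.example.com` (taken from the TLS debug output above) and the `use_canonical_name` switch are constructed stand-ins; the switch is not the name of any Hive connection parameter.

```python
"""Hostname verification vs. canonical-name substitution (constructed model)."""
from __future__ import annotations

from dataclasses import dataclass


def _label_matches(pattern: str, host_label: str) -> bool:
    """A lone '*' stands for exactly one whole label; partial wildcards ('hs*') are rejected."""
    if pattern == "*":
        return True
    if "*" in pattern:
        return False
    return pattern == host_label


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """Return True if `hostname` is covered by one of the certificate's dNSName SANs.

    Rules applied (a deliberately strict subset of RFC 6125 / RFC 9525):
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is honoured only as the entire left-most label;
      * a wildcard matches exactly one label, never zero or several;
      * a wildcard needs at least two labels to its right (no '*.com').
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue  # '*' covers one label, so label counts must agree
        if san_labels[0] == "*" and len(san_labels) < 3:
            continue  # refuse over-broad wildcards such as '*.com'
        if "*" in "".join(san_labels[1:]):
            continue  # wildcard allowed only in the left-most label
        if all(_label_matches(p, h) for p, h in zip(san_labels, host_labels)):
            return True
    return False


@dataclass
class VerificationOutcome:
    name_checked: str  # the name actually compared against the certificate
    accepted: bool     # whether hostname verification would pass


def verify_peer_name(connect_host: str, canonical_host: str,
                     san_dns_names: list[str], use_canonical_name: bool) -> VerificationOutcome:
    """Model the two client behaviours: verify the name from the connection string,
    or first swap it for the resolver's canonical name and verify that instead.
    `use_canonical_name` is a constructed switch, not a Hive JDBC parameter."""
    name = canonical_host if use_canonical_name else connect_host
    return VerificationOutcome(name, hostname_matches(name, san_dns_names))


# Constructed inputs mirroring the ticket: the alias sits under the wildcard, the canonical name does not.
CONNECT_HOST = "hs2.subdomain.example.com"
CANONICAL_HOST = "canonicalhostname.example.com"  # constructed stand-in for the resolver's answer
SERVER_CERT_SANS = ["*.subdomain.example.com"]


if __name__ == "__main__":
    for use_canonical in (True, False):
        out = verify_peer_name(CONNECT_HOST, CANONICAL_HOST, SERVER_CERT_SANS, use_canonical)
        print(f"checked {out.name_checked:32} -> {'ok' if out.accepted else 'MISMATCH'}")
```

Run as a script it prints a mismatch for the canonical name and a pass for the connection-string host, which is the behaviour the ticket asks to make configurable. Keeping verification bound to the name the caller supplied (rather than loosening the matcher or disabling verification) is what preserves the TLS guarantee when a service is reached through an alias or a wildcard certificate.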