Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[KYUUBI #1262] Support both KERBEROS and PLAIN authentication at the same time #1266

Closed
wants to merge 27 commits into from
Closed

[KYUUBI #1262] Support both KERBEROS and PLAIN authentication at the same time #1266

wants to merge 27 commits into from

Conversation

turboFei
Copy link
Member

@turboFei turboFei commented Oct 20, 2021
edited
Loading

Why are the changes needed?

Support both KERBEROS and PLAIN authentication at the same time.

How was this patch tested?

Added UT & IT.
I make integration testing on our dev cluster with KERBEROS and CUSTOM authentication.

kyuubi.authentication	KERBEROS,CUSTOM
kyuubi.authentication.custom.class=org.apache.kyuubi.ZeusCustom

For org.apache.kyuubi.ZeusCustom, it checks whether the user equals password.

package org.apache.kyuubi

import javax.security.sasl.AuthenticationException

import org.apache.kyuubi.service.authentication.PasswdAuthenticationProvider

class ZeusCustom
  extends PasswdAuthenticationProvider with Logging {

  override def authenticate(user: String, password: String): Unit = {
    if (user == password) {
      info(s"Success log in of user: $user")
    } else {
      throw new AuthenticationException("Username or password is not valid!")
    }
  }
}

  1. kerberos testing with user b_zeus
    image

  2. CUTOM authentication testing with user b_zeus
    image

Note that: they share the same backend spark engine, because they are the same user.

@turboFei turboFei marked this pull request as draft October 20, 2021 09:16
@yaooqinn yaooqinn added this to the v1.4.0 milestone Oct 20, 2021
@turboFei turboFei force-pushed the multiple_auth_KYUUBI-1262 branch from eeef9b5 to ac8b195 Compare October 20, 2021 10:22
@turboFei turboFei force-pushed the multiple_auth_KYUUBI-1262 branch from ff6bfd9 to c00e054 Compare October 21, 2021 14:16
@turboFei turboFei force-pushed the multiple_auth_KYUUBI-1262 branch from c00e054 to 1aa30a5 Compare October 21, 2021 14:40
@turboFei turboFei marked this pull request as ready for review October 23, 2021 07:45
@turboFei turboFei requested review from pan3793 and yaooqinn and removed request for pan3793 October 23, 2021 07:46
@pan3793
Copy link
Member

pan3793 commented Oct 23, 2021

#642 introduces a UserDefineAuthenticationProviderImpl, can we use it for UTs?

@turboFei turboFei force-pushed the multiple_auth_KYUUBI-1262 branch from 72e55d6 to 8545a03 Compare October 23, 2021 08:30
@codecov-commenter
Copy link

codecov-commenter commented Oct 23, 2021
edited
Loading

Codecov Report

Merging #1266 (71053ae) into master (d0d5fb6) will increase coverage by 5.19%.
The diff coverage is 83.78%.

Impacted file tree graph

@@             Coverage Diff              @@
##             master    #1266      +/-   ##
============================================
+ Coverage     73.10%   78.30%   +5.19%     
- Complexity       41      110      +69     
============================================
  Files           175      177       +2     
  Lines          6846     7103     +257     
  Branches        835      872      +37     
============================================
+ Hits           5005     5562     +557     
+ Misses         1441     1061     -380     
- Partials        400      480      +80
Impacted Files Coverage Δ
...org/apache/kyuubi/ha/client/ServiceDiscovery.scala 40.71% <0.00%> (ø)
...e/authentication/KyuubiAuthenticationFactory.scala 78.43% <81.48%> (+0.93%) ⬆️
...in/scala/org/apache/kyuubi/config/KyuubiConf.scala 95.11% <100.00%> (-0.13%) ⬇️
...yuubi/service/authentication/PlainSASLHelper.scala 86.66% <100.00%> (+0.30%) ⬆️
...che/kyuubi/ha/client/ZooKeeperClientProvider.scala 70.17% <0.00%> (-11.88%) ⬇️
...uubi/engine/spark/events/SparkStatementEvent.scala 76.47% <0.00%> (-6.87%) ⬇️
...ache/kyuubi/engine/spark/SparkProcessBuilder.scala 86.86% <0.00%> (-2.91%) ⬇️
.../scala/org/apache/spark/kyuubi/ui/EnginePage.scala 78.91% <0.00%> (-1.86%) ⬇️
...n/scala/org/apache/kyuubi/engine/ProcBuilder.scala 89.89% <0.00%> (-1.02%) ⬇️
...uubi/engine/spark/operation/ExecuteStatement.scala 85.05% <0.00%> (-0.83%) ⬇️
... and 21 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d0d5fb6...71053ae. Read the comment docs.

@turboFei turboFei force-pushed the multiple_auth_KYUUBI-1262 branch from 294c43f to 8dadfd3 Compare October 23, 2021 12:01
@turboFei turboFei force-pushed the multiple_auth_KYUUBI-1262 branch 2 times, most recently from e37cc09 to 1945c34 Compare October 23, 2021 15:35
@turboFei turboFei force-pushed the multiple_auth_KYUUBI-1262 branch from 1945c34 to 4fc6308 Compare October 23, 2021 15:53
@turboFei turboFei changed the title [KYUUBI #1262] Support multiple kinds of SASL authentication type [KYUUBI #1262] Support both KERBEROS and PLAIN authentication at the same time Oct 24, 2021
@turboFei turboFei self-assigned this Oct 24, 2021
@turboFei
Copy link
Member Author

it is ready now. cc @pan3793

@turboFei turboFei requested a review from pan3793 October 25, 2021 04:21
@pan3793
Copy link
Member

pan3793 commented Oct 25, 2021

Thanks, merging to master

@pan3793 pan3793 closed this in 24cf1bd Oct 25, 2021
@turboFei turboFei mentioned this pull request Oct 25, 2021
Closed
pan3793 pushed a commit that referenced this pull request Oct 25, 2021
@turboFei @pan3793
[KYUUBI #1291] [TEST] Transfer KRB5_CONF to kinit and fix kerberos UT…
99934e8 
… on macOS

### _Why are the changes needed?_
1. transfer KRB5_CONF of KyuubiServer to kinit process in case the system KRB5_CONF is not same with `java.security.krb5.conf` of KyuubiServer JVM.
2. The UT with kerberos enabled KyuubiServer can not pass on osx environment, such as `KyuubiOperationKerberosAndPlainAuthSuite` (#1266). For the root cause, see details in https://stackoverflow.com/questions/27053539/openldap-kerberos-unable-to-reach-any-kdc-in-realm

### _How was this patch tested?_
`KyuubiOperationKerberosAndPlainAuthSuite` can pass on my MacBook, without this PR, it will fail on MacBook.

Closes #1291 from turboFei/kinit_ut.

Closes #1291

f006054 [fwang12] complete KRB5_CONFIG
859538c [fwang12] Make kerberos enabled kyuubi server unit test runnable for osx environment

Authored-by: fwang12 <fwang12@ebay.com>
Signed-off-by: Cheng Pan <chengpan@apache.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pan3793 pan3793 pan3793 approved these changes

@yaooqinn yaooqinn yaooqinn approved these changes

Assignees

@turboFei turboFei

Labels
release highlight
Projects
None yet
Milestone
v1.4.0
Development

Successfully merging this pull request may close these issues.
4 participants
@turboFei @pan3793 @codecov-commenter @yaooqinn