trino icon indicating copy to clipboard operation
trino copied to clipboard

Published 20 hours ago verified publisher icon trinodb

Allow configuring credential-cache for kerberized hive connector

Open Praveen2112 opened this issue 2 years ago • 0 comments

Description

This allows us deploy hive connector in a keytab less environment where the credentials are fetched from credential cache file.

Is this change a fix, improvement, new feature, refactoring, or other?

New feature for Hive and iceberg connector.

Is this a change to the core query engine, a connector, client library, or the SPI interfaces? (be specific)

This is specific to hive connector and iceberg connector.

How would you describe this change to a non-technical end user or system administrator?

This allows us deploy hive connector in a keytab less environment where the credentials are fetched from credential cache file.

Related issues, pull requests, and links

Documentation

( ) No documentation is needed. ( ) Sufficient documentation is included in this PR. (x) Documentation PR is available with #prnumber. ( ) Documentation issue #issuenumber is filed, and can be handled later.

Release notes

( ) No release notes entries required. (x) Release notes entries required with the following suggested text:

# Section
* Allow configuring credential-cache for kerberized hive connector

Praveen2112 avatar Aug 03 '22 14:08 Praveen2112

@wendigo / @kokosing / @s2lomon Have rebased it due to logical conflict. Addressed additional comments.

Praveen2112 avatar Aug 16 '22 09:08 Praveen2112

@wendigo / @kokosing Added tests and applied comments.

Praveen2112 avatar Aug 19 '22 10:08 Praveen2112

CI is red

kokosing avatar Aug 22 '22 10:08 kokosing

@wendigo / @kokosing / @s2lomon We made one change in KerberosConfiguration - We enable storeKey - if keyTab is configured and credential-cache is not configured. (As TGT is fetched from Credential Cache, then the KeyTab will not be loaded, and we would get a LoginException stating 'No key to store'.). Is this the correct approach or should we restrict keyTab or credentialCache cannot be configured at the same time.

Praveen2112 avatar Aug 24 '22 09:08 Praveen2112

should we restrict keyTab or credentialCache cannot be configured at the same time.

I would start with this approach. It sounds that we could relax that in future when we learn about the use case. Configuring these two things is kind of misleading and I am not sure what user really wants.

kokosing avatar Aug 24 '22 11:08 kokosing

I agree with @kokosing on this

wendigo avatar Aug 24 '22 11:08 wendigo

@wendigo / @kokosing / @s2lomon AC

Praveen2112 avatar Aug 25 '22 09:08 Praveen2112

@Praveen2112 the template suggests there's another PR with docs for this change, but I can't find it. Could you link?

Also, what section should the release note go into?

colebow avatar Aug 29 '22 18:08 colebow

I'm working on the PR for docs.

The release notes should be part of Hive connector.

Praveen2112 avatar Aug 31 '22 13:08 Praveen2112