Kyuubi supports authentication via a JDBC query. A query is prepared with the user and password values and sent to the database configured in the JDBC URL. Authentication passes if the result set is not empty.

The SQL statement must start with the SELECT clause. The following placeholders are supported for substitution:

  • ${user}
  • ${password}

For example, the query

    SELECT 1 FROM auth_db.auth_table WHERE user=${user} AND passwd=MD5(CONCAT(salt,${password}))

will be prepared as

    SELECT 1 FROM auth_db.auth_table WHERE user=? AND passwd=MD5(CONCAT(salt,?))

with the user and password values bound as string parameters.

Enable JDBC Authentication

To enable the JDBC authentication method, we need to

  • Put the JDBC driver jar file in the $KYUUBI_HOME/jars directory so that it is visible on the classpath of the Kyuubi server.
  • Configure the following properties in $KYUUBI_HOME/conf/kyuubi-defaults.conf on each node where the Kyuubi server is installed.

Configure the authentication properties

Configure the following properties in $KYUUBI_HOME/conf/kyuubi-defaults.conf on each node where the Kyuubi server is installed.

    kyuubi.authentication=JDBC
    kyuubi.authentication.jdbc.driver.class = com.mysql.jdbc.Driver
    kyuubi.authentication.jdbc.url = jdbc:mysql://127.0.0.1:3306/auth_db
    kyuubi.authentication.jdbc.user = bowenliang123
    kyuubi.authentication.jdbc.password = bowenliang123@kyuubi
    kyuubi.authentication.jdbc.query = SELECT 1 FROM auth_table WHERE user=${user} AND passwd=MD5(CONCAT(salt,${password}))

Authentication with In-memory Database

When used with an automatically created in-memory database, JDBC authentication can be applied for token validation without starting up a dedicated database service or setting up a custom plugin.

Consider authentication for a pair of a username and a token, where the token is concatenated from an expire_time in 'yyyyMMddHHmm' format and an MD5 signature generated from the sequence of expire_time, username and a secret key. With the following example, an H2 in-memory database will be automatically created with the Kyuubi server and used for authentication, using its system function HASH and checking the token expire time with NOW().

    kyuubi.authentication=JDBC
    kyuubi.authentication.jdbc.driver.class = org.h2.Driver
    kyuubi.authentication.jdbc.url = jdbc:h2:mem:
    kyuubi.authentication.jdbc.user = no_user
    kyuubi.authentication.jdbc.query = SELECT 1 FROM ( \
      SELECT ${user} as username, 'secret_key' as secret_key, \
      SUBSTRING(${password}, 0, 12) as expire_time, \
      SUBSTRING(${password}, 13) as signed \
      ) WHERE signed = RAWTOHEX(HASH('MD5', CONCAT(secret_key, username, expire_time))) \
      AND PARSEDATETIME(expire_time,'yyyyMMddHHmm') > NOW()
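
The token format checked by the query above, written out as an added Python example (not code from Kyuubi): it issues a token and re-implements the same split, signature and expiry checks so a token issuer can be tested offline. The function names are hypothetical, the concatenation order follows the query (secret_key, username, expire_time), and lowercase hex output from RAWTOHEX is an assumption.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

SECRET_KEY = "secret_key"  # literal from the sample query; use a real secret
FMT = "%Y%m%d%H%M"         # Python form of 'yyyyMMddHHmm' (12 characters)


def sign(username, expire_time, secret_key=SECRET_KEY):
    # Same field order as CONCAT(secret_key, username, expire_time).
    data = (secret_key + username + expire_time).encode("utf-8")
    # Lowercase hex; assumed to match what RAWTOHEX(HASH('MD5', ...)) returns.
    return hashlib.md5(data).hexdigest()


def issue_token(username, ttl_minutes, now):
    # Token layout: 12-character expire_time followed by the hex signature.
    expire_time = (now + timedelta(minutes=ttl_minutes)).strftime(FMT)
    return expire_time + sign(username, expire_time)


def verify_token(username, token, now):
    # Mirrors the query: split at 12 characters, check signature, then expiry.
    expire_time, signed = token[:12], token[12:]
    if len(expire_time) != 12 or not (expire_time.isascii() and expire_time.isdigit()):
        return False
    try:
        expires = datetime.strptime(expire_time, FMT)
    except ValueError:
        return False  # e.g. month 13
    expected = sign(username, expire_time)
    if not hmac.compare_digest(signed.encode("utf-8"), expected.encode("utf-8")):
        return False
    return expires > now


if __name__ == "__main__":
    now = datetime(2030, 1, 1, 12, 0)  # constructed clock value
    token = issue_token("alice", 30, now)
    print(token, verify_token("alice", token, now))
```

The client supplies the token in place of the password. Because NOW() is evaluated on the server side, the issuer's expire_time has to be expressed in the clock and time zone the Kyuubi server uses.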