我的书签
添加书签
移除书签Kyuubi supports authentication via JDBC query. A query is prepared with user/password value and sent to the database configured in JDBC URL. Authentication passes if the result set is not empty.
The SQL statement must start with the SELECT clause. Placeholders are supported and listed below for substitution:
${user}${password}
For example, SELECT 1 FROM auth_db.auth_table WHERE user=${user} AND
passwd=MD5(CONCAT(salt,${password})) will be prepared as SELECT 1 FROM auth_db.auth_table WHERE user=? AND passwd=MD5(CONCAT(salt,?)) with value replacement of user and password in string type.
Enable JDBC Authentication
To enable the JDBC authentication method, we need to
- Put the JDBC driver jar file to
$KYUUBI_HOME/jarsdirectory to make it visible for the classpath of the kyuubi server. - Configure the following properties to
$KYUUBI_HOME/conf/kyuubi-defaults.confon each node where kyuubi server is installed.
Configure the authentication properties
Configure the following properties to $KYUUBI_HOME/conf/kyuubi-defaults.conf on each node where kyuubi server is installed.
kyuubi.authentication=JDBCkyuubi.authentication.jdbc.driver.class = com.mysql.jdbc.Driverkyuubi.authentication.jdbc.url = jdbc:mysql://127.0.0.1:3306/auth_dbkyuubi.authentication.jdbc.user = bowenliang123kyuubi.authentication.jdbc.password = bowenliang123@kyuubikyuubi.authentication.jdbc.query = SELECT 1 FROM auth_table WHERE user=${user} AND passwd=MD5(CONCAT(salt,${password}))
Authentication with In-memory Database
Used with auto created in-memory database, JDBC authentication could be applied for token validation without starting up a dedicated database service or setting up a custom plugin.
Consider authentication for a pair of a username and a token which contacted with an expire_time in ‘yyyyMMddHHmm’ format and a MD5 signature generated with sequence of expire_time, username and a secret key. With the following example, an H2 in-memory database will be auto crated with Kyuubi Server and used for authentication with its system function HASH and checking token expire time with NOW().
kyuubi.authentication=JDBCkyuubi.authentication.jdbc.driver.class = org.h2.Driverkyuubi.authentication.jdbc.url = jdbc:h2:mem:kyuubi.authentication.jdbc.user = no_userkyuubi.authentication.jdbc.query = SELECT 1 FROM ( \SELECT ${user} as username, 'secret_key' as secret_key, \SUBSTRING(${password}, 0, 12) as expire_time, \SUBSTRING(${password}, 13) as signed \) WHERE signed = RAWTOHEX(HASH('MD5', CONCAT(secret_key, username, expire_time))) \AND PARSEDATETIME(expire_time,'yyyyMMddHHmm') > NOW()
