Skip to content

Commit

Permalink
[KYUUBI #3705] Add docs for JDBC authentication usage with in-memory …
Browse files Browse the repository at this point in the history 
…database

### _Why are the changes needed?_

to close #3705 .

Add docs for JDBC authentication usage with in-memory database with config example for token validation example.

### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible

- [ ] Add screenshots for manual tests if appropriate

- [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request

Closes #3706 from bowenliang123/jdbc-inmem.

Closes #3705

3de9bce [Bowen Liang] use backslash for multi-line config value
26a4d1b [Bowen Liang] nit
e078e98 [Bowen Liang] add JDBC auth usage with in-memory db for token validation
67624fa [liangbowen] init jdbc inmem doc

Lead-authored-by: Bowen Liang <liangbowen@gf.com.cn>
Co-authored-by: liangbowen <liangbowen@gf.com.cn>
Signed-off-by: Cheng Pan <chengpan@apache.org>
(cherry picked from commit 738e351)
Signed-off-by: Cheng Pan <chengpan@apache.org>
  • Loading branch information
@bowenliang123 @pan3793
bowenliang123 authored and pan3793 committed Oct 27, 2022
1 parent 3cad86b commit cbea330
Showing 1 changed file with 20 additions and 1 deletion.
21 changes: 20 additions & 1 deletion docs/security/jdbc.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,4 +46,23 @@ kyuubi.authentication.jdbc.url = jdbc:mysql://127.0.0.1:3306/auth_db
kyuubi.authentication.jdbc.user = bowenliang123
kyuubi.authentication.jdbc.password = bowenliang123@kyuubi
kyuubi.authentication.jdbc.query = SELECT 1 FROM auth_table WHERE user=${user} AND passwd=MD5(CONCAT(salt,${password}))
```
```

## Authentication with In-memory Database

Used with auto created in-memory database, JDBC authentication could be applied for token validation without starting up a dedicated database service or setting up a custom plugin.

Consider authentication for a pair of a username and a token which contacted with an `expire_time` in 'yyyyMMddHHmm' format and a MD5 signature generated with sequence of `expire_time`, `username` and a secret key. With the following example, an H2 in-memory database will be auto crated with Kyuubi Server and used for authentication with its system function `HASH` and checking token expire time with `NOW()`.

```properties
kyuubi.authentication=JDBC
kyuubi.authentication.jdbc.driver.class = org.h2.Driver
kyuubi.authentication.jdbc.url = jdbc:h2:mem:
kyuubi.authentication.jdbc.user = no_user
kyuubi.authentication.jdbc.query = SELECT 1 FROM ( \
SELECT ${user} as username, 'secret_key' as secret_key, \
SUBSTRING(${password}, 0, 12) as expire_time, \
SUBSTRING(${password}, 13) as signed \
) WHERE signed = RAWTOHEX(HASH('MD5', CONCAT(secret_key, username, expire_time))) \
AND PARSEDATETIME(expire_time,'yyyyMMddHHmm') > NOW()
```

0 comments on commit cbea330

Please sign in to comment.