HikariCP-4.0.3

修改HikariCP源码,使其连接池支持Kerberos认证

修改后的Hikari源码地址:https://github.com/Raray-chuan/HikariCP-4.0.3

Springboot使用hikari连接池并进行Kerberos认证访问Impala的demo地址:https://github.com/Raray-chuan/springboot-kerberos-hikari-impala

1. Java连接impala的Kerberos认证

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;import java.io.IOException;
import java.security.PrivilegedAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
/*** @Author Xichuan* @Date 2022/10/28 17:53* @Description*/
public class TestKerberosImpala {public static final String KRB5_CONF = "D:\\development\\license_dll\\krb5.conf";public static final String PRINCIPAL = "xichuan/admin@XICHUAN.COM";public static final String KEYTAB = "D:\\development\\license_dll\\xichuan.keytab";public static String connectionUrl = "jdbc:impala://node01:21050/;AuthMech=1;KrbRealm=XICHUAN.COM;KrbHostFQDN=node01;KrbServiceName=impala";public static String jdbcDriverName = "com.cloudera.impala.jdbc41.Driver";public static void main(String[] args) throws Exception {UserGroupInformation loginUser = kerberosAuth(KRB5_CONF,KEYTAB,PRINCIPAL);int result = loginUser.doAs((PrivilegedAction<Integer>) () -> {int result1 = 0;try {Class.forName(jdbcDriverName);} catch (ClassNotFoundException e) {e.printStackTrace();}try (Connection con = DriverManager.getConnection(connectionUrl)) {Statement stmt = con.createStatement();ResultSet rs = stmt.executeQuery("SELECT count(1) FROM test_dws.dws_test_id");while (rs.next()) {result1 = rs.getInt(1);}stmt.close();con.close();} catch (Exception e) {e.printStackTrace();}return result1;});System.out.println("count: "+ result);}/*** kerberos authentication* @param krb5ConfPath* @param keyTabPath* @param principle* @return* @throws IOException*/public static UserGroupInformation kerberosAuth(String krb5ConfPath, String keyTabPath, String principle) throws IOException {System.setProperty("java.security.krb5.conf", krb5ConfPath);Configuration conf = new Configuration();conf.set("hadoop.security.authentication", "Kerberos");UserGroupInformation.setConfiguration(conf);UserGroupInformation loginInfo = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principle, keyTabPath);if (loginInfo.hasKerberosCredentials()) {System.out.println("kerberos authentication success!");System.out.println("login user: "+loginInfo.getUserName());} else {System.out.println("kerberos authentication fail!");}return loginInfo;}
}

2. 解读源码，了解Hikari连接池如何保持Connection个数在一定数目上

1.在我们初始化Hikari Pool参数后，第一次调用com.zaxxer.hikari.HikariDataSource#getConnection()的时候，会进行初始化HikariPool，HikariPool正式管理Connection的类

2.进入com.zaxxer.hikari.pool.HikariPool#HikariPool类中，查看HikariPool如何初始化连接池的

HikariPool初始化的前面参数先不管，不是研究重点，看红框中，HikariPool会初始化一个HouseKeeper的线程，HouseKeeper的作用的是保持连接池的idle数据在一定的数目

3.进入com.zaxxer.hikari.pool.HikariPool.HouseKeeper类，看它如何是保持Connection的数据在一定的数据

我们可以看到，HouseKeeper是一个内部类，继续往下看代码，有一个fillPool()方法，看注解，这个方法可以保持连接数在一定数据上

4.进入com.zaxxer.hikari.pool.HikariPool#fillPool方法

从上图我们可以看出，此方法会判断pool是否需要新添加Connection，如果需要，则在pool中添加Connection。添加Connection方式是提交一个线程，我们直接看PoolEntryCreator如何添加Connection即可。下面只会跟踪Hikari最终创建Connection的代码地方，不会解释每个方法以及类的作用

5.跟踪代码，找到Hikari最终创建Connection的代码地方

进入com.zaxxer.hikari.pool.HikariPool.PoolEntryCreator类,

可以看出该线程会创建一个PoolEntry类，PoolEntry类就是用来保存Connection的.

继续进入com.zaxxer.hikari.pool.HikariPool#createPoolEntry方法，看如何创建PoolEntry类的

可以看出，创建PoolEntry是通过newPoolEntry()方法进行创建的

继续进入com.zaxxer.hikari.pool.PoolBase#newPoolEntry方法，看如何创建PoolEntry的

可以看出newPoolEntry()方法创建PoolEntry对象，是通过PoolEntry构造方法创建的，进入此构造方法，第一个参数就是Connection,那我们就需要进入newConnection()方法看此Connection是如何创建的

进入com.zaxxer.hikari.pool.PoolBase#newConnection方法

我们看出Connection的创建是通过dataSource.getConnection()来创建的，那这个dataSource的实现类是哪个？打断点可以看出是DriverDataSource类

进入com.zaxxer.hikari.util.DriverDataSource#getConnection()方法，查看Connection是如何创建的

可以看出创建connection是通过调用impala、mysql、h2等驱动包的接口创建的

6.总结

通过上面的源码跟踪，可以发现，创建Connection是在HikariPool类中的HouseKeeper线程中进行的。所以我们在com.zaxxer.hikari.HikariDataSource#getConnection()中，在HikariPool初始化的时候进行Kerberos认证是行不通的，因为Kerberos默认24小时就失效了; 但Kerberos失效后，HouseKeeper创建Connection的时候并没有再次认证。

所以我们思路可以是，修改hikari的源码，在com.zaxxer.hikari.util.DriverDataSource#getConnection()方法调用 driver.connect(jdbcUrl, driverProperties)之前认证即可。并且hikari连接池的max-lifetime参数要小于Kerberos的过期时长

3. 修改Hikari源码，使其支持Kerberos认证

3.1 修改HikariConfig类，添加Kerberos的四个参数

四个参数分别是:

authenticationType:安全验证的类型,如果值是"kerberos"，则进行Kerberos认证，如果为null，则不进行认证
krb5FilePath:krb5.conf文件的路径
principal:principal的名称
keytabPath:对应principal的keytab的路径

   //kerberos paramsprivate volatile String authenticationType;private volatile String krb5FilePath;private volatile String keytabPath;private volatile String principal;public String getAuthenticationType() {return authenticationType;}public void setAuthenticationType(String authenticationType) {this.authenticationType = authenticationType;}public String getKrb5FilePath() {return krb5FilePath;}public void setKrb5FilePath(String krb5FilePath) {this.krb5FilePath = krb5FilePath;}public String getKeytabPath() {return keytabPath;}public void setKeytabPath(String keytabPath) {this.keytabPath = keytabPath;}public String getPrincipal() {return principal;}public void setPrincipal(String principal) {this.principal = principal;}

3.2 在PoolBase类中初始化DriverDataSource的时候，添加Kerberos参数

  private void initializeDataSource(){final String jdbcUrl = config.getJdbcUrl();final String username = config.getUsername();final String password = config.getPassword();final String dsClassName = config.getDataSourceClassName();final String driverClassName = config.getDriverClassName();final String dataSourceJNDI = config.getDataSourceJNDI();final Properties dataSourceProperties = config.getDataSourceProperties();//add kerberos propertiesdataSourceProperties.setProperty("authenticationType",config.getAuthenticationType());dataSourceProperties.setProperty("keytabPath",config.getKeytabPath());dataSourceProperties.setProperty("krb5FilePath",config.getKrb5FilePath());dataSourceProperties.setProperty("principal",config.getPrincipal());DataSource ds = config.getDataSource();if (dsClassName != null && ds == null) {ds = createInstance(dsClassName, DataSource.class);PropertyElf.setTargetFromProperties(ds, dataSourceProperties);}else if (jdbcUrl != null && ds == null) {ds = new DriverDataSource(jdbcUrl, driverClassName, dataSourceProperties, username, password);}else if (dataSourceJNDI != null && ds == null) {try {InitialContext ic = new InitialContext();ds = (DataSource) ic.lookup(dataSourceJNDI);} catch (NamingException e) {throw new PoolInitializationException(e);}}if (ds != null) {setLoginTimeout(ds);createNetworkTimeoutExecutor(ds, dsClassName, jdbcUrl);}this.dataSource = ds;}

3.3 DriverDataSource类在getConnection()的时候进Kerberos认证

public final class DriverDataSource implements DataSource{......//kerberos paramsprivate String authenticationType = "";private String krb5FilePath;private String keytabPath;private String principal;public DriverDataSource(String jdbcUrl, String driverClassName, Properties properties, String username, String password) {this.jdbcUrl = jdbcUrl;this.driverProperties = new Properties();//init kerberos propertiesif (properties.getProperty("authenticationType") != null && properties.getProperty("authenticationType").equals("kerberos")){authenticationType = properties.getProperty("authenticationType");krb5FilePath = properties.getProperty("krb5FilePath");keytabPath = properties.getProperty("keytabPath");principal = properties.getProperty("principal");}...}......@Overridepublic Connection getConnection() throws SQLException {//if authenticationType=kerberos,it must be kerberos authentication first!if (authenticationType != null && authenticationType.equals("kerberos")){UserGroupInformation ugi = authentication();try {return ugi.doAs(new XichuanGenerateConnectionAction(jdbcUrl, driverProperties));} catch (IOException | InterruptedException e) {e.printStackTrace();}return null;}else{return driver.connect(jdbcUrl, driverProperties);}}@Overridepublic Connection getConnection(final String username, final String password) throws SQLException{final Properties cloned = (Properties) driverProperties.clone();if (username != null) {cloned.put(USER, username);if (cloned.containsKey("username")) {cloned.put("username", username);}}if (password != null) {cloned.put(PASSWORD, password);}//if authenticationType=kerberos,it must be kerberos authentication first!if (authenticationType != null && authenticationType.equals("kerberos")){UserGroupInformation ugi = authentication();try {return ugi.doAs(new XichuanGenerateConnectionAction(jdbcUrl, cloned));} catch (IOException | InterruptedException e) {e.printStackTrace();}return null;}else{return driver.connect(jdbcUrl, cloned);}}/*** generate connection action*/public class XichuanGenerateConnectionAction implements PrivilegedExceptionAction<Connection> {private String jdbcUrl;private Properties driverProperties;public XichuanGenerateConnectionAction(String jdbcUrl, Properties driverProperties){this.jdbcUrl = jdbcUrl;this.driverProperties = driverProperties;}@Overridepublic Connection run() throws Exception {return driver.connect(jdbcUrl, driverProperties);}}/*** kerberos authentication*/private UserGroupInformation authentication() {if(authenticationType != null && "kerberos".equalsIgnoreCase(authenticationType.trim())) {LOGGER.info("kerberos authentication is begin");} else {LOGGER.info("kerberos authentication is not open");return null;}System.setProperty("java.security.krb5.conf", krb5FilePath);org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();conf.set("hadoop.security.authentication", authenticationType);try {UserGroupInformation.setConfiguration(conf);UserGroupInformation userGroupInformation = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);LOGGER.info("kerberos authentication success!, krb5FilePath:{}, principal:{}, keytab:{}", krb5FilePath, principal, keytabPath);LOGGER.info("login user::{}", userGroupInformation.getUserName());return userGroupInformation;} catch (IOException e1) {LOGGER.info("kerberos authentication fail!");LOGGER.error(e1.getMessage() + ", detail:{}", e1);}return null;}...
}

4. 对修改后的源码打包

1.maven一定要用HikariCP的对应版本的maven版本

HikariCP-4.0.3要求的maven版本是3.3.9，必须使用apache-maven-3.3.9才能打包

2.添加toolchains.xml文档

toolchains.xml文件的内容：

<?xml version="1.0" encoding="UTF-8"?>
<toolchains xmlns="http://maven.apache.org/TOOLCHAINS/1.1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/TOOLCHAINS/1.1.0 http://maven.apache.org/xsd/toolchains-1.1.0.xsd"><toolchain><type>jdk</type><provides><version>1.8</version><vendor>sun</vendor></provides><configuration><!--jdkHome是jdk的安装home路径--><jdkHome>D:\development tool\Java\jdk1.8.0_211</jdkHome></configuration></toolchain></toolchains>

将此文件放在apache-maven-3.3.9\conf目录中

如果打包的时候还是报缺失toolchains.xml文件，可以将此文件放到本地仓库的路径中，如下图：

3.进行package，然后在本地仓库中将HikariCP-4.0.3.jar替换即可

5.在springboot中使用hikari连接池并进行Kerberos认证

1. 在application.yml添加四个参数

# kerberos
# authenticationType:安全验证的类型,如果值是"kerberos"，则进行Kerberos认证，如果为null，则不进行认证
authentication.type=kerberos
# krb5FilePath:krb5.conf文件的路径
authentication.kerberos.krb5FilePath=D:\\development\\license_dll\\krb5.conf
# principal:principal的名称
authentication.kerberos.principal=xichuan/admin@XICHUAN.COM
# keytabPath:对应principal的keytab的路径
authentication.kerberos.keytabPath=D:\\development\\license_dll\\xichuan.keytab# datasource and pool
datasource.xichuan.url=jdbc:impala://node01:21050/;AuthMech=1;KrbRealm=XICHUAN.COM;KrbHostFQDN=node01;KrbServiceName=impala
datasource.xichuan.driver-class-name=com.cloudera.impala.jdbc41.Driver
datasource.xichuan.username=
datasource.xichuan.password=
datasource.xichuan.pool-name=xichuan-pool
datasource.xichuan.read-only=false
datasource.xichuan.auto-commit=true
datasource.xichuan.maximum-pool-size=3
#此值务必要小于Kerberos的过期时长(默认24小时)
datasource.xichuan.max-lifetime=35000
datasource.xichuan.idle-timeout=10000
datasource.xichuan.validation-timeout=5000

2.获取DataSourceProperties并封装成类

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;/*** @Author Xichuan* @Date 2022/11/1 17:44* @Description*/
@Component
@ConfigurationProperties(prefix = "datasource.xichuan")
public class DataSourceProperties {private String url;private String driverClassName;private String username;private String password;private String poolName;private boolean readOnly;private boolean autoCommit;private int maximumPoolSize;private long maxLifetime;private long idleTimeout;private long validationTimeout;public String getPoolName() {return poolName;}public void setPoolName(String poolName) {this.poolName = poolName;}public boolean isReadOnly() {return readOnly;}public void setReadOnly(boolean readOnly) {this.readOnly = readOnly;}public boolean isAutoCommit() {return autoCommit;}public void setAutoCommit(boolean autoCommit) {this.autoCommit = autoCommit;}public int getMaximumPoolSize() {return maximumPoolSize;}public void setMaximumPoolSize(int maximumPoolSize) {this.maximumPoolSize = maximumPoolSize;}public long getMaxLifetime() {return maxLifetime;}public void setMaxLifetime(long maxLifetime) {this.maxLifetime = maxLifetime;}public long getIdleTimeout() {return idleTimeout;}public void setIdleTimeout(long idleTimeout) {this.idleTimeout = idleTimeout;}public long getValidationTimeout() {return validationTimeout;}public void setValidationTimeout(long validationTimeout) {this.validationTimeout = validationTimeout;}public String getUrl() {return url;}public void setUrl(String url) {this.url = url;}public String getDriverClassName() {return driverClassName;}public void setDriverClassName(String driverClassName) {this.driverClassName = driverClassName;}public String getUsername() {return username;}public void setUsername(String username) {this.username = username;}public String getPassword() {return password;}public void setPassword(String password) {this.password = password;}
}

3. 在配置文件中创建dataSource的bean

/*** @Author Xichuan* @Date 2022/11/1 15:15* @Description*/
@Configuration
public class DataSourceConfig {private Logger logger = LoggerFactory.getLogger(DataSourceConfig.class);@Value("${authentication.type}")private String authenticationType;@Value("${authentication.kerberos.krb5FilePath}")private String krb5FilePath;@Value("${authentication.kerberos.principal}")private String principal;@Value("${authentication.kerberos.keytabPath}")private String keytabPath;/*** inint datasource* @return*/@Beanpublic DataSource dataSource(DataSourceProperties dataSourceProperties) throws SQLException {HikariConfig config = new HikariConfig();//kerberos configconfig.setAuthenticationType(authenticationType);config.setKrb5FilePath(krb5FilePath);config.setPrincipal(principal);config.setKeytabPath(keytabPath);//jdbc and pool configconfig.setJdbcUrl(dataSourceProperties.getUrl());config.setDriverClassName(dataSourceProperties.getDriverClassName());config.setUsername(dataSourceProperties.getUsername());config.setPassword(dataSourceProperties.getPassword());config.setPoolName(dataSourceProperties.getPoolName());config.setReadOnly(dataSourceProperties.isReadOnly());config.setAutoCommit(dataSourceProperties.isAutoCommit());config.setMaximumPoolSize(dataSourceProperties.getMaximumPoolSize());//maxLifetime 池中连接最长生命周期config.setMaxLifetime(dataSourceProperties.getMaxLifetime());//等待来自池的连接的最大毫秒数 30000config.setIdleTimeout(dataSourceProperties.getIdleTimeout());//连接将被测试活动的最大时间量config.setValidationTimeout(dataSourceProperties.getValidationTimeout());HikariDataSource dataSource = new HikariDataSource(config);logger.info("init new dataSource: {}", dataSource);return dataSource;}
}

4.使用

此时使用与其他数据库连接池的使用方式没什么区别了

详细的Springboot使用hikari连接池并进行Kerberos认证访问Impala的demo地址：https://github.com/Raray-chuan/springboot-kerberos-hikari-impala