add 'validate' option to disable or enable hostname verification

impala/_thrift_api.py

@@ -20,14 +20,14 @@
 
 from __future__ import absolute_import
 
+import getpass
 import os
 import sys
+
 import six
-import getpass
 
 from impala.util import get_logger_and_init_null
 
-
 log = get_logger_and_init_null(__name__)
 
 
@@ -94,7 +94,7 @@
     ThriftClient = TClient
 
 
-def get_socket(host, port, use_ssl, ca_cert):
+def get_socket(host, port, use_ssl, ca_cert, ssl_verify_cert):
     # based on the Impala shell impl
     log.debug('get_socket: host=%s port=%s use_ssl=%s ca_cert=%s',
               host, port, use_ssl, ca_cert)
@@ -103,15 +103,15 @@ def get_socket(host, port, use_ssl, ca_cert):
         if six.PY2:
             from thrift.transport.TSSLSocket import TSSLSocket
             if ca_cert is None:
-                return TSSLSocket(host, port, validate=False)
+                return TSSLSocket(host, port, ssl_verify_cert=False)
             else:
-                return TSSLSocket(host, port, validate=True, ca_certs=ca_cert)
+                return TSSLSocket(host, port, ssl_verify_cert=ssl_verify_cert, ca_certs=ca_cert)
         else:
             from thriftpy.transport.sslsocket import TSSLSocket
             if ca_cert is None:
-                return TSSLSocket(host, port, validate=False)
+                return TSSLSocket(host, port, ssl_verify_cert=False)
             else:
-                return TSSLSocket(host, port, validate=True, cafile=ca_cert)
+                return TSSLSocket(host, port, ssl_verify_cert=ssl_verify_cert, cafile=ca_cert)
     else:
         return TSocket(host, port)
 

impala/dbapi.py

@@ -38,7 +38,8 @@
 
 
 def connect(host='localhost', port=21050, database=None, timeout=None,
-            use_ssl=False, ca_cert=None, auth_mechanism='NOSASL', user=None,
+            use_ssl=False, ca_cert=None, validate=True,
+            auth_mechanism='NOSASL', user=None,
             password=None, kerberos_service_name='impala', use_ldap=None,
             ldap_user=None, ldap_password=None, use_kerberos=None,
             protocol=None):
@@ -65,6 +66,8 @@ def connect(host='localhost', port=21050, database=None, timeout=None,
         Local path to the the third-party CA certificate. If SSL is enabled but
         the certificate is not specified, the server certificate will not be
         validated.
+    validate : bool, optional
+         hostname should be checked or not for SSL connection
     auth_mechanism : {'NOSASL', 'PLAIN', 'GSSAPI', 'LDAP'}
         Specify the authentication mechanism. `'NOSASL'` for unsecured Impala.
         `'PLAIN'` for unsecured Hive (because Hive requires the SASL
@@ -141,8 +144,8 @@ def connect(host='localhost', port=21050, database=None, timeout=None,
                 "supported".format(protocol))
 
     service = hs2.connect(host=host, port=port,
-                          timeout=timeout, use_ssl=use_ssl,
-                          ca_cert=ca_cert, user=user, password=password,
+                          timeout=timeout, use_ssl=use_ssl, ca_cert=ca_cert,
+                          validate=validate, user=user, password=password,
                           kerberos_service_name=kerberos_service_name,
                           auth_mechanism=auth_mechanism)
     return hs2.HiveServer2Connection(service, default_db=database)

impala/hiveserver2.py

@@ -736,12 +736,12 @@ def threaded(func):
     raise NotImplementedError
 
 
-def connect(host, port, timeout=None, use_ssl=False, ca_cert=None,
-            user=None, password=None, kerberos_service_name='impala',
+def connect(host, port, timeout=None, use_ssl=False, ca_cert=None, user=None,
+            validate=True, password=None, kerberos_service_name='impala',
             auth_mechanism=None):
     log.debug('Connecting to HiveServer2 %s:%s with %s authentication '
              'mechanism', host, port, auth_mechanism)
-    sock = get_socket(host, port, use_ssl, ca_cert)
+    sock = get_socket(host, port, use_ssl, ca_cert, validate)
     if timeout is not None:
         timeout = timeout * 1000.  # TSocket expects millis
     if six.PY2: