granewang opened a new issue, #6777:
URL: https://github.com/apache/gravitino/issues/6777

   ### Version
   
   main branch
   
   ### Describe what's wrong
   
   After running kinit with a keytab, executing the spark-sql command with the following configurations:
   spark-sql -v --conf spark.plugins="org.apache.gravitino.spark.connector.plugin.GravitinoSparkPlugin" --conf spark.sql.gravitino.uri=http://xx.xx.xx.xx:8090 --conf spark.sql.gravitino.metalake=nameOfmetalake --conf spark.sql.gravitino.enableIcebergSupport=true --conf spark.sql.warehouse.dir=xxxxx --conf spark.sql.gravitino.authType=kerberos
   And then execute:
   use hive_catalog3;  (should be created before this step)
   show databases;
   error occurred:
   
   
![Image](https://github.com/user-attachments/assets/f7531b2c-8683-4fa7-bfb7-8bffe10c67b6)
   
   HMS logs:
   2025-03-28T11:50:02,729  INFO [pool-6-thread-154] HiveMetaStore.audit: ugi=hive/[email protected]     ip=10xxxx   cmd=get_delegation_token
   2025-03-28T11:50:02,886 ERROR [pool-6-thread-154] metastore.RetryingHMSHandler: MetaException(message:java.lang.IllegalArgumentException: Illegal principal name hdfs/xxxxocal: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to hdfs/xxxxocal)
           at org.apache.hadoop.hive.metastore.HiveMetaStore$HMSHandler.newMetaException(HiveMetaStore.java:7054)
           at org.apache.hadoop.hive.metastore.HiveMetaStore$HMSHandler.get_delegation_token(HiveMetaStore.java:6764)
           at sun.reflect.GeneratedMethodAccessor204.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
           at java.lang.reflect.Method.invoke(Method.java:498)
           at org.apache.hadoop.hive.metastore.RetryingHMSHandler.invokeInternal(RetryingHMSHandler.java:147)
           at org.apache.hadoop.hive.metastore.RetryingHMSHandler.invoke(RetryingHMSHandler.java:108)
           at com.sun.proxy.$Proxy27.get_delegation_token(Unknown Source)
           at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_delegation_token.getResult(ThriftHiveMetastore.java:18284)
           at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_delegation_token.getResult(ThriftHiveMetastore.java:18263)
           at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:38)
           at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:38)
           at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:637)
           at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:632)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.Subject.doAs(Subject.java:422)
           at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1878)
           at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:632)
           at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:313)
           at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
           at java.lang.Thread.run(Thread.java:750)
   Caused by: java.lang.IllegalArgumentException: Illegal principal name hdfs/xxxxxcal: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to hdfs/xxxxxal
           at org.apache.hadoop.security.User.<init>(User.java:51)
           at org.apache.hadoop.security.User.<init>(User.java:43)
           at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1418)
           at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1402)
           at org.apache.hadoop.hive.metastore.security.MetastoreDelegationTokenManager.getDelegationToken(MetastoreDelegationTokenManager.java:94)
           at org.apache.hadoop.hive.metastore.HiveMetaStore.getDelegationToken(HiveMetaStore.java:8818)
           at org.apache.hadoop.hive.metastore.HiveMetaStore$HMSHandler.get_delegation_token(HiveMetaStore.java:6757)
           ... 20 more
   Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to hdfs/xxxxocal
           at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
           at org.apache.hadoop.security.User.<init>(User.java:48)
           ... 26 more
   
   ### Error message and/or stacktrace
   
   
![Image](https://github.com/user-attachments/assets/f6b05ca8-364d-4469-83f4-e67547ea67ba)
   
   
   ### How to reproduce
   
   gravitino configured with kerberos, kerberos with spark and hive cluster:
   spark-sql -v --conf spark.plugins="org.apache.gravitino.spark.connector.plugin.GravitinoSparkPlugin" --conf spark.sql.gravitino.uri=http://xx.xx.xx.xx:8090 --conf spark.sql.gravitino.metalake=nameOfmetalake --conf spark.sql.gravitino.enableIcebergSupport=true --conf spark.sql.warehouse.dir=xxxxx --conf spark.sql.gravitino.authType=kerberos
   And then execute:
   use hive_catalog3;  (should be created before this step)
   show databases;
   
   ### Additional context
   
   _No response_

