granewang commented on code in PR #6778:
URL: https://github.com/apache/gravitino/pull/6778#discussion_r2020801093
##########
server-common/src/main/java/org/apache/gravitino/server/authentication/KerberosAuthenticator.java:
##########
@@ -170,14 +168,15 @@ private Principal retrievePrincipalFromToken(String
serverPrincipal, byte[] clie
throw new UnauthorizedException("GssContext isn't established",
challenge);
}
- // Usually principal names are in the form 'user/instance@REALM' or
'user@REALM'.
- List<String> principalComponents =
- Splitter.on('@').splitToList(gssContext.getSrcName().toString());
- if (principalComponents.size() != 2) {
- throw new UnauthorizedException("Principal has wrong format",
AuthConstants.NEGOTIATE);
- }
-
- String user = principalComponents.get(0);
+ // Valid Kerberos principal formats (both require realm suffix):
+ // 1. User principal with instance: 'username/instance@REALM' (e.g.
'user1/[email protected]')
+ // 2. Basic user principal: 'username@REALM' (e.g. '[email protected]')
+ //
+ // HMS Compatibility Notice:
+ // 1. Realm-less with instance format (e.g. 'username/instance') will be
rejected by HMS
Review Comment:
> We won't give Hive HMS `username/instance` if we use origin logic. Maybe
we should use another solution. You can see HiveProxyPlugin#69Line.
This is indeed a fairly good solution. I've modified the code.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
