jerqi commented on PR #9112:
URL: https://github.com/apache/gravitino/pull/9112#issuecomment-3531103504

   > In our KDC, tenant principals are all in the format test/test@realm.
   > According to Hadoop's auth_to_local ' RULE:[2:$1@$0](.*@.*)s/@._//,RULE:[1:$1@$0](.*@.*)s/@._//,DEFAULT ',
   > this will be mapped to "test," and the user in ranger/ldap is also "test." When we use
   > this type of principal with Gravitino-spark-connector, we encounter an error as
   > shown in the image above.
   
   Got it.
   Currently, we need to get the client principal for the HiveClient; you can
   see the code:
   ```java
   @Override
   public Object doAs(
       Principal principal, Executable<Object, Exception> action, Map<String, String> properties)
       throws Throwable {
     try {
       UserGroupInformation proxyUser;

       if (UserGroupInformation.isSecurityEnabled() && ops != null) {

         // The Gravitino server may use multiple KDC servers.
         // The http authentication use one KDC server, the Hive catalog may use another KDC server.
         // The KerberosAuthenticator will remove realm of principal.
         // And then we add the realm of Hive catalog to the user.
         final String finalPrincipalName;
         String proxyKerberosPrincipalName = principal.getName();
         if (!proxyKerberosPrincipalName.contains("@")) {
           finalPrincipalName =
               String.format("%s@%s", proxyKerberosPrincipalName, ops.getKerberosRealm());
         } else {
           finalPrincipalName = proxyKerberosPrincipalName;
         }

         proxyUser = UserGroupInformation.createProxyUser(finalPrincipalName, realUser);

         String token =
             ops.getClientPool()
                 .run(
                     client -> {
                       return client.getDelegationToken(finalPrincipalName, realUser.getUserName());
                     });

         Token<DelegationTokenIdentifier> delegationToken = new Token<DelegationTokenIdentifier>();
         delegationToken.decodeFromUrlString(token);
         delegationToken.setService(
             new Text(ops.getHiveConf().getVar(HiveConf.ConfVars.METASTORE_TOKEN_SIGNATURE)));

         proxyUser.addToken(delegationToken);
       } else {

         proxyUser = UserGroupInformation.createProxyUser(principal.getName(), realUser);
       }
   ```
   The principal should be consistent with the client.
   
   Maybe you should add a KerberosPrincipal
   ```java
   class KerberosPrincipal {
       String username();
       Optional<String> instanceName();
   }
   ```
   So we can get the correct client principal in the HiveProxyPlugin. And you 
get the correct user name in our system, too.
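
A sketch of the KerberosPrincipal type suggested above, added here as an example and not Gravitino's own code: it parses primary/instance@REALM and shows, for the test/test principal from the report, why re-attaching the Hive realm to the bare short name produces a different principal than keeping the instance component. The class layout, the parse/withRealm methods and the realm names are assumptions.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical value type for the KerberosPrincipal proposed in the comment (not Gravitino code).
// Parses primary[/instance][@REALM] and re-attaches a realm without dropping the instance.
public final class KerberosPrincipal {
  private static final Pattern FORM =
      Pattern.compile("^([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?$");
  private final String username;
  private final Optional<String> instanceName;
  private final Optional<String> realm;

  private KerberosPrincipal(String username, Optional<String> instanceName, Optional<String> realm) {
    this.username = username;
    this.instanceName = instanceName;
    this.realm = realm;
  }

  public static KerberosPrincipal parse(String principal) {
    Matcher m = FORM.matcher(principal);
    if (!m.matches()) {
      throw new IllegalArgumentException("not a Kerberos principal: " + principal);
    }
    return new KerberosPrincipal(
        m.group(1), Optional.ofNullable(m.group(2)), Optional.ofNullable(m.group(3)));
  }

  public String username() { return username; }
  public Optional<String> instanceName() { return instanceName; }

  // Full principal in the Hive catalog's realm; the instance is kept, so the name still
  // matches the principal the client actually authenticated with.
  public String withRealm(String hiveRealm) {
    String base = instanceName.map(i -> username + "/" + i).orElse(username);
    return base + "@" + hiveRealm;
  }

  // What the plugin does today when it only has the auth_to_local short name.
  static String shortNameWithRealm(String shortName, String hiveRealm) {
    return shortName.contains("@") ? shortName : shortName + "@" + hiveRealm;
  }

  public static void main(String[] args) {
    KerberosPrincipal p = KerberosPrincipal.parse("test/test@CLIENT.REALM");
    // Only "test" survives auth_to_local, so the old path asks Hive's KDC for a principal
    // without the instance, while withRealm keeps test/test in the Hive realm.
    System.out.println(shortNameWithRealm(p.username(), "HIVE.REALM"));
    System.out.println(p.withRealm("HIVE.REALM"));
  }
}
```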
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.