[jira] [Updated] (PHOENIX-6908) KerberosName$NoMatchingRule exception in QueryServer.PhoenixRemoteUserExtractor

Tue, 14 Mar 2023 11:44:12 -0700 


     [ 
https://issues.apache.org/jira/browse/PHOENIX-6908?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Istvan Toth updated PHOENIX-6908:
---------------------------------
    Description: 
This seems to be the same issue that [~richardantal] solved for the normal path 
in PHOENIX-6750.

I am not totally convinced that Jetty stripping the realm is not a bug, but for 
now we can apply the same logic to strip the hostname as we do in the non-doAs 
path.
{noformat}
java.lang.IllegalArgumentException: Illegal principal name 
knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work: 
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No 
rules applied to 
knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work
        at org.apache.hadoop.security.User.<init>(User.java:51)
        at org.apache.hadoop.security.User.<init>(User.java:43)
        at 
org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1418)
        at 
org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1402)
        at 
org.apache.phoenix.queryserver.server.QueryServer$PhoenixRemoteUserExtractor.extract(QueryServer.java:554)
        at 
org.apache.calcite.avatica.server.AvaticaProtobufHandler.handle(AvaticaProtobufHandler.java:124)
        at 
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:560)
...{noformat}

  was:
This seems to be the same issue that [~richardantal] solved for the normal path 
in PHOENIX-6750.

I am not totally convinced that Jetty stripping the realm is not a bug, but for 
now we can apply the same logic to strip the hostname as we do in the non-doAs 
path.
java.lang.IllegalArgumentException: Illegal principal name 
knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work: 
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No 
rules applied to 
knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work
        at org.apache.hadoop.security.User.<init>(User.java:51)
        at org.apache.hadoop.security.User.<init>(User.java:43)
        at 
org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1418)
        at 
org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1402)
        at 
org.apache.phoenix.queryserver.server.QueryServer$PhoenixRemoteUserExtractor.extract(QueryServer.java:554)
        at 
org.apache.calcite.avatica.server.AvaticaProtobufHandler.handle(AvaticaProtobufHandler.java:124)
        at 
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:560)


> KerberosName$NoMatchingRule exception in 
> QueryServer.PhoenixRemoteUserExtractor
> -------------------------------------------------------------------------------
>
>                 Key: PHOENIX-6908
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-6908
>             Project: Phoenix
>          Issue Type: Bug
>          Components: queryserver
>    Affects Versions: queryserver-6.0.1
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>
> This seems to be the same issue that [~richardantal] solved for the normal 
> path in PHOENIX-6750.
> I am not totally convinced that Jetty stripping the realm is not a bug, but 
> for now we can apply the same logic to strip the hostname as we do in the 
> non-doAs path.
> {noformat}
> java.lang.IllegalArgumentException: Illegal principal name 
> knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work: 
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: 
> No rules applied to 
> knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work
>       at org.apache.hadoop.security.User.<init>(User.java:51)
>       at org.apache.hadoop.security.User.<init>(User.java:43)
>       at 
> org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1418)
>       at 
> org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1402)
>       at 
> org.apache.phoenix.queryserver.server.QueryServer$PhoenixRemoteUserExtractor.extract(QueryServer.java:554)
>       at 
> org.apache.calcite.avatica.server.AvaticaProtobufHandler.handle(AvaticaProtobufHandler.java:124)
>       at 
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:560)
> ...{noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to