[
https://issues.apache.org/jira/browse/HBASE-30042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
JinHyuk Kim updated HBASE-30042:
--------------------------------
Description:
h1. Problem
{{AuthUtil.loginClient(conf)}} may fail in test environments *when the JVM
already has Kerberos credentials from a different principal* (e.g., via
{{{}kinit{}}}).
In this case, the method may reuse the existing login user instead of using the
configured keytab and principal, leading to unexpected behavior.
For example, calling {{user.getShortName()}} may throw:
{code:java}
Caused by: java.lang.IllegalArgumentException: Illegal principal name
[email protected]:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No
rules applied to [email protected] at
org.apache.hadoop.security.User.<init>(User.java:51) at
org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:225)
... 52 moreCaused by:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No
rules applied to [email protected] at
org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
at org.apache.hadoop.security.User.<init>(User.java:48) ... 53 more {code}
This typically occurs when the existing principal belongs to a different realm
than the test configuration (e.g., MiniKdc realm), and the default
{{auth_to_local}} rule does not apply.
This issue is especially reproducible when running tests locally with existing
Kerberos credentials
was:
h1. Problem
{{AuthUtil.loginClient(conf)}} may fail in test environments *when the JVM
already has Kerberos credentials from a different principal* (e.g., via
{{{}kinit{}}}).
In this case, the method may reuse the existing login user instead of using the
configured keytab and principal, leading to unexpected behavior.
For example, calling {{user.getShortName()}} may throw:
{code:java}
Caused by: java.lang.IllegalArgumentException: Illegal principal name
[email protected]:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No
rules applied to [email protected] at
org.apache.hadoop.security.User.<init>(User.java:51) at
org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:225)
... 52 moreCaused by:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No
rules applied to [email protected] at
org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
at org.apache.hadoop.security.User.<init>(User.java:48) ... 53 more {code}
This typically occurs when the existing principal belongs to a different realm
than the test configuration (e.g., MiniKdc realm), and the default
{{auth_to_local}} rule does not apply.
> AuthUtil.loginClient fails when another Kerberos user is already logged in
> --------------------------------------------------------------------------
>
> Key: HBASE-30042
> URL: https://issues.apache.org/jira/browse/HBASE-30042
> Project: HBase
> Issue Type: Test
> Components: test
> Reporter: JinHyuk Kim
> Assignee: JinHyuk Kim
> Priority: Minor
>
> h1. Problem
> {{AuthUtil.loginClient(conf)}} may fail in test environments *when the JVM
> already has Kerberos credentials from a different principal* (e.g., via
> {{{}kinit{}}}).
> In this case, the method may reuse the existing login user instead of using
> the configured keytab and principal, leading to unexpected behavior.
> For example, calling {{user.getShortName()}} may throw:
> {code:java}
> Caused by: java.lang.IllegalArgumentException: Illegal principal name
> [email protected]:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to [email protected] at
> org.apache.hadoop.security.User.<init>(User.java:51) at
> org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:225)
> ... 52 moreCaused by:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to [email protected] at
> org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
> at org.apache.hadoop.security.User.<init>(User.java:48) ... 53 more {code}
> This typically occurs when the existing principal belongs to a different
> realm than the test configuration (e.g., MiniKdc realm), and the default
> {{auth_to_local}} rule does not apply.
> This issue is especially reproducible when running tests locally with
> existing Kerberos credentials
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
