[ https://issues.apache.org/jira/browse/HIVE-15319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16549088#comment-16549088 ]

Zoltan Chovan commented on HIVE-15319:
--------------------------------------

Checking this by exporting HADOOP_OPTS="-Dsun.security.krb5.debug=true", it
seems that the server realm is coming from the domain_realm configuration
instead of the realm specified in the connection string.

The following connection fails:
{noformat}
beeline -u "jdbc:hive2://my.hostname.com:10000/;principal=hive/[email protected]"
{noformat}
The trace shows the following:
{noformat}
>>> Realm doInitialParse: cRealm=[USER.REALM], sRealm=[DUMMY.REALM.COM]
{noformat}
Content of krb5.conf with intentionally incorrect realm set up:
{noformat}
[domain_realm]
.my.hostname.com = DUMMY.REALM.COM
my.hostname.com = DUMMY.REALM.COM
{noformat}

Note: USER.REALM is coming from the ticket cache.

> Beeline is not validating Kerberos realm
> ----------------------------------------
>
>                 Key: HIVE-15319
>                 URL: https://issues.apache.org/jira/browse/HIVE-15319
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Matyas Orhidi
>            Priority: Major
>
> Having "hive.server2.authentication.kerberos.principal" property set as 
> "hive/[email protected]" [1] in HS2 
> - When connecting to the service using beeline, seemingly the realm part of 
> the service principal in the JDBC URL is not validated 
> - You can connect to HS2 using any realm e.g. 
> principal=hive/[email protected] [2] 
> [1] <property> 
> <name>hive.server2.authentication.kerberos.principal</name> 
> <value>hive/[email protected]</value> 
> </property> 
> [2] 
> 'jdbc:hive2://somehost:10000/default;principal=hive/[email protected]'



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
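
The behaviour described in the comment above can be checked before connecting by comparing the realm in the JDBC URL's `principal=` with the realm that `[domain_realm]` maps the host to. This is an added example, not code from Hive or from the commenter; the lookup order is a simplified assumption (exact host entry, then parent `.domain` entries), and `EXPECTED.REALM` and the sample config are constructed placeholders.

```python
import re

# Constructed krb5.conf; the [domain_realm] lines mirror the comment above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = USER.REALM

[domain_realm]
    .my.hostname.com = DUMMY.REALM.COM
    my.hostname.com = DUMMY.REALM.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {domain: realm}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "domain_realm" and "=" in line:
            domain, realm = (p.strip() for p in line.split("=", 1))
            mapping[domain.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Simplified lookup (assumption): exact host, then each parent '.domain'."""
    host = host.lower()
    candidates = [host]
    while "." in host:
        host = host.split(".", 1)[1]
        candidates.append("." + host)
    return next((mapping[c] for c in candidates if c in mapping), None)

def check_jdbc_url(url, conf_text):
    """Compare the realm in ;principal= with the domain_realm mapping for the host."""
    host = re.match(r"jdbc:hive2://([^:/;]+)", url)
    principal = re.search(r";principal=([^;?#]+)", url)
    if not host or not principal or "@" not in principal.group(1):
        raise ValueError("URL needs a host and a principal with a realm")
    url_realm = principal.group(1).rsplit("@", 1)[1]
    mapped = realm_for_host(host.group(1), parse_domain_realm(conf_text))
    return {"host": host.group(1), "url_realm": url_realm, "mapped_realm": mapped,
            "mismatch": mapped is not None and mapped != url_realm}

if __name__ == "__main__":
    # Constructed URL; EXPECTED.REALM is a placeholder, not a value from the issue.
    url = "jdbc:hive2://my.hostname.com:10000/;principal=hive/my.hostname.com@EXPECTED.REALM"
    print(check_jdbc_url(url, SAMPLE_KRB5_CONF))
```

A `mismatch` of `True` means the client library may resolve a different server realm than the one written in the URL, which is the situation shown in the debug trace.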
