[
https://issues.apache.org/jira/browse/HIVE-13590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15677292#comment-15677292
]
Ruslan Dautkhanov commented on HIVE-13590:
------------------------------------------
I got it now. Thanks for explaining. The key piece is "where LDAP and Kerberos
are two separate authentication systems". In our case they are the same (the
same Active Directory is used for both Kerberos and LDAP authentication).
Although it's totally possible when authentication backends behind Kerberos and
LDAP are separate. Then best solutions could be to either:
1) Make a switch if auth_to_local is used for LDAP or Kerberos, or both;
2) Make two separate mappings - one for Kerberos (that could stay to be
auth_to_local), and introduce a new mapping auth_ldap_to_local (just to give
you an idea).
Thank you.
> Kerberized HS2 with LDAP auth enabled fails in multi-domain LDAP case
> ---------------------------------------------------------------------
>
> Key: HIVE-13590
> URL: https://issues.apache.org/jira/browse/HIVE-13590
> Project: Hive
> Issue Type: Bug
> Components: Authentication, Security
> Reporter: Chaoyu Tang
> Assignee: Chaoyu Tang
> Fix For: 2.2.0, 2.1.1
>
> Attachments: HIVE-13590.1.patch, HIVE-13590.1.patch,
> HIVE-13590.patch, HIVE-13590.patch
>
>
> In a kerberized HS2 with LDAP authentication enabled, an LDAP user usually logs
> in using a username in the form username@domain in the LDAP multi-domain case. But
> it fails if the domain is not in the Hadoop auth_to_local mapping rule; the
> error is as follows:
> {code}
> Caused by:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to [email protected]
> at
> org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
> at org.apache.hadoop.security.User.<init>(User.java:48)
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
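To make the failure in the quoted description concrete (a one-component name whose "realm" is an LDAP domain the auth_to_local rules do not cover), and to show what the mapping discussed in the comment does when a rule for that domain is present, here is a simplified re-implementation of Hadoop's auth_to_local rule evaluation. It is an added example, not code from this thread, from Hive, or from Hadoop. It follows the documented rule syntax (DEFAULT, and RULE:[n:fmt](regex)s/from/to/[g][/L]) but omits escaped slashes in the sed part and Hadoop's newer "hadoop" mechanism check; the realm EXAMPLE.COM and the domain corp.example.org are constructed values.

```python
"""Simplified re-implementation of Hadoop auth_to_local rule evaluation.

Added example; not Hive's or Hadoop's code. Realm and domain names are
constructed. Simplifications: no escaped '/' inside s/from/to/, and no
post-mapping check that the result is a simple name.
"""
import re
from typing import List, Optional, Tuple


class NoMatchingRule(Exception):
    """Raised when no auth_to_local rule accepts the principal."""


# RULE:[n:fmt](match)s/from/to/g/L  -- every part after [n:fmt] is optional
_RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]+)\]"
    r"(?:\((?P<match>[^)]*)\))?"
    r"(?:s/(?P<from>[^/]*)/(?P<to>[^/]*)/(?P<g>g)?)?"
    r"(?P<lower>/L)?$"
)


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'name[/host]@REALM' into (components, realm).

    An LDAP-style login 'user@domain' parses the same way: one component,
    with the LDAP domain landing in the realm position.
    """
    if "@" not in principal:
        raise ValueError(f"principal has no realm: {principal!r}")
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule: str, components: List[str], realm: str,
               default_realm: str) -> Optional[str]:
    """Return the mapped local name, or None if this rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only fires for the local Kerberos realm; any other
        # realm (or LDAP domain) falls through to the next rule.
        return components[0] if realm == default_realm else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed rule: {rule!r}")
    if int(m["n"]) != len(components):
        return None                      # rule is for a different arity
    # $0 is the realm, $1.. are the principal components
    text = m["fmt"].replace("$0", realm)
    for i, comp in enumerate(components, 1):
        text = text.replace(f"${i}", comp)
    if m["match"] is not None and not re.fullmatch(m["match"], text):
        return None                      # regex must match the whole string
    if m["from"] is not None:
        count = 0 if m["g"] else 1       # 'g' == replace all, else first only
        text = re.sub(m["from"], m["to"], text, count=count)
    if m["lower"]:
        text = text.lower()
    return text


def to_local_name(principal: str, rules: List[str], default_realm: str) -> str:
    """First rule that applies wins; none applying is the NoMatchingRule case."""
    components, realm = parse_principal(principal)
    for rule in rules:
        result = apply_rule(rule, components, realm, default_realm)
        if result is not None:
            return result
    raise NoMatchingRule(f"No rules applied to {principal}")


def demo() -> dict:
    """Walk through the cases from the issue with constructed names."""
    default_realm = "EXAMPLE.COM"                    # constructed krb5 realm
    only_default = ["DEFAULT"]
    with_ldap_domain = [
        # constructed rule: one-component names in the LDAP domain
        # corp.example.org are accepted and the domain is stripped
        r"RULE:[1:$1@$0](.*@corp\.example\.org)s/@.*//",
        # constructed rule: map the two-component HS2 service principal
        r"RULE:[2:$1@$0](hive@EXAMPLE.COM)s/.*/hive/",
        "DEFAULT",
    ]
    out = {}
    out["kerberos_user"] = to_local_name("alice@EXAMPLE.COM", only_default, default_realm)
    try:
        to_local_name("alice@corp.example.org", only_default, default_realm)
        out["ldap_user_no_rule"] = "mapped"
    except NoMatchingRule as exc:
        out["ldap_user_no_rule"] = str(exc)   # the error from the issue
    out["ldap_user_with_rule"] = to_local_name(
        "alice@corp.example.org", with_ldap_domain, default_realm)
    out["service_principal"] = to_local_name(
        "hive/hs2.example.com@EXAMPLE.COM", with_ldap_domain, default_realm)
    return out


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

The middle case is the stack trace in the description: with only DEFAULT configured, a login whose domain is not the default Kerberos realm matches nothing and raises. The fix on the configuration side is a rule whose regex covers that domain, which is also why the comment's suggestion of a separate LDAP mapping is attractive when the Kerberos realm and the LDAP domains are unrelated: one rule set would otherwise have to enumerate both.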