[ 
https://issues.apache.org/jira/browse/PHOENIX-6908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17701336#comment-17701336
 ] 

ASF GitHub Bot commented on PHOENIX-6908:
-----------------------------------------

stoty commented on code in PR #123:
URL: 
https://github.com/apache/phoenix-queryserver/pull/123#discussion_r1139228724


##########
phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java:
##########
@@ -633,6 +625,26 @@ SimpleLRUCache<String,UserGroupInformation> getCache() {
       }
   }
 
+  /**
+   * The new Jetty kerberos implementation that we use strips the realm from 
the principal, which
+   * and Hadoop cannot process that.
+   * This strips the hostname part as well, so that only the username remains.
+
+   * @param remoteUserName the principal as received from Jetty
+   * @return the principal without the hostname part
+   */
+  //FIXME We are probably compensating for a Jetty a bug, which should really 
be fixed in Jetty
+  private static String stripHostNameFromPrincipal(String remoteUserName) {
+      // realm got removed from remoteUserName in CALCITE-4152
+      // so we remove the instance name to avoid geting 
KerberosName$NoMatchingRule exception
+      int atSignIndex = remoteUserName.indexOf('@');
+      int separatorIndex = remoteUserName.indexOf('/');
+      if (atSignIndex == -1 && separatorIndex > 0) {
+        remoteUserName = remoteUserName.substring(0, separatorIndex);
+      }
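
Review bot: the Javadoc on stripHostNameFromPrincipal does not match the condition below it. The comment says the method strips the hostname part so that only the username remains, but the `atSignIndex == -1 && separatorIndex > 0` check only does that when the name contains no '@', so a principal that still carries a realm is left unchanged. Please state that in the Javadoc, and repair its first sentence ("which and Hadoop cannot process that") and the "geting" typo in the inline comment. remoteUserName is also passed straight to indexOf with no null check, so if the caller can hand in null, guard for it before these lines. Because the instance part is cut off by hand with substring, every realm-less `name/<anything>` maps to the same user `name`. A sentence in the Javadoc would record that this is intended.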

Review Comment:
   The Hadoop API can handle phoenix/[email protected]. It breaks on phoenix/pqs.apache.org.





> KerberosName$NoMatchingRule exception in QueryServer.PhoenixRemoteUserExtractor
> -------------------------------------------------------------------------------
>
>                 Key: PHOENIX-6908
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-6908
>             Project: Phoenix
>          Issue Type: Bug
>          Components: queryserver
>    Affects Versions: queryserver-6.0.1
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>
> This seems to be the same issue that [~richardantal] solved for the normal 
> path in PHOENIX-6750.
> I am not totally convinced that Jetty stripping the realm is not a bug, but 
> for now we can apply the same logic to strip the hostname as we do in the 
> non-doAs path.
> {noformat}
> java.lang.IllegalArgumentException: Illegal principal name knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work
>       at org.apache.hadoop.security.User.<init>(User.java:51)
>       at org.apache.hadoop.security.User.<init>(User.java:43)
>       at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1418)
>       at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1402)
>       at org.apache.phoenix.queryserver.server.QueryServer$PhoenixRemoteUserExtractor.extract(QueryServer.java:554)
>       at org.apache.calcite.avatica.server.AvaticaProtobufHandler.handle(AvaticaProtobufHandler.java:124)
>       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:560)
> ...{noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
