[
https://issues.apache.org/jira/browse/SPARK-42947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17755180#comment-17755180
]
Ignite TC Bot commented on SPARK-42947:
---------------------------------------
User 'liujiayi771' has created a pull request for this issue:
https://github.com/apache/spark/pull/40577
> Spark Thriftserver LDAP should not use DN pattern if user contains domain
> -------------------------------------------------------------------------
>
> Key: SPARK-42947
> URL: https://issues.apache.org/jira/browse/SPARK-42947
> Project: Spark
> Issue Type: Bug
> Components: SQL
> Affects Versions: 3.4.0
> Reporter: Jiayi Liu
> Priority: Major
>
> When the LDAP provider has domain configuration, such as Active Directory,
> the principal should not be constructed according to the DN pattern, but the
> username containing the domain should be directly passed to the LDAP provider
> as the principal. We can refer to the implementation of Hive LdapUtils.
> When the username contains a domain or domain passes from
> hive.server2.authentication.ldap.Domain configuration, if we construct the
> principal according to the DN pattern (For example,
> uid=user@domain,dc=test,dc=com), we will get the following error:
> {code:java}
> 23/03/28 11:01:48 ERROR TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: Error validating the login
> at
> org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:108)
> ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> at
> org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:537)
> ~[libthrift-0.12.0.jar:0.12.0]
> at
> org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
> ~[libthrift-0.12.0.jar:0.12.0]
> at
> org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:43)
> ~[libthrift-0.12.0.jar:0.12.0]
> at
> org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:223)
> ~[libthrift-0.12.0.jar:0.12.0]
> at
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:293)
> ~[libthrift-0.12.0.jar:0.12.0]
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> ~[?:1.8.0_352]
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> ~[?:1.8.0_352]
> at java.lang.Thread.run(Thread.java:750) ~[?:1.8.0_352]
> Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP
> user
> at
> org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:76)
> ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> at
> org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:105)
> ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> at
> org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:101)
> ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> ... 8 more
> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 -
> 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data
> 52e, v2580]
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3261)
> ~[?:1.8.0_352]
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)
> ~[?:1.8.0_352]
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2993)
> ~[?:1.8.0_352]
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2907) ~[?:1.8.0_352]
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347) ~[?:1.8.0_352]
> at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)
> ~[?:1.8.0_352]
> at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
> ~[?:1.8.0_352]
> at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)
> ~[?:1.8.0_352]
> at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
> ~[?:1.8.0_352]
> at
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
> ~[?:1.8.0_352]
> at
> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
> ~[?:1.8.0_352]
> at
> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
> ~[?:1.8.0_352]
> at javax.naming.InitialContext.init(InitialContext.java:244)
> ~[?:1.8.0_352]
> at javax.naming.InitialContext.<init>(InitialContext.java:216)
> ~[?:1.8.0_352]
> at
> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
> ~[?:1.8.0_352]
> at
> org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:73)
> ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> at
> org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:105)
> ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> at
> org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:101)
> ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> ... 8 more
> {code}
> we should pass user@domain directly to the LDAP provider, just like
> HiveServer did.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
