shubham-goel99 opened a new issue, #5622: URL: https://github.com/apache/kyuubi/issues/5622
### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)

### Search before asking

- [X] I have searched in the [issues](https://github.com/apache/kyuubi/issues?q=is%3Aissue) and found no similar issues.

### Describe the bug

I have encountered a bug in the Kyuubi server that is causing undesired behavior.

The Kyuubi server is kerberized, meaning that Kerberos authentication is required when connecting to it, and as a result there is a Service Principal Name (SPN) associated with it. The Kyuubi server is started by a user named 'A' and it has a Ticket-Granting Ticket (TGT) cache associated with it. Additionally, the Hive metastore is also kerberized, requiring the Spark driver process to communicate with it using Kerberos authentication exclusively.

The issue arises when the Spark driver process is spawned/started by the Kyuubi server with the same properties/environment variable (KRB5CCNAME) as the Kyuubi server itself. Since the Kyuubi server periodically runs kinit, the TGT cache gets overwritten with the SPN principal name. As a result, the Spark driver process ends up using the SPN principal to connect to the Hive metastore instead of the desired behavior of using user A's principal. Finally, the Kyuubi engine throws an error while connecting to the Hive metastore saying that no such user exists (as the Hive metastore is expecting A's principal name but instead it gets the SPN).

Here, Kyuubi acts both as a client and a server, and in these cases there are two principals involved: one for the server side (acceptor - SPN) and one for when Kyuubi acts as a client (initiator). However, Kyuubi only supports one principal and forces its use on both sides.
### Affects Version(s)

master

### Kyuubi Server Log Output

_No response_

### Kyuubi Engine Log Output

_No response_

### Kyuubi Server Configurations

```yaml
hadoop.security.authentication kerberos
kyuubi.authentication KERBEROS
kyuubi.kinit.principal HTTP/[email protected]
kyuubi.kinit.keytab <keytab location>
hadoop.security.auth_to_local.mechanism MIT
kyuubi.authentication.sasl.qop auth-conf
kyuubi.frontend.ssl.keystore.password <SSL_PASSWORD>
kyuubi.frontend.ssl.keystore.path <KEYSTORE_PATH>
kyuubi.frontend.ssl.keystore.type JKS
kyuubi.frontend.thrift.binary.ssl.enabled true
```

### Kyuubi Engine Configurations

```yaml
spark.sql.warehouse.dir <warehouse_dir_path>
spark.worker.cleanup.enabled True
spark.driver.defaultJavaOptions -Djava.security.debug=all -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true -Dsun.security.jgss.native=true -Dsun.security.jgss.lib=/usr/libexec/libgsswrap.so
spark.hadoop.javax.jdo.option.ConnectionURL jdbc:sqlserver://<server_name>;databaseName=<database_name>;authenticationScheme=JavaKerberos;trustStore=<truststore_path>;encrypt=false;integratedSecurity=true
spark.hadoop.javax.jdo.option.ConnectionDriverName com.microsoft.sqlserver.jdbc.SQLServerDriver
spark.sql.extensions io.delta.sql.DeltaSparkSessionExtension
spark.sql.catalog.spark_catalog org.apache.spark.sql.delta.catalog.DeltaCatalog
spark.sql.catalogImplementation hive
spark.authenticate true
spark.authenticate.secret <temp_secret>
spark.network.crypto.enabled true
spark.io.encryption.enabled true
```

### Additional context

_No response_

### Are you willing to submit PR?

- [ ] Yes. I would be willing to submit a PR with guidance from the Kyuubi community to fix.
- [X] No. I cannot submit a PR at this time.
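The failure reported above comes down to an inherited credential cache: the engine is launched with the server's KRB5CCNAME, and because the engine options set `sun.security.jgss.native=true`, the driver takes its Kerberos credentials from the native cache that variable names, so whatever the server's periodic kinit last wrote (the HTTP SPN) is what the driver presents to the metastore. The following is an added illustration, not Kyuubi's own code, of two launch-side defences a practitioner would want: giving each engine its own cache path so the server's kinit cannot overwrite it, and verifying from `klist` output that the cache actually holds the user's TGT (not a service principal) before the engine is allowed to connect. The klist samples, principal names, paths, and function names are constructed for the example.

```python
"""Keep the engine's Kerberos credential cache separate from the server's.

Added example (not Kyuubi code). Models the inherited-KRB5CCNAME failure and a
fail-closed check on the launch side. All sample values are constructed.
"""
import os
import re
from typing import Optional

# Matches the "Default principal:" line of MIT Kerberos `klist` output.
_DEFAULT_PRINCIPAL_RE = re.compile(r"^Default principal:\s*(\S+)\s*$", re.MULTILINE)

# Constructed klist output reproducing the issue: the server's periodic kinit
# has replaced user A's TGT with the HTTP service principal in the shared cache.
KLIST_AFTER_SERVER_KINIT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: HTTP/kyuubi.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/24 10:00:00  01/02/24 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed klist output for a per-engine cache that still holds A's TGT.
KLIST_USER_A = """\
Ticket cache: FILE:/var/run/kyuubi/krb5cc_engine_42
Default principal: A@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/24 10:00:00  01/02/24 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def parse_default_principal(klist_output: str) -> Optional[str]:
    """Return the default principal reported by klist, or None if absent."""
    m = _DEFAULT_PRINCIPAL_RE.search(klist_output)
    return m.group(1) if m else None


def is_service_principal(principal: str) -> bool:
    """Service principals have a service/instance name part, e.g. HTTP/host@REALM."""
    name_part = principal.split("@", 1)[0]
    return "/" in name_part


def check_initiator_principal(klist_output: str, expected_user: str, realm: str) -> bool:
    """True only if the cache holds the expected user's TGT, never a server SPN.

    Fails closed: an empty or unparsable cache, a different user, or any
    service principal (the acceptor identity) is rejected as the initiator.
    """
    actual = parse_default_principal(klist_output)
    if actual is None or is_service_principal(actual):
        return False
    return actual == f"{expected_user}@{realm}"


def build_engine_env(parent_env: dict, engine_id: str, cache_dir: str) -> dict:
    """Copy the server's environment but point the engine at its own ccache.

    The server's kinit writes to the cache named by the server's KRB5CCNAME; a
    child that inherits that variable reads the overwritten cache. A per-engine
    FILE cache removes the shared path, so the server's SPN can no longer
    displace the user's TGT in the engine's view.
    """
    env = dict(parent_env)
    cache_path = os.path.join(cache_dir, f"krb5cc_engine_{engine_id}")
    env["KRB5CCNAME"] = f"FILE:{cache_path}"
    return env


if __name__ == "__main__":
    # Shared-cache case from the report: the check rejects the SPN as initiator.
    print("shared cache ok:", check_initiator_principal(KLIST_AFTER_SERVER_KINIT, "A", "EXAMPLE.COM"))
    # Isolated per-engine cache: the user's TGT is what the engine will present.
    print("isolated cache ok:", check_initiator_principal(KLIST_USER_A, "A", "EXAMPLE.COM"))
    print(build_engine_env(os.environ.copy(), "42", "/var/run/kyuubi")["KRB5CCNAME"])
```

In a real launcher the klist text would come from running `klist` with the engine's KRB5CCNAME set, and the engine would only be started when the check passes; the point of splitting the cache path is that the server's acceptor identity and the user's initiator identity never share a file.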
