[jira] [Updated] (HBASE-30042) AuthUtil.loginClient fails when another Kerberos user is already logged in
[
https://issues.apache.org/jira/browse/HBASE-30042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Junegunn Choi updated HBASE-30042:
--
Fix Version/s: 2.7.0
(was: 4.0.0-alpha-1)
> AuthUtil.loginClient fails when another Kerberos user is already logged in
> --
>
> Key: HBASE-30042
> URL: https://issues.apache.org/jira/browse/HBASE-30042
> Project: HBase
> Issue Type: Test
> Components: test
>Reporter: JinHyuk Kim
>Assignee: JinHyuk Kim
>Priority: Minor
> Labels: pull-request-available
> Fix For: 2.7.0, 3.0.0-beta-2, 2.5.15, 2.6.6
>
>
> h1. Problem
> {{AuthUtil.loginClient(conf)}} may fail in test environments *when the JVM
> already has Kerberos credentials from a different principal* (e.g., via
> {{{}kinit{}}}).
> In this case, the method may reuse the existing login user instead of using
> the configured keytab and principal, leading to unexpected behavior.
> For example, calling {{user.getShortName()}} may throw:
> {code:java}
> Caused by: java.lang.IllegalArgumentException: Illegal principal name
> [email protected]:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to [email protected] at
> org.apache.hadoop.security.User.(User.java:51) at
> org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:225)
> ... 52 moreCaused by:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to [email protected] at
> org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
> at org.apache.hadoop.security.User.(User.java:48) ... 53 more {code}
> This typically occurs when the existing principal belongs to a different
> realm than the test configuration (e.g., MiniKdc realm), and the default
> {{auth_to_local}} rule does not apply.
> This issue is especially reproducible when running tests locally with
> existing Kerberos credentials
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (HBASE-30042) AuthUtil.loginClient fails when another Kerberos user is already logged in
[
https://issues.apache.org/jira/browse/HBASE-30042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Junegunn Choi updated HBASE-30042:
--
Fix Version/s: 4.0.0-alpha-1
3.0.0-beta-2
2.5.15
2.6.6
> AuthUtil.loginClient fails when another Kerberos user is already logged in
> --
>
> Key: HBASE-30042
> URL: https://issues.apache.org/jira/browse/HBASE-30042
> Project: HBase
> Issue Type: Test
> Components: test
>Reporter: JinHyuk Kim
>Assignee: JinHyuk Kim
>Priority: Minor
> Labels: pull-request-available
> Fix For: 4.0.0-alpha-1, 3.0.0-beta-2, 2.5.15, 2.6.6
>
>
> h1. Problem
> {{AuthUtil.loginClient(conf)}} may fail in test environments *when the JVM
> already has Kerberos credentials from a different principal* (e.g., via
> {{{}kinit{}}}).
> In this case, the method may reuse the existing login user instead of using
> the configured keytab and principal, leading to unexpected behavior.
> For example, calling {{user.getShortName()}} may throw:
> {code:java}
> Caused by: java.lang.IllegalArgumentException: Illegal principal name
> [email protected]:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to [email protected] at
> org.apache.hadoop.security.User.(User.java:51) at
> org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:225)
> ... 52 moreCaused by:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to [email protected] at
> org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
> at org.apache.hadoop.security.User.(User.java:48) ... 53 more {code}
> This typically occurs when the existing principal belongs to a different
> realm than the test configuration (e.g., MiniKdc realm), and the default
> {{auth_to_local}} rule does not apply.
> This issue is especially reproducible when running tests locally with
> existing Kerberos credentials
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (HBASE-30042) AuthUtil.loginClient fails when another Kerberos user is already logged in
[
https://issues.apache.org/jira/browse/HBASE-30042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated HBASE-30042:
---
Labels: pull-request-available (was: )
> AuthUtil.loginClient fails when another Kerberos user is already logged in
> --
>
> Key: HBASE-30042
> URL: https://issues.apache.org/jira/browse/HBASE-30042
> Project: HBase
> Issue Type: Test
> Components: test
>Reporter: JinHyuk Kim
>Assignee: JinHyuk Kim
>Priority: Minor
> Labels: pull-request-available
>
> h1. Problem
> {{AuthUtil.loginClient(conf)}} may fail in test environments *when the JVM
> already has Kerberos credentials from a different principal* (e.g., via
> {{{}kinit{}}}).
> In this case, the method may reuse the existing login user instead of using
> the configured keytab and principal, leading to unexpected behavior.
> For example, calling {{user.getShortName()}} may throw:
> {code:java}
> Caused by: java.lang.IllegalArgumentException: Illegal principal name
> [email protected]:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to [email protected] at
> org.apache.hadoop.security.User.(User.java:51) at
> org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:225)
> ... 52 moreCaused by:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to [email protected] at
> org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
> at org.apache.hadoop.security.User.(User.java:48) ... 53 more {code}
> This typically occurs when the existing principal belongs to a different
> realm than the test configuration (e.g., MiniKdc realm), and the default
> {{auth_to_local}} rule does not apply.
> This issue is especially reproducible when running tests locally with
> existing Kerberos credentials
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (HBASE-30042) AuthUtil.loginClient fails when another Kerberos user is already logged in
[
https://issues.apache.org/jira/browse/HBASE-30042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
JinHyuk Kim updated HBASE-30042:
Description:
h1. Problem
{{AuthUtil.loginClient(conf)}} may fail in test environments *when the JVM
already has Kerberos credentials from a different principal* (e.g., via
{{{}kinit{}}}).
In this case, the method may reuse the existing login user instead of using the
configured keytab and principal, leading to unexpected behavior.
For example, calling {{user.getShortName()}} may throw:
{code:java}
Caused by: java.lang.IllegalArgumentException: Illegal principal name
[email protected]:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No
rules applied to [email protected] at
org.apache.hadoop.security.User.(User.java:51)at
org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:225)
... 52 moreCaused by:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No
rules applied to [email protected] at
org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
at org.apache.hadoop.security.User.(User.java:48) ... 53 more {code}
This typically occurs when the existing principal belongs to a different realm
than the test configuration (e.g., MiniKdc realm), and the default
{{auth_to_local}} rule does not apply.
This issue is especially reproducible when running tests locally with existing
Kerberos credentials
was:
h1. Problem
{{AuthUtil.loginClient(conf)}} may fail in test environments *when the JVM
already has Kerberos credentials from a different principal* (e.g., via
{{{}kinit{}}}).
In this case, the method may reuse the existing login user instead of using the
configured keytab and principal, leading to unexpected behavior.
For example, calling {{user.getShortName()}} may throw:
{code:java}
Caused by: java.lang.IllegalArgumentException: Illegal principal name
[email protected]:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No
rules applied to [email protected] at
org.apache.hadoop.security.User.(User.java:51)at
org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:225)
... 52 moreCaused by:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No
rules applied to [email protected] at
org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
at org.apache.hadoop.security.User.(User.java:48) ... 53 more {code}
This typically occurs when the existing principal belongs to a different realm
than the test configuration (e.g., MiniKdc realm), and the default
{{auth_to_local}} rule does not apply.
> AuthUtil.loginClient fails when another Kerberos user is already logged in
> --
>
> Key: HBASE-30042
> URL: https://issues.apache.org/jira/browse/HBASE-30042
> Project: HBase
> Issue Type: Test
> Components: test
>Reporter: JinHyuk Kim
>Assignee: JinHyuk Kim
>Priority: Minor
>
> h1. Problem
> {{AuthUtil.loginClient(conf)}} may fail in test environments *when the JVM
> already has Kerberos credentials from a different principal* (e.g., via
> {{{}kinit{}}}).
> In this case, the method may reuse the existing login user instead of using
> the configured keytab and principal, leading to unexpected behavior.
> For example, calling {{user.getShortName()}} may throw:
> {code:java}
> Caused by: java.lang.IllegalArgumentException: Illegal principal name
> [email protected]:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to [email protected] at
> org.apache.hadoop.security.User.(User.java:51) at
> org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:225)
> ... 52 moreCaused by:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to [email protected] at
> org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
> at org.apache.hadoop.security.User.(User.java:48) ... 53 more {code}
> This typically occurs when the existing principal belongs to a different
> realm than the test configuration (e.g., MiniKdc realm), and the default
> {{auth_to_local}} rule does not apply.
> This issue is especially reproducible when running tests locally with
> existing Kerberos credentials
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
