[HIVE-13590] Kerberized HS2 with LDAP auth enabled fails in multi-domain LDAP case - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.1.1, 2.2.0
Component/s: Authentication, Security
Labels:
None

Description

In a kerberized HS2 with LDAP authentication enabled, LDAP user usually logs in using username in form of username@domain in LDAP multi-domain case. But it fails if the domain was not in the Hadoop auth_to_local mapping rule, the error is as following:

Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to ctang@mydomain.com
at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
at org.apache.hadoop.security.User.<init>(User.java:48)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HIVE-13590.1.patch
17/Jun/16 13:33
11 kB
Chaoyu Tang
HIVE-13590.1.patch
16/Jun/16 21:24
11 kB
Chaoyu Tang
HIVE-13590.patch
16/Jun/16 15:25
12 kB
Chaoyu Tang
HIVE-13590.patch
16/Jun/16 02:19
12 kB
Chaoyu Tang

Issue Links

is broken by

HIVE-12981 ThriftCLIService uses incompatible getShortName() implementation

Closed

HIVE-13401 Kerberized HS2 with LDAP auth enabled fails kerberos/delegation token authentication

Closed

is related to

HIVE-15174 Respect auth_to_local rules from hdfs configs (core-site.xml) for LDAP authentication too

Open

Activity

People

Assignee:: Chaoyu Tang

Reporter:: Chaoyu Tang

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 22/Apr/16 03:03

Updated:: 08/Dec/16 14:39

Resolved:: 21/Jun/16 00:44