[IMPALA-956] RequestPoolService should use short username of principal - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: Impala 1.3
Fix Version/s: Impala 1.3.1
Component/s: None
Labels:
None

Description

We should be using the short name of a Kerberos principal (e.g. user/fully.qualified.domain@realm.com) or LDAP username (e.g. user@domain) when checking group membership in RequestPoolService. Right now we call UserGroupInformation.createRemoteUser() with the full user name and it will throw an exception.

A code fix is preferable, but a workaround is to specify hadoop.security.auth_to_local rules in the core-site.xml, e.g.:

<property> 
<name>hadoop.security.auth_to_local</name> 
<value> 
RULE:[1:$1] 
DEFAULT 
</value> 
</property>

Attachments

Activity

People

Assignee:: Matthew Jacobs

Reporter:: Matthew Jacobs

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 18/Apr/14 23:55

Updated:: 22/Apr/14 21:01

Resolved:: 22/Apr/14 21:01