Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
Impala 1.3
-
None
-
None
Description
We should be using the short name of a Kerberos principal (e.g. user/fully.qualified.domain@realm.com) or LDAP username (e.g. user@domain) when checking group membership in RequestPoolService. Right now we call UserGroupInformation.createRemoteUser() with the full user name and it will throw an exception.
A code fix is preferable, but a workaround is to specify hadoop.security.auth_to_local rules in the core-site.xml, e.g.:
<property> <name>hadoop.security.auth_to_local</name> <value> RULE:[1:$1] DEFAULT </value> </property>