[PHOENIX-6908] KerberosName$NoMatchingRule exception in QueryServer.PhoenixRemoteUserExtractor - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: queryserver-6.0.1
Fix Version/s: queryserver-6.0.1
Component/s: queryserver
Labels:
None

Description

This seems to be the same issue that richardantal solved for the normal path in ~~PHOENIX-6750~~.

I am not totally convinced that Jetty stripping the realm is not a bug, but for now we can apply the same logic to strip the hostname as we do in the non-doAs path.

java.lang.IllegalArgumentException: Illegal principal name knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work
	at org.apache.hadoop.security.User.<init>(User.java:51)
	at org.apache.hadoop.security.User.<init>(User.java:43)
	at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1418)
	at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1402)
	at org.apache.phoenix.queryserver.server.QueryServer$PhoenixRemoteUserExtractor.extract(QueryServer.java:554)
	at org.apache.calcite.avatica.server.AvaticaProtobufHandler.handle(AvaticaProtobufHandler.java:124)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:560)
...

Attachments

Issue Links

is caused by

PHOENIX-6750 Bump Avatica version to 1.21.0 in queryserver

Resolved

relates to

PHOENIX-6913 Follow up on Jetty/Hadoop kerberos principal hostname/realm issues

Open

links to

GitHub Pull Request #123

Activity

People

Assignee:: Istvan Toth

Reporter:: Istvan Toth

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 14/Mar/23 18:41

Updated:: 18/Mar/23 17:19

Resolved:: 18/Mar/23 17:19