You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@phoenix.apache.org by "Istvan Toth (Jira)" <ji...@apache.org> on 2023/03/14 18:42:00 UTC

[jira] [Created] (PHOENIX-6908) KerberosName$NoMatchingRule exception in QueryServer.PhoenixRemoteUserExtractor

Istvan Toth created PHOENIX-6908:
------------------------------------

             Summary: KerberosName$NoMatchingRule exception in QueryServer.PhoenixRemoteUserExtractor
                 Key: PHOENIX-6908
                 URL: https://issues.apache.org/jira/browse/PHOENIX-6908
             Project: Phoenix
          Issue Type: Bug
            Reporter: Istvan Toth
            Assignee: Istvan Toth


This seems to be the same issue that [~richardantal] solved for the normal path in PHOENIX-6750.

I am not totally convinced that Jetty stripping the realm is not a bug, but for now we can apply the same logic to strip the hostname as we do in the non-doAs path.
java.lang.IllegalArgumentException: Illegal principal name knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to knox/cod--xunuzpwiiog4-gateway0.rt174-na.ummd-fsio.int.cldr.work
	at org.apache.hadoop.security.User.<init>(User.java:51)
	at org.apache.hadoop.security.User.<init>(User.java:43)
	at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1418)
	at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1402)
	at org.apache.phoenix.queryserver.server.QueryServer$PhoenixRemoteUserExtractor.extract(QueryServer.java:554)
	at org.apache.calcite.avatica.server.AvaticaProtobufHandler.handle(AvaticaProtobufHandler.java:124)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:560)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)