I think that folks have success with the Hadoop Group Lookup Provider.
Since most deployments that I talk to are leveraging something like SSSD or
Centrify to sync to OS accounts, the Hadoop Group Lookup works well and is
generally aligned with what is being done in the rest of the cluster.

This alignment is important when it comes down to troubleshooting things
like this.
That is all assuming that you need to do group lookup for authorization
checks at the gateway.

If you don't need authorization then you don't need group lookup and you
can stick with the default.

On Wed, Dec 20, 2017 at 2:45 PM, Rick Kellogg <[email protected]> wrote:

> Larry,
>
> Thanks for the tip.  I was sort of reaching the same conclusion as well.
>
> Should I be using the default identity-assertion or something else like
> Hadoop Group Lookup Provider?  I know it depends but what have you had
> success with in the past when using Kerberos.
>
> I will file a JIRA ticket on this as well.
>
> Thanks,
> Rick Kellogg
>
> -----Original Message-----
> From: larry mccay [mailto:[email protected]]
> Sent: Wednesday, December 20, 2017 2:27 PM
> To: [email protected]
> Cc: Kellogg, Richard M. (CIV) <[email protected]>
> Subject: Re: Kerberos - SubjectUtils
>
> I think that a fix to more gracefully handle this situation and help
> diagnose the issue is definitely warranted.
> The Subject should not be null at all though - so that is your underlying
> issue.
>
> I think a null check and maybe an ERROR level log message that there seems
> to be something wrong with authentication resulting in a null Subject at
> identity assertion time.
>
> In terms of behavior changes, perhaps an IllegalStateException makes sense.
> My inclination is to think this is a dev time or test env issue where this
> would probably work.
> Throw an IllegalStateException with a message indicating that the Subject
> should have been established from authentication/federation and has not.
>
> Thank you for reporting it.
> Please file a JIRA and attach a patch for the fix.
>
>
> On Wed, Dec 20, 2017 at 12:18 PM, Rick Kellogg <[email protected]>
> wrote:
>
> > Greetings,
> >
> > While debugging my Kerberos woes, I think I have identified an issue.
> > I have enabled the default identity-assertion provider which uses
> > CommonIdentityAssertionFilter.  Within the doFilter method this
> > evaluates the Subject:
> >
> > Subject subject = Subject.getSubject(AccessController.getContext());
> >
> > In my case, the subject is null and the subsequent call to determine the
> > principalName causes a NullPointerException.
> >
> > Can/should we add a check for null after the line above?  I just don't
> > know the correct behavior. Do we throw another exception or simply set
> > mappedPrincipalName and groups to null?
> >
> > Thoughts?
> > Rick Kellogg
> >
> >
> >
> >
> >
>
>
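
The null check discussed in the thread above, as an added example that is not part of the original messages and is not Knox source code. The class name, the `requireSubject` and `principalName` helpers, the sample principal, and the use of `java.util.logging` are assumptions for illustration; it assumes JDK 8 to 17, where `Subject.getSubject(AccessController.getContext())` is still supported.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.logging.Logger;
import javax.security.auth.Subject;

// Added illustration, not Knox source. Assumes JDK 8-17.
public class SubjectGuardDemo {
    private static final Logger LOG = Logger.getLogger("SubjectGuardDemo");

    // Hypothetical helper: return the Subject bound to the current access
    // control context, or fail loudly if authentication never set one.
    static Subject requireSubject() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            String msg = "No Subject at identity assertion time; it should have been "
                    + "established by authentication/federation and has not.";
            LOG.severe(msg);                      // ERROR-level diagnostic
            throw new IllegalStateException(msg); // fail closed, no null identity
        }
        return subject;
    }

    // Name of the first principal; stands in for the filter's principal lookup.
    static String principalName(Subject subject) {
        for (Principal p : subject.getPrincipals()) {
            return p.getName();
        }
        throw new IllegalStateException("Subject carries no principals");
    }

    public static void main(String[] args) {
        // Case 1: nothing upstream ran Subject.doAs, so the lookup yields null.
        try {
            requireSubject();
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Case 2: an authentication step bound a Subject (constructed sample principal).
        Subject authenticated = new Subject();
        authenticated.getPrincipals().add(() -> "alice@EXAMPLE.COM");
        String name = Subject.doAs(authenticated,
                (PrivilegedAction<String>) () -> principalName(requireSubject()));
        System.out.println("asserted principal: " + name);
    }
}
```

Throwing rather than continuing with a null principal and null groups keeps the request from proceeding without an asserted identity, and the log line points at the authentication or federation provider as the place to look.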
