JinHyuk Kim created HBASE-30042:
-----------------------------------

             Summary: AuthUtil.loginClient fails when another Kerberos user is already logged in
                 Key: HBASE-30042
                 URL: https://issues.apache.org/jira/browse/HBASE-30042
             Project: HBase
          Issue Type: Test
          Components: test
            Reporter: JinHyuk Kim
            Assignee: JinHyuk Kim


h1. Problem

{{AuthUtil.loginClient(conf)}} may fail in test environments *when the JVM 
already has Kerberos credentials from a different principal* (e.g., via 
{{kinit}}).

In this case, the method may reuse the existing login user instead of using the 
configured keytab and principal, leading to unexpected behavior.

For example, calling {{user.getShortName()}} may throw:
{code:java}
Caused by: java.lang.IllegalArgumentException: Illegal principal name [email protected]: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to [email protected]
    at org.apache.hadoop.security.User.<init>(User.java:51)
    at org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:225)
    ... 52 more
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to [email protected]
    at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
    at org.apache.hadoop.security.User.<init>(User.java:48)
    ... 53 more
{code}
This typically occurs when the existing principal belongs to a different realm 
than the test configuration (e.g., MiniKdc realm), and the default 
{{auth_to_local}} rule does not apply.

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
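
The rule evaluation behind the {{No rules applied to}} error above, as an added Python model (not code from this issue, HBase or Hadoop): a simplified re-implementation of {{auth_to_local}} short-name mapping that shows why {{DEFAULT}} alone rejects a principal from another realm. The realms, principals and names used here are constructed for illustration, and only {{DEFAULT}} and the basic {{RULE:[n:format](regex)s/from/to/}} forms are modelled.

```python
import re

class NoMatchingRule(Exception):
    """Stand-in for KerberosName$NoMatchingRule seen in the stack trace."""

# RULE:[n:format](match)s/from/to/ with optional trailing g; other flags are not modelled.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def apply_rule(rule, comps, realm, default_realm):
    """Return the short name if the rule applies to the principal, else None."""
    if rule == "DEFAULT":
        # DEFAULT only maps principals whose realm equals the default realm.
        return comps[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    n, fmt, match, src, dst, repeat = m.groups()
    if int(n) != len(comps):
        return None                      # rule is for a different component count
    params = [realm or ""] + comps       # $0 = realm, $1.. = name components
    base = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], fmt)
    if match is not None and not re.fullmatch(match, base):
        return None
    if src is None:
        return base
    return re.sub(src, dst, base, count=0 if repeat else 1)

def short_name(principal, rules, default_realm):
    """Map 'primary[/instance]@REALM' to a short name, first matching rule wins."""
    body, _, realm = principal.partition("@")
    comps = body.split("/")
    if not realm and len(comps) == 1:
        return comps[0]                  # bare name needs no mapping
    for rule in rules:
        result = apply_rule(rule, comps, realm, default_realm)
        if result is not None:
            return result
    raise NoMatchingRule(f"No rules applied to {principal}")

if __name__ == "__main__":
    # Constructed values: a test realm and a kinit'd principal from another realm.
    test_realm = "EXAMPLE.COM"
    print(short_name("hbase/localhost@EXAMPLE.COM", ["DEFAULT"], test_realm))
    try:
        short_name("alice@CORP.EXAMPLE", ["DEFAULT"], test_realm)
    except NoMatchingRule as e:
        print("NoMatchingRule:", e)
```

In this model a principal from the non-default realm maps only once a rule that covers its realm precedes {{DEFAULT}}.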
