[ https://issues.apache.org/jira/browse/SPARK-39396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17550772#comment-17550772 ]

weiliang hao commented on SPARK-39396:
--------------------------------------

When a user with DN (cn=user, ou=people, dc=example, dc=com) logs in, it will fail because the DN generated in the class org.apache.hive.service.auth.LdapAuthenticationProviderImpl#Authenticate() is (uid=user, ou=people, dc=example, dc=com).

> Spark Thriftserver enabled LDAP, Error using beeline connection: error code 49 - invalid credentials
> ---------------------------------------------------------------------------------------------------
>
>                 Key: SPARK-39396
>                 URL: https://issues.apache.org/jira/browse/SPARK-39396
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 2.4.8
>            Reporter: weiliang hao
>            Priority: Major
>
> Spark Thriftserver has LDAP enabled, and reports an error when logging in with an LDAP user through a beeline connection:
> {code:java}
> 22/06/06 17:45:29 ERROR transport.TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]]
>     at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
>     at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
>     at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]
>     at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:77)
>     at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
>     at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:102)
>     ... 8 more
> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
>     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
>     at javax.naming.InitialContext.init(InitialContext.java:244)
>     at javax.naming.InitialContext.<init>(InitialContext.java:216)
>     at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
>     at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:74)
>     ... 10 more
> 22/06/06 17:45:29 ERROR server.TThreadPoolServer: Error occurred during processing of message.
> java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Error validating the login
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: org.apache.thrift.transport.TTransportException: Error validating the login
>     at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
>     at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
>     at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
>     at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
>     ... 4 more
> {code}
> hive-site.xml:
> {code:java}
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
> <configuration>
>   <property>
>     <name>hive.metastore.uris</name>
>     <value>thrift://metastore_uri:9083</value>
>     <description>Thrift URI for the remote metastore. Used by metastore client to connect to remote metastore.</description>
>   </property>
>   <property>
>     <name>hive.cluster.delegation.token.store.class</name>
>     <value>org.apache.hadoop.hive.thrift.MemoryTokenStore</value>
>     <description>Hive defaults to MemoryTokenStore, or ZooKeeperTokenStore</description>
>   </property>
>   <property>
>     <name>hive.metastore.warehouse.dir</name>
>     <value>/dtInsight/hive/warehouse</value>
>   </property>
>   <property>
>     <name>hive.exec.scratchdir</name>
>     <value>/dtInsight/hive/warehouse</value>
>   </property>
>   <property>
>     <name>hive.server2.thrift.port</name>
>     <value>10008</value>
>   </property>
>   <!-- hive enabled ldap -->
>   <property>
>     <name>hive.server2.authentication</name>
>     <value>LDAP</value>
>   </property>
>   <property>
>     <name>hive.server2.authentication.ldap.baseDN</name>
>     <value>ou=People,dc=dtstack,dc=com</value>
>   </property>
>   <property>
>     <name>hive.server2.authentication.ldap.url</name>
>     <value>ldap://ldap_ip:389</value>
>   </property>
>   <property>
>     <name>hive.server2.authentication.ldap.userDNPattern</name>
>     <value>uid=%s,ou=People,dc=dtstack,dc=com:cn=%s,ou=People,dc=dtstack,dc=com</value>
>   </property>
> </configuration>
> {code}

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
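The mismatch described in the comment (a bind DN built as uid=<user>,<baseDN> while the configured hive.server2.authentication.ldap.userDNPattern also lists a cn=%s pattern) can be reproduced without an LDAP server. The following is an added illustration written for this page, not Spark or Hive code: the directory and the simple bind are simulated in memory, authenticate_fixed_uid mirrors the DN construction the comment describes, and authenticate_with_patterns is a hypothetical resolver that expands the colon-separated pattern list and tries each candidate DN in turn. Names, sample entries and passwords are all constructed.

```python
"""Added illustration (not Spark/Hive code): expanding a colon-separated
hive.server2.authentication.ldap.userDNPattern into candidate bind DNs, and
why a single fixed uid=... bind DN fails for a user whose entry is keyed by cn.
The directory and the bind are simulated; a real provider would perform an
LDAP simple bind and get result code 49 (invalidCredentials) on failure."""

from typing import Callable, Dict, List, Optional

# Constructed sample directory (DN -> password) standing in for the LDAP server.
FAKE_DIRECTORY: Dict[str, str] = {
    "uid=alice,ou=People,dc=example,dc=com": "alice-secret",
    "cn=bob,ou=People,dc=example,dc=com": "bob-secret",
}

# Characters RFC 4514 requires escaping inside an RDN value; a login name that
# contains them could splice extra RDNs into the bind DN, so it is rejected.
DN_SPECIALS = set(',+"\\<>;=')


def simple_bind(dn: str, password: str) -> bool:
    """Simulated LDAP simple bind: success only if the DN exists and the password matches."""
    return FAKE_DIRECTORY.get(dn) == password


def expand_user_dn_patterns(pattern_config: str, user: str) -> List[str]:
    """Split the userDNPattern value on ':' (the separator used in the report's
    hive-site.xml) and substitute the login name for every '%s'."""
    candidates = []
    for pattern in pattern_config.split(":"):
        pattern = pattern.strip()
        if pattern and "%s" in pattern:
            candidates.append(pattern.replace("%s", user))
    return candidates


def _login_is_safe(user: str, password: str) -> bool:
    # An empty password turns a simple bind into an unauthenticated bind, which
    # many servers accept, so it must be refused before contacting the server.
    if not password:
        return False
    return bool(user) and not (set(user) & DN_SPECIALS)


def authenticate_fixed_uid(user: str, password: str, base_dn: str,
                           bind: Callable[[str, str], bool] = simple_bind) -> Optional[str]:
    """Behaviour the comment describes: the bind DN is always uid=<user>,<baseDN>,
    so an entry keyed by cn is never tried. Returns the DN that bound, else None."""
    if not _login_is_safe(user, password):
        return None
    dn = f"uid={user},{base_dn}"
    return dn if bind(dn, password) else None


def authenticate_with_patterns(user: str, password: str, pattern_config: str,
                               bind: Callable[[str, str], bool] = simple_bind) -> Optional[str]:
    """Hypothetical resolver: try each configured DN pattern in order and return
    the first DN that binds, or None when none of them does."""
    if not _login_is_safe(user, password):
        return None
    for dn in expand_user_dn_patterns(pattern_config, user):
        if bind(dn, password):
            return dn
    return None


if __name__ == "__main__":
    base = "ou=People,dc=example,dc=com"
    patterns = f"uid=%s,{base}:cn=%s,{base}"
    for name, pw in (("alice", "alice-secret"), ("bob", "bob-secret")):
        print(name, "fixed uid ->", authenticate_fixed_uid(name, pw, base))
        print(name, "patterns  ->", authenticate_with_patterns(name, pw, patterns))
```

With the constructed directory, alice binds under either strategy, while bob (a cn-keyed entry, like the DN in the comment) binds only when the second pattern is consulted; a wrong password, an empty password, or a login name carrying DN metacharacters binds under neither.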