[ https://issues.apache.org/jira/browse/SPARK-42947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jiayi Liu updated SPARK-42947:
------------------------------
    Description: 
When the LDAP provider includes domain configuration, such as Active Directory, 
the principal should not be constructed according to the DN pattern; instead, the 
user containing the domain should be passed directly to the LDAP provider as 
the principal. We can refer to the implementation of Hive LdapUtils.

When the username contains a domain, or the domain is passed from the 
hive.server2.authentication.ldap.Domain configuration, if we construct the 
principal according to the DN pattern (for example, 
uid=user@domain,dc=test,dc=com), we get the following error:
```
23/03/28 11:01:48 ERROR TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login
        at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:108) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
        at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:537) ~[libthrift-0.12.0.jar:0.12.0]
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283) ~[libthrift-0.12.0.jar:0.12.0]
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:43) ~[libthrift-0.12.0.jar:0.12.0]
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:223) ~[libthrift-0.12.0.jar:0.12.0]
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:293) ~[libthrift-0.12.0.jar:0.12.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_352]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_352]
        at java.lang.Thread.run(Thread.java:750) ~[?:1.8.0_352]
Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:76) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
        at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:105) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
        at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:101) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
        ... 8 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3261) ~[?:1.8.0_352]
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207) ~[?:1.8.0_352]
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2993) ~[?:1.8.0_352]
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2907) ~[?:1.8.0_352]
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347) ~[?:1.8.0_352]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229) ~[?:1.8.0_352]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) ~[?:1.8.0_352]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247) ~[?:1.8.0_352]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[?:1.8.0_352]
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[?:1.8.0_352]
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695) ~[?:1.8.0_352]
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_352]
        at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_352]
        at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[?:1.8.0_352]
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[?:1.8.0_352]
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:73) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
        at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:105) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
        at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:101) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
        ... 8 more
```

We should pass user@domain directly to the LDAP provider, just like HiveServer 
did.

  was:When the LDAP provider includes domain configuration, such as Active 
Directory, the principal should not be constructed according to the DN pattern, 
but the user containing the domain should be directly passed to the LDAP 
provider as the principal. We can refer to the implementation of Hive LdapUtils.


> Spark Thriftserver LDAP should not use DN pattern if user contains domain
> -------------------------------------------------------------------------
>
>                 Key: SPARK-42947
>                 URL: https://issues.apache.org/jira/browse/SPARK-42947
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 3.4.0
>            Reporter: Jiayi Liu
>            Priority: Major
>


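As an added example (not Spark's or Hive's code), the principal-selection rule the issue describes, written as a standalone Java helper: a login name that already carries a domain, or a domain supplied through hive.server2.authentication.ldap.Domain, is bound as user@domain, and only a bare user name is expanded through the DN pattern, with the value escaped so that a name containing ',' or '=' cannot alter the DN structure. The class and method names, the '@' test for "contains a domain", and the `%s` placeholder in the DN pattern are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical helper (not Spark's or Hive's code) that picks the LDAP bind principal
 * for a Thrift server login. The order of the three branches is the point of the issue:
 * a name with a domain must reach the provider untouched, not wrapped in a DN pattern.
 */
public final class LdapBindPrincipal {

    private LdapBindPrincipal() {}

    /** Assumption for this example: a login name carries a domain when it has '@' after the first character. */
    public static boolean hasDomain(String user) {
        return user != null && user.indexOf('@') > 0;
    }

    /**
     * Returns the bind principals to try, in order.
     *
     * @param user             login name as received from the SASL PLAIN exchange
     * @param configuredDomain value of hive.server2.authentication.ldap.Domain, or null/empty if unset
     * @param dnPatterns       patterns with a %s placeholder, e.g. "uid=%s,dc=test,dc=com" (the DN from the issue)
     */
    public static List<String> candidates(String user, String configuredDomain, List<String> dnPatterns) {
        if (user == null || user.isEmpty()) {
            throw new IllegalArgumentException("empty user name");
        }
        // 1. The name already has a domain: pass it through as-is. Wrapping it in a DN pattern
        //    produces uid=user@domain,dc=... which the directory rejects (error code 49 in the issue).
        if (hasDomain(user)) {
            return Collections.singletonList(user);
        }
        // 2. The domain comes from configuration: bind as user@domain, as HiveServer does.
        if (configuredDomain != null && !configuredDomain.isEmpty()) {
            return Collections.singletonList(user + "@" + configuredDomain);
        }
        // 3. A bare user name: expand every DN pattern, escaping the value per RFC 4514
        //    so untrusted input cannot inject extra RDN components.
        List<String> out = new ArrayList<>();
        String escaped = escapeRdnValue(user);
        for (String pattern : dnPatterns) {
            out.add(pattern.replace("%s", escaped));
        }
        return out;
    }

    /** Escapes the characters RFC 4514 section 2.4 requires to be escaped inside an attribute value. */
    static String escapeRdnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean special = c == ',' || c == '+' || c == '"' || c == '\\' || c == '<' || c == '>' || c == ';'
                    || (c == '#' && i == 0)
                    || (c == ' ' && (i == 0 || i == value.length() - 1));
            if (special) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        List<String> patterns = Collections.singletonList("uid=%s,dc=test,dc=com");
        // constructed inputs: name with a domain, bare name plus configured domain,
        // bare name with no domain, and a bare name that needs DN escaping
        System.out.println(candidates("user@domain", null, patterns));
        System.out.println(candidates("user", "domain", patterns));
        System.out.println(candidates("user", null, patterns));
        System.out.println(candidates("us,er", null, patterns));
    }
}
```

Only the third branch ever builds a DN, so escaping is applied exactly where untrusted text is spliced into a DN string; the first two branches hand the directory a principal it can resolve itself, which is what the issue asks the Spark Thrift server to do.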

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
