[ https://issues.apache.org/jira/browse/SPARK-42947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17755180#comment-17755180 ]

Ignite TC Bot commented on SPARK-42947:
---------------------------------------

User 'liujiayi771' has created a pull request for this issue:
https://github.com/apache/spark/pull/40577

> Spark Thriftserver LDAP should not use DN pattern if user contains domain
> -------------------------------------------------------------------------
>
>                 Key: SPARK-42947
>                 URL: https://issues.apache.org/jira/browse/SPARK-42947
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 3.4.0
>            Reporter: Jiayi Liu
>            Priority: Major
>
> When the LDAP provider has a domain configuration, such as Active Directory, the principal should not be constructed according to the DN pattern; instead, the username containing the domain should be passed directly to the LDAP provider as the principal. We can refer to the implementation of Hive LdapUtils.
> When the username contains a domain, or a domain is passed from the hive.server2.authentication.ldap.Domain configuration, constructing the principal according to the DN pattern (for example, uid=user@domain,dc=test,dc=com) produces the following error:
> {code:java}
> 23/03/28 11:01:48 ERROR TSaslTransport: SASL negotiation failure
> javax.security.sasl.SaslException: Error validating the login
> 	at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:108) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> 	at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:537) ~[libthrift-0.12.0.jar:0.12.0]
> 	at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283) ~[libthrift-0.12.0.jar:0.12.0]
> 	at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:43) ~[libthrift-0.12.0.jar:0.12.0]
> 	at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:223) ~[libthrift-0.12.0.jar:0.12.0]
> 	at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:293) ~[libthrift-0.12.0.jar:0.12.0]
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_352]
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_352]
> 	at java.lang.Thread.run(Thread.java:750) ~[?:1.8.0_352]
> Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user
> 	at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:76) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> 	at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:105) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> 	at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:101) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> 	... 8 more
> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580]
> 	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3261) ~[?:1.8.0_352]
> 	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207) ~[?:1.8.0_352]
> 	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2993) ~[?:1.8.0_352]
> 	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2907) ~[?:1.8.0_352]
> 	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347) ~[?:1.8.0_352]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229) ~[?:1.8.0_352]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) ~[?:1.8.0_352]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247) ~[?:1.8.0_352]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[?:1.8.0_352]
> 	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[?:1.8.0_352]
> 	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695) ~[?:1.8.0_352]
> 	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_352]
> 	at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_352]
> 	at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[?:1.8.0_352]
> 	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[?:1.8.0_352]
> 	at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:73) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> 	at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:105) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> 	at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:101) ~[spark-hive-thriftserver_2.12-3.3.1.jar:3.3.1]
> 	... 8 more
> {code}
> We should pass user@domain directly to the LDAP provider, just like HiveServer does.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
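The principal-selection rule the issue describes, as an added example that is neither Spark's nor Hive's code: a name that already carries a domain, or a bare name combined with the configured hive.server2.authentication.ldap.Domain, goes to the LDAP provider unchanged, and only a bare name with no domain anywhere is expanded through the DN pattern. The class and method names and the sample inputs are assumptions.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class, not from Spark or Hive). Shows which bind
// principal to hand to the LDAP provider for a given SASL PLAIN user name.
public final class LdapPrincipalResolver {

    /** True for "alice@corp.example" style names; '@' must not be first or last. */
    static boolean hasDomain(String user) {
        int at = user.indexOf('@');
        return at > 0 && at < user.length() - 1;
    }

    /**
     * @param user       name received from the SASL PLAIN client
     * @param ldapDomain value of hive.server2.authentication.ldap.Domain, or null if unset
     * @param dnPatterns user DN patterns such as "uid=%s,dc=test,dc=com" (may be empty)
     * @return the principal(s) to try, in order
     */
    static List<String> candidatePrincipals(String user, String ldapDomain, List<String> dnPatterns) {
        if (hasDomain(user)) {
            // AD-style name: never wrap it as "uid=user@domain,dc=..." (the failing case in the issue)
            return Collections.singletonList(user);
        }
        if (ldapDomain != null && !ldapDomain.isEmpty()) {
            // Domain comes from configuration: append it and skip the DN pattern as well
            return Collections.singletonList(user + "@" + ldapDomain);
        }
        if (dnPatterns.isEmpty()) {
            return Collections.singletonList(user);
        }
        // Only a bare name with no domain anywhere is expanded through the DN pattern(s)
        List<String> out = new ArrayList<>();
        for (String pattern : dnPatterns) {
            out.add(pattern.replace("%s", user));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed inputs: domain in the name, domain from config, bare name alone
        List<String> patterns = Collections.singletonList("uid=%s,dc=test,dc=com");
        System.out.println(candidatePrincipals("alice@corp.example", null, patterns));
        System.out.println(candidatePrincipals("alice", "corp.example", patterns));
        System.out.println(candidatePrincipals("alice", null, patterns));
    }
}
```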