I need to authenticate two different HDFS clusters with different realms. But only one works fine; when I instantiate another UGI object it gives the error

    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromKeytab(principal, keytabPath);

It works fine when I have a single Service Principal Name.

But when I have multiple SPNs with different realms it gives an error.

My User 1 and User 2 belong to different realms:

    SPN1 - "hdfs/user1@ALICE.ABC.COM"
    SPN2 - "hdfs/user2@BOB.ABC.COM"

    Caused by: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied

But the DEFAULT rule is there in both cases.

I also heard about using multiple UGIs in this document: https://bryanbende.com/development/2016/03/20/learning-kerberos-and-ugi

Using Multiple UGI

    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);

But it also gives the same error. How do I achieve this?

UDIT JOSHI
  • `UserGroupInformation.loginUserFromKeytab()` acts on the **static, unique** UGI that is sufficient in 95% of all cases. If you need to manage multiple Kerberos creds then you should note that `loginUserFromKeytabAndReturnUGI()` clearly _**returns an UGI object**_ that you have to manage yourself with `doAs`, cf. https://stackoverflow.com/questions/44815135/will-the-hbase-kerberos-token-expired – Samson Scharfrichter Jan 29 '20 at 23:16
  • But your problem seems to be about using custom Kerberos-principal-to-Hadoop-user rules, to handle cross-realm authentication. Or maybe not. Please explain the context clearly, with examples of user principals, service principals, mapping rules, etc. – Samson Scharfrichter Jan 29 '20 at 23:20
  • Note also that the `DEFAULT` rule applies only to UPN / SPN in the same realm as the Hadoop cluster. Which is not the case for you, apparently. – Samson Scharfrichter Jan 29 '20 at 23:23
  • @SamsonScharfrichter Yes, I need to authenticate my service with different realms, but UserGroupInformation.loginUserFromKeytab() allows rules for 1 realm only. I also tried to reset the UGI object and then change the configuration, but it doesn't work for me. – UDIT JOSHI Jan 30 '20 at 04:58
  • Honestly, your problem makes no sense. Your cluster _as a whole_ can belong to just one realm. But then, individual users from other realms can connect -- it simply requires "trust" (and some client-side configuration) between realms. In other words, cross-realm auth implies (a) the Kerberos back-ends and (b) the client. Not the Hadoop services. – Samson Scharfrichter Jan 30 '20 at 08:15
  • And please stop using the word "user" when it is actually a "service" (with a SPN i.e. Service Principal Name `svc_code/host.fqdn^@REALM`) – Samson Scharfrichter Jan 30 '20 at 08:17
  • Also, Kerberos does **not** work with IP addresses, only with canonical DNS names (i.e. the name matches the IP and the IP matches exactly that name). For obvious security reasons. There are config tweaks to change that but the Hadoop libs don't work well then. – Samson Scharfrichter Jan 30 '20 at 08:19
  • Can we build cross-realm trust between both realms in the same Java programme, so that both configurations work well in the same JVM instance? – UDIT JOSHI Jan 30 '20 at 09:26
  • Without changing the Kerberos backend? – UDIT JOSHI Jan 30 '20 at 09:46
  • You need trust between back-ends (one-way at least so that the cluster-side KDC accepts to create service tickets from a TGT created by client-side KDC) **plus** client config to get the `capath` between their own KDC and the cluster-side KDC. Maybe _BOB.ABC.COM_ > _ABC.COM_ > _ALICE.ABC.COM_ (implicit hierarchy traversal) – Samson Scharfrichter Jan 30 '20 at 16:07
  • In short, what you want to do will require high-level expertise from your AD / LDAP admins and from Hadoop experts, plus days (or even weeks) of debugging. Google for `cross realm trust site:cloudera.com` to get a highly simplified overview. – Samson Scharfrichter Jan 30 '20 at 16:16
  • I resolved it with JAAS; it can refresh the config. I have another issue with that: https://stackoverflow.com/questions/60147996/accesscontrolexception-simple-authentication-is-not-enabled-when-list-hadoop-co – UDIT JOSHI Feb 10 '20 at 10:11
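As an added example (not the asker's code or Hadoop's own), the client-side pieces the comments point at: explicit `hadoop.security.auth_to_local` rules so principals from both realms map to a local user, and separate UGIs from `loginUserFromKeytabAndReturnUGI` driven through `doAs`. Keytab paths, NameNode hostnames and the choice of local user "hdfs" are assumptions; the KDC-side cross-realm trust and krb5.conf capaths described in the comments are still required for the service tickets to be accepted.

```java
import java.io.IOException;
import java.net.URI;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;

public class TwoRealmClient {
    // Service principals from the question; keytab paths and NameNode URIs are placeholders.
    static final String SPN1 = "hdfs/user1@ALICE.ABC.COM";
    static final String SPN2 = "hdfs/user2@BOB.ABC.COM";
    // DEFAULT only matches the JVM's default realm, so each extra realm needs a RULE.
    // [2:$1@$0] rewrites hdfs/user1@ALICE.ABC.COM as hdfs@ALICE.ABC.COM, the regex limits
    // the rule to that realm, and s/@.*// strips the realm, leaving the local user "hdfs".
    static final String AUTH_TO_LOCAL =
          "RULE:[2:$1@$0](.*@ALICE\\.ABC\\.COM)s/@.*//\n"
        + "RULE:[2:$1@$0](.*@BOB\\.ABC\\.COM)s/@.*//\n"
        + "DEFAULT";

    // Exercise the mapping alone (no KDC needed). With rules = "DEFAULT" and a principal
    // outside the default realm this throws KerberosName$NoMatchingRule: No rules applied.
    static String shortName(String rules, String principal) throws IOException {
        KerberosName.setRules(rules);
        return new KerberosName(principal).getShortName();
    }
    // Run a client call as the given UGI; each UGI carries its own Kerberos credentials.
    static int countRootEntries(UserGroupInformation ugi, Configuration conf, String nameNode) throws Exception {
        return ugi.doAs((PrivilegedExceptionAction<Integer>) () -> {
            try (FileSystem fs = FileSystem.newInstance(URI.create(nameNode), conf)) {
                return fs.listStatus(new Path("/")).length;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        System.out.println(shortName(AUTH_TO_LOCAL, SPN1) + " " + shortName(AUTH_TO_LOCAL, SPN2));
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hadoop.security.auth_to_local", AUTH_TO_LOCAL);
        UserGroupInformation.setConfiguration(conf); // also installs the auth_to_local rules
        // ...AndReturnUGI yields separate UGIs instead of replacing the static login user.
        UserGroupInformation ugi1 = UserGroupInformation.loginUserFromKeytabAndReturnUGI(SPN1, "/etc/security/keytabs/user1.keytab");
        UserGroupInformation ugi2 = UserGroupInformation.loginUserFromKeytabAndReturnUGI(SPN2, "/etc/security/keytabs/user2.keytab");
        System.out.println(countRootEntries(ugi1, conf, "hdfs://nn-alice.abc.com:8020"));
        System.out.println(countRootEntries(ugi2, conf, "hdfs://nn-bob.abc.com:8020"));
    }
}
```

Because `UserGroupInformation.setConfiguration` is static, the rule set is JVM-wide: put the rules for every realm into one configuration rather than swapping configurations between logins.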
