Enable Kerberos. The _HOST part in the SPN HTTP/_HOST account was not replaced with the actual hostname, resulting in an authentication error
Version
0.9.0
Describe what's wrong
I have integrated the gravitino 0.9.0 version into ambari 2.7.8. My cluster has enabled Kerberos authentication. My service's kerberos.json configuration is:

    {
      "services": [
        {
          "name": "GRAVITINO",
          "identities": [
            {
              "name": "gravitino_smokeuser",
              "reference": "/smokeuser"
            },
            {
              "name": "gravitino_user",
              "principal": {
                "value": "HTTP/_HOST@${realm}",
                "type": "user",
                "local_username": "${gravitino-env/gravitino_user}",
                "configuration": "gravitino-conf/gravitino.authenticator.kerberos.principal"
              },
              "keytab": {
                "file": "${keytab_dir}/spnego.headless.keytab",
                "owner": {
                  "name": "${gravitino-env/gravitino_user}",
                  "access": "r"
                },
                "group": {
                  "name": "${cluster-env/user_group}",
                  "access": "r"
                },
                "configuration": "gravitino-conf/gravitino.authenticator.kerberos.keytab"
              }
            }
          ],
          "configurations": [
            {
              "gravitino-conf": {
                "gravitino.authenticators": "kerberos"
              }
            }
          ],
          "components": [
            {
              "name": "GRAVITINO_SERVER"
            }
          ]
        }
      ]
    }
The corresponding authentication configuration in gravitino.conf is as follows:
The host names of my three hosts are: kk1, kk2, and kk3.
I used a regular account for authentication: kinit testaa, and then operated the API using curl --negotiate -u : http://xxx:8090/xxx. However, the backend log reported a Kerberos authentication error.
Error message and/or stacktrace
No screenshots were provided for the specific error. The error occurred during the authentication process when the _HOST part of the principal "HTTP/_HOST@${realm}" was not replaced with the actual hostname "kk1". For example: HTTP/kk1@${realm}
How to reproduce
Please refer to the description I provided earlier.
Additional context
No response
_HOST isn't supported yet. If you're interested, you can add support for it.
I have already fixed this issue in my production environment. The PR is as follows: https://github.com/apache/gravitino/pull/8874. Please refer to it.
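The substitution discussed in this thread, as an added example that is not code from Gravitino or from the linked PR: it follows the convention of Hadoop's `SecurityUtil.getServerPrincipal`, where only the instance component of `service/_HOST@REALM` is replaced, and it fails fast if a literal `_HOST` would otherwise reach the Kerberos login. The class and method names and the realm `EXAMPLE.COM` are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;

// Hypothetical helper, not part of Gravitino.
public class HostPrincipalResolver {
  private static final String HOST_PATTERN = "_HOST";

  /** Replaces the _HOST instance of a service/_HOST@REALM principal with a hostname. */
  static String resolve(String principal, String hostname) throws UnknownHostException {
    if (principal == null) {
      return null;
    }
    String[] parts = principal.split("[/@]");
    // Only the three-part form service/_HOST@REALM is rewritten;
    // user principals and already-concrete SPNs are returned unchanged.
    if (parts.length != 3 || !HOST_PATTERN.equals(parts[1])) {
      return principal;
    }
    String host = hostname;
    if (host == null || host.isEmpty() || "0.0.0.0".equals(host)) {
      // No usable bind address configured: fall back to the local canonical name.
      host = InetAddress.getLocalHost().getCanonicalHostName();
    }
    // Principal names are case-sensitive; host instances are conventionally lowercase.
    return parts[0] + "/" + host.toLowerCase(Locale.ROOT) + "@" + parts[2];
  }

  /** Startup check: refuse a principal that still carries the placeholder. */
  static String requireResolved(String principal) {
    if (principal == null || principal.contains(HOST_PATTERN)) {
      throw new IllegalArgumentException(
          "Kerberos principal still contains " + HOST_PATTERN + ": " + principal);
    }
    return principal;
  }

  public static void main(String[] args) throws UnknownHostException {
    // Constructed sample values: kk1 and kk2 are the host names from the issue,
    // EXAMPLE.COM is a placeholder realm.
    System.out.println(requireResolved(resolve("HTTP/_HOST@EXAMPLE.COM", "KK1")));
    System.out.println(requireResolved(resolve("HTTP/kk1@EXAMPLE.COM", "kk2")));
    System.out.println(requireResolved(resolve("testaa@EXAMPLE.COM", "kk1")));
    System.out.println(requireResolved(resolve("HTTP/_HOST@EXAMPLE.COM", null)));
  }
}
```

The resolved name has to match the SPN entry stored in the keytab exactly, so on a multi-node cluster each host resolves to its own `HTTP/<host>@REALM` entry.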