This is an automated email from the ASF dual-hosted git repository.
kirs pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new b03c5441077 [Fix](kerberos)Ensure Hadoop Configuration sets kerberos
authentication for HMS access (#55250)
b03c5441077 is described below
commit b03c5441077647b51f35a014bf86739bacadd345
Author: Calvin Kirs <[email protected]>
AuthorDate: Tue Aug 26 09:42:27 2025 +0800
[Fix](kerberos)Ensure Hadoop Configuration sets kerberos authentication for
HMS access (#55250)
### What problem does this PR solve?
When connecting to a Hive Metastore (HMS) that uses Kerberos
authentication, Hadoop clients must have
`hadoop.security.authentication` set to `kerberos`. Without this
setting, RPC calls may fail with authentication errors, such as
"org.apache.hadoop.security.AccessControlException: SIMPLE
authentication is not enabled. Available:[TOKEN, KERBEROS]".
---
.../security/authentication/HadoopKerberosAuthenticator.java | 10 ++++++++++
.../doris/datasource/property/metastore/HMSBaseProperties.java | 1 +
2 files changed, 11 insertions(+)
diff --git
a/fe/fe-common/src/main/java/org/apache/doris/common/security/authentication/HadoopKerberosAuthenticator.java
b/fe/fe-common/src/main/java/org/apache/doris/common/security/authentication/HadoopKerberosAuthenticator.java
index 14dace68b24..4e80fc17a80 100644
---
a/fe/fe-common/src/main/java/org/apache/doris/common/security/authentication/HadoopKerberosAuthenticator.java
+++
b/fe/fe-common/src/main/java/org/apache/doris/common/security/authentication/HadoopKerberosAuthenticator.java
@@ -64,6 +64,11 @@ public class HadoopKerberosAuthenticator implements
HadoopAuthenticator {
if (ugi == null) {
subject = getSubject(config.getKerberosKeytab(),
config.getKerberosPrincipal(), config.isPrintDebugLog());
ugi = Objects.requireNonNull(login(subject), "login result is
null");
+ if (LOG.isDebugEnabled()) {
+ Date lastTicketEndTime = getTicketEndTime(subject);
+ LOG.debug("Kerberos principal: {}, last ticket end time: {}",
+ config.getKerberosPrincipal(), lastTicketEndTime);
+ }
return ugi;
}
if (nextRefreshTime < System.currentTimeMillis()) {
@@ -98,6 +103,11 @@ public class HadoopKerberosAuthenticator implements
HadoopAuthenticator {
lastRefreshTime, nextRefreshTime);
}
}
+ if (LOG.isDebugEnabled()) {
+ Date lastTicketEndTime = getTicketEndTime(subject);
+ LOG.debug("Kerberos principal: {}, last ticket end time: {}",
+ config.getKerberosPrincipal(), lastTicketEndTime);
+ }
return ugi;
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/datasource/property/metastore/HMSBaseProperties.java
b/fe/fe-core/src/main/java/org/apache/doris/datasource/property/metastore/HMSBaseProperties.java
index c0ea817d156..473bb6584c9 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/datasource/property/metastore/HMSBaseProperties.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/datasource/property/metastore/HMSBaseProperties.java
@@ -165,6 +165,7 @@ public class HMSBaseProperties {
&& this.hdfsAuthenticationType.equalsIgnoreCase("kerberos")) {
KerberosAuthenticationConfig authenticationConfig = new
KerberosAuthenticationConfig(
this.hdfsKerberosPrincipal, this.hdfsKerberosKeytab,
hiveConf);
+ hiveConf.set("hadoop.security.authentication", "kerberos");
this.hmsAuthenticator =
HadoopAuthenticator.getHadoopAuthenticator(authenticationConfig);
return;
}
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
