jerqi commented on code in PR #6778:
URL: https://github.com/apache/gravitino/pull/6778#discussion_r2020659067
##########
server-common/src/main/java/org/apache/gravitino/server/authentication/KerberosAuthenticator.java:
##########
@@ -170,14 +168,15 @@ private Principal retrievePrincipalFromToken(String
serverPrincipal, byte[] clie
throw new UnauthorizedException("GssContext isn't established",
challenge);
}
- // Usually principal names are in the form 'user/instance@REALM' or
'user@REALM'.
- List<String> principalComponents =
- Splitter.on('@').splitToList(gssContext.getSrcName().toString());
- if (principalComponents.size() != 2) {
- throw new UnauthorizedException("Principal has wrong format",
AuthConstants.NEGOTIATE);
- }
-
- String user = principalComponents.get(0);
+ // Valid Kerberos principal formats (both require realm suffix):
+ // 1. User principal with instance: 'username/instance@REALM' (e.g.
'user1/ho...@example.com')
+ // 2. Basic user principal: 'username@REALM' (e.g. 'us...@example.com')
+ //
+ // HMS Compatibility Notice:
+ // 1. Realm-less with instance format (e.g. 'username/instance') will be
rejected by HMS
Review Comment:
We won't give Hive HMS `username/instance` if we use origin logic. Maybe we
should use another solution. You can see HiveProxyPlugin#69Line.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@gravitino.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
