forLp811 opened a new issue, #8873:
URL: https://github.com/apache/gravitino/issues/8873

   ### Version
   
   0.9.0
   
   ### Describe what's wrong
   
   I have integrated Gravitino 0.9.0 into Ambari 2.7.8. My cluster 
has Kerberos authentication enabled. My service's kerberos.json configuration 
is: 
   {
     "services": [
       {
         "name": "GRAVITINO",
         "identities": [
           {
             "name": "gravitino_smokeuser",
             "reference": "/smokeuser"
           },
           {
             "name": "gravitino_user",
             "principal": {
               "value": "HTTP/_HOST@${realm}",
               "type" : "user",
               "local_username" : "${gravitino-env/gravitino_user}",
               "configuration": "gravitino-conf/gravitino.authenticator.kerberos.principal"
             },
             "keytab": {
               "file": "${keytab_dir}/spnego.headless.keytab",
               "owner": {
                 "name": "${gravitino-env/gravitino_user}",
                 "access": "r"
               },
               "group": {
                 "name": "${cluster-env/user_group}",
                 "access": "r"
               },
               "configuration": "gravitino-conf/gravitino.authenticator.kerberos.keytab"
             }
           }
         ],
         "configurations": [
           {
             "gravitino-conf": {
               "gravitino.authenticators": "kerberos"
             }
           }
         ],
         "components": [
           {
             "name": "GRAVITINO_SERVER"
           }
         ]
       }
     ]
   }
   
   The corresponding authentication configuration in gravitino.conf is as 
follows:
   
   <img width="1086" height="477" alt="Image" src="https://github.com/user-attachments/assets/3aef4816-2739-47cb-9d19-86b6635b3af2" />
   
   The host names of my three hosts are: kk1, kk2, and kk3.
   
   I used a regular account for authentication: `kinit testaa`, and then called 
the API using `curl --negotiate -u : http://xxx:8090/xxx`. However, the backend 
log reported a Kerberos authentication error.
   
   
   ### Error message and/or stacktrace
   
   No screenshots were provided for the specific error. The error occurred 
during the authentication process when the _HOST part of the principal 
"HTTP/_HOST@${realm}" was not replaced with the actual hostname "kk1". For 
example: HTTP/kk1@${realm}
   
   ### How to reproduce
   
   Please refer to the description I provided earlier.
   
   ### Additional context
   
   _No response_
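
A per-host pre-start check for the condition described in this report, added here as an example (it is not part of the original issue or of Gravitino's code): it expands `_HOST` to the lowercased hostname, following the Hadoop convention, and rejects a principal that still carries an unexpanded `${...}` variable. The `EXAMPLE.COM` realm and the sample config text are constructed; the config keys and the hostname `kk1` are taken from the report.

```python
import re
import socket

# Key named in the report; service/host@REALM is the standard principal form.
PRINCIPAL_KEY = "gravitino.authenticator.kerberos.principal"
HOST_TOKEN = "_HOST"
PRINCIPAL_RE = re.compile(r"^([^/@\s]+)/([^/@\s]+)@([^/@\s]+)$")


def parse_conf(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def expand_principal(principal, hostname=None):
    """Return the principal with _HOST replaced by the lowercased hostname."""
    if "${" in principal:
        raise ValueError(f"unexpanded template variable in {principal!r}")
    match = PRINCIPAL_RE.match(principal)
    if not match:
        raise ValueError(f"expected service/host@REALM, got {principal!r}")
    service, host, realm = match.groups()
    if host == HOST_TOKEN:
        host = (hostname or socket.getfqdn()).lower()
    return f"{service}/{host}@{realm}"


def check_conf(text, hostname):
    """Return (configured, expected); they differ when _HOST was left in place."""
    configured = parse_conf(text).get(PRINCIPAL_KEY)
    if configured is None:
        raise KeyError(PRINCIPAL_KEY)
    return configured, expand_principal(configured, hostname)


# Constructed sample: the file as it looks if _HOST reaches it unchanged.
SAMPLE_CONF = """\
gravitino.authenticators = kerberos
gravitino.authenticator.kerberos.principal = HTTP/_HOST@EXAMPLE.COM
"""

if __name__ == "__main__":
    configured, expected = check_conf(SAMPLE_CONF, "kk1")
    if configured != expected:
        print(f"{PRINCIPAL_KEY}: found {configured}, this host needs {expected}")
```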

