org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to admin@TRUSTED.REALM

Apache's JIRA Issue Tracker | Andrejs Dubovskis | 3 years ago
tip
Click on the to mark the solution that helps you, Samebug will learn from it.
As a community member, you’ll be rewarded for you help.
  1. 0

    SOLR security configured accordingly [this document|http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH5/latest/CDH5-Security-Guide/cdh5sg_search_security.html] User from primary realm (used by Hadoop cluster itself) can access the console, but user from trusted realm can't. {code} Sep 24, 2014 9:30:13 AM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet LoadAdminUI threw exception org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to admin@TRUSTED.REALM at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:359) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:329) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:415) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:329) at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:349) at org.apache.solr.servlet.SolrHadoopAuthenticationFilter.doFilter(SolrHadoopAuthenticationFilter.java:148) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.solr.servlet.HostnameFilter.doFilter(HostnameFilter.java:86) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:745) {code} Required kerberos auth_to_local rules are defined in hadoop/core-site.xml file and was added to /etc/krb5.conf as well. Another CDH components (for example, Impala) use these rules and allow access for users from trusted domain.

    Apache's JIRA Issue Tracker | 3 years ago | Andrejs Dubovskis
    org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to admin@TRUSTED.REALM

    Root Cause Analysis

    1. org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule

      No rules applied to admin@TRUSTED.REALM

      at org.apache.hadoop.security.authentication.util.KerberosName.getShortName()
    2. Apache Hadoop Auth
      KerberosAuthenticationHandler$2.run
      1. org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
      2. org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:359)
      3. org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:329)
      3 frames
    3. Java RT
      Subject.doAs
      1. java.security.AccessController.doPrivileged(Native Method)
      2. javax.security.auth.Subject.doAs(Subject.java:415)
      2 frames
    4. Apache Hadoop Auth
      AuthenticationFilter.doFilter
      1. org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:329)
      2. org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:349)
      2 frames
    5. Apache Solr Core
      SolrHadoopAuthenticationFilter.doFilter
      1. org.apache.solr.servlet.SolrHadoopAuthenticationFilter.doFilter(SolrHadoopAuthenticationFilter.java:148)
      1 frame
    6. Glassfish Core
      ApplicationFilterChain.doFilter
      1. org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      2. org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      2 frames
    7. Apache Solr Core
      HostnameFilter.doFilter
      1. org.apache.solr.servlet.HostnameFilter.doFilter(HostnameFilter.java:86)
      1 frame
    8. Glassfish Core
      CoyoteAdapter.service
      1. org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      2. org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      3. org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      4. org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      5. org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      6. org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      7. org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      8. org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
      8 frames
    9. Grizzly HTTP
      JIoEndpoint$Worker.run
      1. org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
      2. org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
      3. org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
      3 frames
    10. Java RT
      Thread.run
      1. java.lang.Thread.run(Thread.java:745)
      1 frame