Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Can we user Multiple UserGroupInformation (ugi) objects to authenticate with kerberized hadoop?

Can we user Multiple UserGroupInformation (ugi) objects to authenticate with kerberized hadoop?

New Contributor

I need to authenticate two different HDFS cluster with different realms. But only one works fine when I instantiate another UGI object it gives the error

UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(Principal , keytab path);

it works fine when I have single Service Principal Name

But when I have multiple SPN having different realm it gives an error

My User 1 and User 2 belongs to different Realms

SPN1 - "hdfs/user1@ALICE.ABC.COM" SPN2 - "hdfs/user2@BOB.ABC.COM"

Caused by: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied

But DEFAULT rule is there in both the cases

I also heard about Multiple UGI in this document https://bryanbende.com/development/2016/03/20/learning-kerberos-and-ugi

Using Multiple UGI

UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, keytab);

But it also gives the same error how do I achieve these

Don't have an account?
Coming from Hortonworks? Activate your account here