Support Questions
Find answers, ask questions, and share your expertise

Can we user Multiple UserGroupInformation (ugi) objects to authenticate with kerberized hadoop?

New Contributor

I need to authenticate two different HDFS cluster with different realms. But only one works fine when I instantiate another UGI object it gives the error

UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(Principal , keytab path);

it works fine when I have single Service Principal Name

But when I have multiple SPN having different realm it gives an error

My User 1 and User 2 belongs to different Realms

SPN1 - "hdfs/user1@ALICE.ABC.COM" SPN2 - "hdfs/user2@BOB.ABC.COM"

Caused by: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied

But DEFAULT rule is there in both the cases

I also heard about Multiple UGI in this document https://bryanbende.com/development/2016/03/20/learning-kerberos-and-ugi

Using Multiple UGI

UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, keytab);

But it also gives the same error how do I achieve these