From 05e4e0c98147c2af45fd0fd9b0ab62287cbe39fc Mon Sep 17 00:00:00 2001
From: Andrew Purtell
Date: Fri, 1 May 2026 17:19:00 -0700
Subject: [PATCH] PHOENIX-7837 SecureUserConnectionsIT install permissive auth_to_local rules
---
 .../apache/phoenix/jdbc/SecureUserConnectionsIT.java | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/phoenix-core/src/it/java/org/apache/phoenix/jdbc/SecureUserConnectionsIT.java b/phoenix-core/src/it/java/org/apache/phoenix/jdbc/SecureUserConnectionsIT.java
index 9b0f38df147..cf3e7a3e1e8 100644
--- a/phoenix-core/src/it/java/org/apache/phoenix/jdbc/SecureUserConnectionsIT.java
+++ b/phoenix-core/src/it/java/org/apache/phoenix/jdbc/SecureUserConnectionsIT.java
@@ -103,7 +103,17 @@ public static synchronized void setupKdc() throws Exception {
 conf.setBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, true);
 conf.set(HConstants.CLIENT_CONNECTION_REGISTRY_IMPL_CONF_KEY, ZKConnectionInfo.ZK_REGISTRY_NAME);
+ // Install permissive auth_to_local rules so that this test can run on a developer
+ // workstation that has an active Kerberos TGT for an unrelated realm. Without this,
+ // ConnectionInfo.create -> User.getCurrent -> UGI.getLoginUser will commit the OS-level
+ // Kerberos principal through HadoopLoginModule, and KerberosName.getShortName will throw
+ // NoMatchingRule because the test's default realm ("EXAMPLE.COM", set by
+ // updateDefaultRealm) does not match the developer's real-world principal.
+ conf.set("hadoop.security.auth_to_local", "RULE:[1:$1] RULE:[2:$1] DEFAULT");
 UserGroupInformation.setConfiguration(conf);
+ // Belt-and-suspenders: KerberosName caches its rules statically across tests, so make
+ // sure our permissive rules are the ones in effect.
+ KerberosName.setRules("RULE:[1:$1] RULE:[2:$1] DEFAULT");
 // Clear the cached singletons so we can inject our own.
 InstanceResolver.clearSingletons();
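Review bot: The permissive rule string `"RULE:[1:$1] RULE:[2:$1] DEFAULT"` is written twice, and `KerberosName.setRules` installs it as JVM-wide static state that nothing in this hunk restores. These rules drop the realm from every one- and two-component principal, so a later test in the same forked JVM that depends on realm-sensitive short-name mapping would silently run against them; the added comment itself says the rules are cached across tests. I would hoist the literal into one constant, e.g. `private static final String PERMISSIVE_AUTH_TO_LOCAL = "RULE:[1:$1] RULE:[2:$1] DEFAULT";`, save the prior value with `KerberosName.getRules()` before overwriting it, and restore it in the class teardown. `setupKdc` begins and ends outside the hunk, so a teardown that already resets the rules may exist and simply not be visible here.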