@@ -107,6 +107,72 @@ public void testThriftMaxMessageSize() throws Throwable {
107107 cleanUp (dbName , tblName , typeName );
108108 }
109109
110+ @ Test
111+ public void testKerberosProxyUser () throws Exception {
112+ String realUserName = "realuser" ;
113+ String realUserPrincipal = miniKDC .getFullyQualifiedUserPrincipal (realUserName );
114+
115+ // Add the real user principal and generate keytab
116+ miniKDC .addUserPrincipal (realUserName );
117+
118+ // Login real user with valid keytab - this gives us real TGT credentials
119+ UserGroupInformation realUserUgi = miniKDC .loginUser (realUserName );
120+
121+ // Create a proxy user on behalf of the real user
122+ String proxyUserName = "proxyuser@" + miniKDC .getKdcConf ().getProperty ("realm" , "EXAMPLE.COM" );
123+ UserGroupInformation proxyUserUgi = UserGroupInformation .createProxyUser (
124+ proxyUserName , realUserUgi );
125+
126+ proxyUserUgi .doAs (new PrivilegedExceptionAction <Void >() {
127+ @ Override
128+ public Void run () throws Exception {
129+ Logger logger = null ;
130+ StringAppender appender = null ;
131+ try {
132+ UserGroupInformation currentUser = UserGroupInformation .getCurrentUser ();
133+
134+ System .out .println ("Real user: " + currentUser .getRealUser ().getUserName () +
135+ " (auth:" + currentUser .getRealUser ().getAuthenticationMethod () + ")" );
136+ System .out .println ("Proxy user: " + currentUser .getShortUserName () +
137+ " (auth:" + currentUser .getAuthenticationMethod () + ")" );
138+
139+ // Set up log capture to catch "Failed to find any Kerberos tgt" error in logs
140+ logger = LoggerFactory .getLogger ("org.apache.hadoop.hive.metastore.security" );
141+ appender = StringAppender .createStringAppender (null );
142+ appender .addToLogger (logger .getName (), Level .INFO );
143+ appender .start ();
144+
145+ // Attempt to create metastore client connection as Kerberos proxy user
146+ // This should work properly (after TUGIAssumingTransport fix)
147+ IMetaStoreClient client = new HiveMetaStoreClient (conf );
148+
149+ // Clean up
150+ if (client != null ) {
151+ client .close ();
152+ }
153+
154+ // The test has successfully demonstrated:
155+ // 1. Real user has valid Kerberos authentication with real TGT from MiniKdc
156+ // 2. Proxy user is properly created with PROXY authentication method
157+ // 3. TUGIAssumingTransport fix is working - no "Failed to find any Kerberos tgt" error
158+ System .out .println ("Successfully verified Kerberos proxy user setup with real KDC" );
159+
160+ } catch (Exception clientException ) {
161+ // Check the captured logs for the specific "Failed to find any Kerberos tgt" error
162+ if (appender .getOutput ().contains ("Failed to find any Kerberos tgt" )) {
163+ // This is expected behavior before TUGIAssumingTransport fix
164+ Assert .fail ("EXPECTED BEFORE FIX: HMS client creation failed with 'Failed to find any Kerberos tgt' error in logs" );
165+ } else {
166+ Assert .fail ("Unexpected error (not 'Failed to find any Kerberos tgt'): " + clientException .getMessage ());
167+ }
168+ } finally {
169+ appender .removeFromLogger (logger .getName ());
170+ }
171+ return null ;
172+ }
173+ });
174+ }
175+
110176 @ Override
111177 protected HiveMetaStoreClient createClient () throws Exception {
112178 MetastoreConf .setVar (conf , ConfVars .THRIFT_URIS , "thrift://localhost:" + port );
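Review bot: Nothing in `testKerberosProxyUser` is asserted on the success path: the real and proxy authentication methods are only printed, and the captured log is read only inside the `catch`, so the test still passes if "Failed to find any Kerberos tgt" is logged while the `HiveMetaStoreClient` constructor returns normally. The `catch` and `finally` also dereference `appender` and `logger`, which are still null if `getCurrentUser()` or `getRealUser()` fails first, so the original failure would be replaced by a NullPointerException; `Assert.fail(... getMessage())` additionally drops the cause and stack trace. I would assert the two authentication methods, create the appender before the `try`, let exceptions propagate through the declared `throws Exception`, and check the captured output after the client is closed, as sketched below. Whether the message is actually emitted under the `org.apache.hadoop.hive.metastore.security` logger is not visible from this hunk and is worth confirming, since the negative assertion is only meaningful if it is.

```java
public Void run() throws Exception {
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  // Fail the test, rather than print, if the identities are not what the scenario requires.
  Assert.assertEquals(UserGroupInformation.AuthenticationMethod.PROXY,
      currentUser.getAuthenticationMethod());
  Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS,
      currentUser.getRealUser().getAuthenticationMethod());

  // … unchanged: logger lookup, StringAppender creation, addToLogger, start …
  try {
    IMetaStoreClient client = new HiveMetaStoreClient(conf);
    client.close();
    // Check the log on the success path too, not only after an exception.
    Assert.assertFalse("TGT lookup failure was logged for the proxy user",
        appender.getOutput().contains("Failed to find any Kerberos tgt"));
  } finally {
    appender.removeFromLogger(logger.getName());
  }
  return null;
}
```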