java.lang.IllegalArgumentException: Illegal principal name @EXAMPLE.COM: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to @EXAMPLE.COM
    at org.apache.hadoop.security.User.<init>(User.java:50)
    at org.apache.hadoop.security.User.<init>(User.java:43)
    at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1221)
    at org.apache.hadoop.security.UserGroupInformation.createRemoteUser(UserGroupInformation.java:1205)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:689)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:285)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to @EXAMPLE.COM
    at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
    at org.apache.hadoop.security.User.<init>(User.java:48)
    ... 8 more

This is caused by HDFS being unable to resolve the cross-realm principal to a local user in the cluster. To fix the issue, follow the steps below:

1. In Cloudera Manager, go to HDFS > Configuration, search for “Trusted Kerberos Realms” and add “EXAMPLE.COM” to the list
2. Restart HS2 first
3. Confirm that you can now connect to HS2 from the client
4. Restart the rest of the services

This should allow users to connect to HS2 from outside the cluster’s realm.
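The NoMatchingRule in the trace is raised by Hadoop's principal-to-short-name mapping (`KerberosName.getShortName`), which evaluates the `hadoop.security.auth_to_local` rules in order. The Python model below is an added example, not code from Hadoop or from the original post; it covers the `DEFAULT` and `RULE:[n:format](regex)s/from/to/` forms to show why a principal from EXAMPLE.COM fails with only `DEFAULT` and maps once a rule for that realm exists. The users `alice` and `bob`, the host `gw1.example.com`, the cluster realm `CLUSTER.LOCAL` and the rule strings are constructed for illustration; the rules Cloudera Manager generates for a trusted realm may be written differently.

```python
import re

# Model of the DEFAULT and RULE:[n:fmt](regex)s/from/to/g forms of
# hadoop.security.auth_to_local (other rule options are not modelled).
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

class NoMatchingRule(Exception):
    pass

def short_name(principal, rules, default_realm):
    # First rule that applies wins; no applicable rule raises NoMatchingRule.
    name, _, realm = principal.partition("@")
    if not realm:
        return name                      # already a simple name
    parts = name.split("/")              # user, or service/host
    params = [realm] + parts             # $0 = realm, $1.. = components
    for rule in rules:
        if rule == "DEFAULT":            # only strips the cluster's own realm
            if realm == default_realm:
                return parts[0]
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unparseable rule: " + rule)
        n, fmt, regex, frm, to, repeat = m.groups()
        if int(n) != len(parts):
            continue                     # rule is for another component count
        base = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], fmt)
        if regex is not None and not re.fullmatch(regex, base):
            continue
        return base if frm is None else re.sub(frm, to, base, count=0 if repeat else 1)
    raise NoMatchingRule("No rules applied to " + principal)

def try_map(principal, rules, default_realm="CLUSTER.LOCAL"):
    try:
        return short_name(principal, rules, default_realm)
    except NoMatchingRule as exc:
        return "ERROR: " + str(exc)

# Constructed rule sets: before and after trusting EXAMPLE.COM.
BEFORE = ["DEFAULT"]
AFTER = [r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//",
         r"RULE:[2:$1@$0](.*@EXAMPLE\.COM)s/@.*//",
         "DEFAULT"]

if __name__ == "__main__":
    for p in ("alice@EXAMPLE.COM", "hive/gw1.example.com@EXAMPLE.COM", "bob@OTHER.ORG"):
        print(p, "|", try_map(p, BEFORE), "|", try_map(p, AFTER))
```

With the AFTER rules, `alice@EXAMPLE.COM` and `alice@CLUSTER.LOCAL` both map to the local user `alice`, so only realms whose accounts you are prepared to treat as local users belong in the trusted list.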