[
https://issues.apache.org/jira/browse/HADOOP-11683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15109956#comment-15109956
]
Aaron T. Myers commented on HADOOP-11683:
-----------------------------------------
Hey Roger, thanks a lot for taking up this effort. I took a quick look at the
patch and it largely looks good to me. I haven't yet done a detailed code
review, but I think the direction seems generally appropriate. One small thing
I think the patch could definitely benefit from would be breaking the
documentation/example you have in there out of core-default.xml, and into some
actual documentation that will end up published on the website. Putting lengthy
docs explanations in an XML comment is not typically the way we document things.
I can take a harder look at this in the coming days, but I think making that
change would be a good start.
To answer this question:
bq. Just to confirm, since KerberosName and HadoopKerberosName are intended for
HDFS and MapReduce projects only (as defined in LimitedPrivate), do we have the
option to refactor these classes (and maybe provide an interface similar to
GroupMappingServiceProvider)?
Yes, that should be fine within our compatibility guidelines. Just be sure not
to break HDFS/MR.
[~aw] - do you have any more detailed comments on the latest patch?
> Need a plugin API to translate long principal names to local OS user names
> arbitrarily
> --------------------------------------------------------------------------------------
>
> Key: HADOOP-11683
> URL: https://issues.apache.org/jira/browse/HADOOP-11683
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.6.0
> Reporter: Sunny Cheung
> Assignee: roger mak
> Attachments: HADOOP-11683.001.patch, HADOOP-11683.002.patch,
> HADOOP-11683.003.patch
>
>
> We need a plugin API to translate long principal names (e.g.
> [email protected]) to local OS user names (e.g. user123456) arbitrarily.
> For some organizations the name translation is straightforward (e.g.
> [email protected] to john_doe), and the hadoop.security.auth_to_local
> configurable mapping is sufficient to resolve this (see HADOOP-6526).
> However, in some other cases the name translation is arbitrary and cannot be
> generalized by a set of translation rules easily.