[ https://issues.apache.org/jira/browse/HADOOP-11683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15115110#comment-15115110 ]
Kai Zheng commented on HADOOP-11683:
------------------------------------
bq. I think it is important to recognize that principal -> username conversion
happens all over the stack.
Agree, this is similar to the user groups mapping behaviour. The configurations
and referenced providers introduced here should be the same on all the nodes.
bq. if a non-Java AM decides to provide user auth (think Slider), it doesn't
appear to have a way to access this functionality without using JNI.
I'm not sure I got this, but with the current code, non-Java AMs already
need to access {{HadoopKerberosName}} or use the current mapping method via
the configuration {{auth_to_local}}, I guess? This work keeps the behaviour and
introduces a pluggable provider mechanism but hasn't provided any plugin provider
yet.
> Need a plugin API to translate long principal names to local OS user names
> arbitrarily
> --------------------------------------------------------------------------------------
>
> Key: HADOOP-11683
> URL: https://issues.apache.org/jira/browse/HADOOP-11683
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.6.0
> Reporter: Sunny Cheung
> Assignee: roger mak
> Attachments: HADOOP-11683.001.patch, HADOOP-11683.002.patch,
> HADOOP-11683.003.patch
>
>
> We need a plugin API to translate long principal names (e.g.
> [email protected]) to local OS user names (e.g. user123456) arbitrarily.
> For some organizations the name translation is straightforward (e.g.
> [email protected] to john_doe), and the hadoop.security.auth_to_local
> configurable mapping is sufficient to resolve this (see HADOOP-6526).
> However, in some other cases the name translation is arbitrary and cannot be
> generalized by a set of translation rules easily.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
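
The two mapping styles contrasted in the issue description, a translation rule versus an arbitrary lookup, as an added example that is not part of the JIRA thread or the attached patches. `PrincipalMapper`, `RuleMapper`, `TableMapper`, the realm and the principals are hypothetical or constructed, not Hadoop's API; unmapped principals are rejected rather than given a default user.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; PrincipalMapper, RuleMapper and TableMapper are
// hypothetical names, not Hadoop classes. Realm and users are constructed.
public class PrincipalMappingDemo {
    interface PrincipalMapper {
        Optional<String> toLocalUser(String principal);
    }

    // Rule style: one pattern covers every principal in a single trusted realm.
    static final class RuleMapper implements PrincipalMapper {
        private static final Pattern RULE =
            Pattern.compile("^([A-Za-z0-9_]+)\\.([A-Za-z0-9_]+)@EXAMPLE\\.COM$");
        public Optional<String> toLocalUser(String principal) {
            Matcher m = RULE.matcher(principal);
            return m.matches()
                ? Optional.of((m.group(1) + "_" + m.group(2)).toLowerCase(Locale.ROOT))
                : Optional.empty();
        }
    }

    // Arbitrary style: no pattern relates the two names, so look them up.
    static final class TableMapper implements PrincipalMapper {
        private final Map<String, String> table;
        TableMapper(Map<String, String> table) { this.table = Map.copyOf(table); }
        public Optional<String> toLocalUser(String principal) {
            return Optional.ofNullable(table.get(principal));
        }
    }

    // Fail closed: an unmapped principal is rejected, never given a default user.
    static String resolve(PrincipalMapper mapper, String principal) {
        return mapper.toLocalUser(principal).orElseThrow(
            () -> new SecurityException("no local user for " + principal));
    }

    public static void main(String[] args) {
        PrincipalMapper rules = new RuleMapper();
        PrincipalMapper table = new TableMapper(
            Map.of("jane.roe@EXAMPLE.COM", "user123456"));
        System.out.println(resolve(rules, "john.doe@EXAMPLE.COM"));
        System.out.println(resolve(table, "jane.roe@EXAMPLE.COM"));
        // A principal from a realm the table does not cover is rejected.
        resolve(table, "john.doe@OTHER.EXAMPLE");
    }
}
```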