Bolke de Bruin created HADOOP-12751:
---------------------------------------
Summary: While using kerberos Hadoop incorrectly assumes names
with '@' to be non-simple
Key: HADOOP-12751
URL: https://issues.apache.org/jira/browse/HADOOP-12751
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.7.2
Reporter: Bolke de Bruin
Priority: Critical
In the scenario of a trust between two directories, e.g. FreeIPA (ipa.local) and
Active Directory (ad.local), users can be made available on the OS level by
something like sssd. The trusted users will be of the form '[email protected]'
while other users will not contain the domain. Executing 'id -Gn
[email protected]' will successfully return the groups the user belongs to if
configured correctly.
However, Hadoop assumes that users in the format with '@' cannot be
correct. This code is in KerberosName.java and seems to be a validator of whether the
'auth_to_local' rules were applied correctly.
In my opinion this should be removed or changed to a different kind of check or
maybe logged as a warning while still proceeding, as the current behavior
limits integration possibilities with other standard tools.
Workarounds are difficult to apply (by having a rewrite by system tools to, for
example, user_ad_local) due to downstream consequences.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
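The report above describes the auth_to_local mapping in KerberosName and the check that rejects any resolved name still containing '@'. The following is an added example, not Hadoop's code and not part of the JIRA issue: a small Python model of how a principal is split into components, how a `RULE:[n:format](regex)s/from/to/g` or `DEFAULT` rule is applied, and where the non-simple-name check fires. The `allow_non_simple` flag is a hypothetical knob that models the reporter's suggestion of warning and proceeding instead of failing; the realm names IPA.LOCAL/AD.LOCAL, the user names and the rule are constructed for the scenario in the report. Substitution back-references use Python's `\1` syntax rather than Java's `$1`, and other Hadoop extensions to the rule syntax are not modelled.

```python
import re
import warnings

# The check the report is about: a resolved short name containing '/' or '@' is rejected.
NON_SIMPLE = re.compile(r"[/@]")
# service/host@REALM; the host part is optional.
PRINCIPAL = re.compile(r"^([^/@]*)(?:/([^/@]*))?@([^/@]*)$")
# RULE:[n:format](match-regex)s/from/to/g  -- the regex and the substitution are both optional.
RULE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?"
    r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?$"
)


class NoMatchingRule(Exception):
    """Raised when no rule maps the principal, or when the mapped name is rejected."""


def parse_principal(name):
    """Split 'service/host@REALM' into (service, host, realm); a bare name has no realm."""
    m = PRINCIPAL.match(name)
    if not m:
        return name, None, None
    return m.group(1), m.group(2), m.group(3)


class Rule:
    def __init__(self, text):
        self.text = text
        self.default = text == "DEFAULT"
        if self.default:
            return
        m = RULE.match(text)
        if not m:
            raise ValueError("bad auth_to_local rule: " + text)
        self.ncomp = int(m.group(1))          # number of principal components the rule applies to
        self.fmt = m.group(2)                 # $0 is the realm, $1.. are the components
        self.match = re.compile(m.group(3)) if m.group(3) is not None else None
        self.sub_from = re.compile(m.group(4)) if m.group(4) is not None else None
        self.sub_to = m.group(5)              # Python back-reference syntax (\1), not Java's $1
        self.repeat = bool(m.group(6))        # trailing 'g' replaces every occurrence

    def apply(self, params, default_realm):
        """params[0] is the realm, params[1:] the components; returns None when the rule does not apply."""
        if self.default:
            return params[1] if params[0] == default_realm else None
        if len(params) - 1 != self.ncomp:
            return None
        base = re.sub(r"\$(\d+)", lambda g: params[int(g.group(1))], self.fmt)
        if self.match is not None and not self.match.fullmatch(base):
            return None
        if self.sub_from is None:
            return base
        return self.sub_from.sub(self.sub_to, base, count=0 if self.repeat else 1)


def to_local(principal, rules, default_realm, allow_non_simple=False):
    """Map a principal to a local user name the way the report describes KerberosName doing it.

    allow_non_simple=False reproduces the rejection of any result containing '@' or '/';
    True is a hypothetical lenient mode that keeps the result and only warns.
    """
    service, host, realm = parse_principal(principal)
    if realm is None:
        return service                        # already a simple name, no rule needed
    params = [realm, service] + ([host] if host is not None else [])
    for rule in rules:
        result = rule.apply(params, default_realm)
        if result is None:
            continue
        if NON_SIMPLE.search(result):
            if not allow_non_simple:
                raise NoMatchingRule("Non-simple name %s after auth_to_local rule %s" % (result, rule.text))
            warnings.warn("non-simple name %s accepted from rule %s" % (result, rule.text))
        return result
    raise NoMatchingRule("No rules applied to " + principal)


# Constructed scenario: FreeIPA realm IPA.LOCAL trusts AD.LOCAL, and sssd exposes AD users
# as 'user@ad.local' while IPA users are plain 'user'. The rule keeps the domain on AD names.
DEFAULT_REALM = "IPA.LOCAL"
RULES = [
    Rule(r"RULE:[1:$1@$0](.*@AD\.LOCAL)s/@AD\.LOCAL/@ad.local/"),
    Rule("DEFAULT"),
]


def demo():
    results = {"ipa": to_local("bob@IPA.LOCAL", RULES, DEFAULT_REALM)}
    try:
        to_local("alice@AD.LOCAL", RULES, DEFAULT_REALM)      # strict: the '@' in the result is fatal
        results["ad_strict"] = "accepted"
    except NoMatchingRule as e:
        results["ad_strict"] = str(e)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        results["ad_lenient"] = to_local("alice@AD.LOCAL", RULES, DEFAULT_REALM, allow_non_simple=True)
    try:
        to_local("eve@OTHER.REALM", RULES, DEFAULT_REALM)     # no rule applies at all
        results["no_rule"] = "accepted"
    except NoMatchingRule as e:
        results["no_rule"] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Running the block shows the difference the report is about: the same rule that produces the sssd-visible name 'alice@ad.local' is accepted in the lenient mode and rejected in the strict one, while IPA users and service principals resolve through DEFAULT unchanged.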