[https://issues.apache.org/jira/browse/HADOOP-12751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15124933#comment-15124933]
Bolke de Bruin commented on HADOOP-12751:
-----------------------------------------
[~steve_l] I understand that, however the MIT Kerberos implementation does not
force rules to apply, i.e. they can fall through. Executing "id bolke/joe" works
as expected (returns no such user), although I cannot add such a user locally
it seems. Thus the OS does not seem to really care, it gives functional errors, so
per [~templedf] the check for a valid user can be left to the OS.
This means the check is there to protect Hadoop's assumptions and I think the
question is will it create regression within Hadoop somehow and does not
throwing an exception (IOException derived) cause big issues in Hadoop's
internals? Remember the RULEs still apply, so normally "user/host.ex.org@realm"
would be transformed if configured correctly. So this patch would put more
responsibility on the administrator to make sure the rules cover what is
needed, but that is the case anyway with a krb5.conf as well.
Like I mentioned I can re-add the check on '/' to be on the safe side, but I
wonder if it is required.
> While using kerberos Hadoop incorrectly assumes names with '@' to be
> non-simple
> -------------------------------------------------------------------------------
>
> Key: HADOOP-12751
> URL: https://issues.apache.org/jira/browse/HADOOP-12751
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.2
> Reporter: Bolke de Bruin
> Priority: Critical
> Labels: kerberos
> Attachments: 0001-HADOOP-12751-leave-user-validation-to-os.patch,
> 0002-HADOOP-12751-leave-user-validation-to-os.patch,
> 0003-HADOOP-12751-leave-user-validation-to-os.patch,
> 0004-HADOOP-12751-leave-user-validation-to-os.patch
>
>
> In the scenario of a trust between two directories, eg. FreeIPA (ipa.local)
> and Active Directory (ad.local) users can be made available on the OS level
> by something like sssd. The trusted users will be of the form '[email protected]'
> while other users will not contain the domain. Executing 'id -Gn
> [email protected]' will successfully return the groups the user belongs to if
> configured correctly.
> However, it is assumed by Hadoop that users of the format with '@' cannot be
> correct. This code is in KerberosName.java and seems to be a validator if the
> 'auth_to_local' rules are applied correctly.
> In my opinion this should be removed or changed to a different kind of check
> or maybe logged as a warning while still proceeding, as the current behavior
> limits integration possibilities with other standard tools.
> Workarounds are difficult to apply (by having a rewrite by system tools to for
> example user_ad_local) due to downstream consequences.