[
https://issues.apache.org/jira/browse/HADOOP-12751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15151013#comment-15151013
]
Bolke de Bruin commented on HADOOP-12751:
-----------------------------------------
Ping [~templedf] [[email protected]]
If you don't mind please provide some feedback. I see 4 options going forward.
1. Keep as-is. Obviously not preferred in my opinion
2. Remove check for '@'. Solves my issues, but is imho less elegant. Might run
into issues triggered by having a '@' in the name.
3. Remove check fully. Leaves check to the OS. Might run into issues triggered
by having a '@' or '/' or not throwing an exception at all.
4. Make it configurable, for example based on a regex. On linux it used to be
NAME_REGEX to verify usernames for /etc/passwd. However this seems not enforced
everywhere (and neither really required) and it might create extra complexity
in supporting this (ie. multiple possibilities).
What are your thoughts?
> While using kerberos Hadoop incorrectly assumes names with '@' to be
> non-simple
> -------------------------------------------------------------------------------
>
> Key: HADOOP-12751
> URL: https://issues.apache.org/jira/browse/HADOOP-12751
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.2
> Reporter: Bolke de Bruin
> Priority: Critical
> Labels: kerberos
> Attachments: 0001-HADOOP-12751-leave-user-validation-to-os.patch,
> 0001-Remove-check-for-user-name-characters-and.patch,
> 0002-HADOOP-12751-leave-user-validation-to-os.patch,
> 0003-HADOOP-12751-leave-user-validation-to-os.patch,
> 0004-HADOOP-12751-leave-user-validation-to-os.patch
>
>
> In the scenario of a trust between two directories, eg. FreeIPA (ipa.local)
> and Active Directory (ad.local) users can be made available on the OS level
> by something like sssd. The trusted users will be of the form '[email protected]'
> while other users are will not contain the domain. Executing 'id -Gn
> [email protected]' will successfully return the groups the user belongs to if
> configured correctly.
> However, it is assumed by Hadoop that users of the format with '@' cannot be
> correct. This code is in KerberosName.java and seems to be a validator if the
> 'auth_to_local' rules are applied correctly.
> In my opinion this should be removed or changed to a different kind of check
> or maybe logged as a warning while still proceeding, as the current behavior
> limits integration possibilities with other standard tools.
> Workaround are difficult to apply (by having a rewrite by system tools to for
> example user_ad_local) due to down stream consequences.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
