[
https://issues.apache.org/jira/browse/HADOOP-12751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15239016#comment-15239016
]
Steve Loughran commented on HADOOP-12751:
-----------------------------------------
# we have to leave the auth code in hadoop-auth; things downstream sometimes
import that specific JAR and expect kerberos to be there. (I don't know why the
auth stuff isn't in hadoop-common; that's an inconvenience and a mystery)
# and we can't move Configuration, not when it triggers the loading of
core-default and core-site XML, which would have to be in too, etc, etc.
Here's an alternate proposal.
# the logic to pattern check is retained, the check made
# .... but it's downgraded to a log@info. People can even edit log4j to make
that go away
# kdiag is extended to do the pattern check, add an option to fail if the
username considered invalid
This way: no need to do config of the client, some information gets published
to explain why things aren't working, and KDiag does the full checking
> While using kerberos Hadoop incorrectly assumes names with '@' to be
> non-simple
> -------------------------------------------------------------------------------
>
> Key: HADOOP-12751
> URL: https://issues.apache.org/jira/browse/HADOOP-12751
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.2
> Environment: kerberos
> Reporter: Bolke de Bruin
> Assignee: Bolke de Bruin
> Priority: Critical
> Labels: kerberos
> Attachments: 0001-HADOOP-12751-leave-user-validation-to-os.patch,
> 0001-Remove-check-for-user-name-characters-and.patch,
> 0002-HADOOP-12751-leave-user-validation-to-os.patch,
> 0003-HADOOP-12751-leave-user-validation-to-os.patch,
> 0004-HADOOP-12751-leave-user-validation-to-os.patch
>
>
> In the scenario of a trust between two directories, eg. FreeIPA (ipa.local)
> and Active Directory (ad.local) users can be made available on the OS level
> by something like sssd. The trusted users will be of the form '[email protected]'
> while other users are will not contain the domain. Executing 'id -Gn
> [email protected]' will successfully return the groups the user belongs to if
> configured correctly.
> However, it is assumed by Hadoop that users of the format with '@' cannot be
> correct. This code is in KerberosName.java and seems to be a validator if the
> 'auth_to_local' rules are applied correctly.
> In my opinion this should be removed or changed to a different kind of check
> or maybe logged as a warning while still proceeding, as the current behavior
> limits integration possibilities with other standard tools.
> Workaround are difficult to apply (by having a rewrite by system tools to for
> example user_ad_local) due to down stream consequences.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
