[ https://issues.apache.org/jira/browse/HADOOP-14229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15981381#comment-15981381 ]
Allen Wittenauer commented on HADOOP-14229:
-------------------------------------------
I'm going to +1 with the caveat that this makes the docs a little more clear,
but doesn't really solve a key problem:
{code}
$ bin/hadoop kerbname nn/[email protected]
Name: nn/[email protected] to hdfs
{code}
This is sort of hinted at in the docs:
{code}
The default rule maps the principal host/[email protected]
to system user host. The default rule will not be appropriate for most clusters.
{code}
It then goes on to provide the example rule which doesn't actually fix that
warning and all clusters still have super user access on every other cluster in
the same realm. At which point it becomes clear the documentation is mostly an
exercise in obfuscation. You're better off just using hdfs/, yarn/, etc. for
daemons and avoiding all this mapping baloney anyway (which is what most people
that I know of do).
> hadoop.security.auth_to_local example is incorrect in the documentation
> -----------------------------------------------------------------------
>
> Key: HADOOP-14229
> URL: https://issues.apache.org/jira/browse/HADOOP-14229
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Andras Bokor
> Assignee: Andras Bokor
> Attachments: HADOOP-14229.01.patch, HADOOP-14229.02.patch
>
>
> Let's see jhs as an example:
> {code}RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/{code}
> That means the principal has 2 components (jhs/myhost@REALM).
> The second column converts this to jhs@REALM. So the regex will not match on
> this since the regex expects / in the principal.
> My suggestion is
> {code}RULE:[2:$1](jhs)s/.*/mapred/{code}
> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html
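The rule behaviour discussed in this thread can be checked with a small evaluator. This is an added example, not part of the original message and not Hadoop's own code: it is a simplified Python re-implementation of the `RULE:[n:format](match)s/pattern/replacement/` semantics, and the principals (`myhost`, `otherhost`, `REALM.TLD`) are constructed sample values.

```python
import re

# Subset of the auth_to_local syntax: RULE:[n:format](match)s/pattern/replacement/g
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

# Both rules are quoted from the issue description above.
DOC_RULE = "RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/"
SUGGESTED_RULE = "RULE:[2:$1](jhs)s/.*/mapred/"


def split_principal(principal):
    """Split 'svc/host@REALM' into [realm, svc, host] so that $0 is the realm."""
    name, _, realm = principal.partition("@")
    return [realm] + name.split("/")


def apply_rule(rule, principal):
    """Return the short name the rule produces, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    count, fmt, match, pattern, replacement, is_global = m.groups()
    params = split_principal(principal)
    if len(params) - 1 != int(count):      # [n: must equal the component count
        return None
    # Build the intermediate string from the format ($0 realm, $1.. components).
    base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
    # The (match) regex has to match the whole intermediate string.
    if match is not None and re.fullmatch(match, base) is None:
        return None
    if pattern is None:
        return base
    return re.sub(pattern, replacement, base, count=0 if is_global else 1)


if __name__ == "__main__":
    # Constructed principals: two different hosts and one unrelated service.
    for principal in ("jhs/myhost@REALM.TLD", "jhs/otherhost@REALM.TLD",
                      "nn/myhost@REALM.TLD"):
        for rule in (DOC_RULE, SUGGESTED_RULE):
            print(principal, "|", rule, "->", apply_rule(rule, principal))
```

The documented rule never matches because its format drops the host before the regex that expects a `/` is applied. The suggested rule does match, but it returns `mapred` for a `jhs` principal from any host, since the host component is never inspected.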