[
https://issues.apache.org/jira/browse/HADOOP-12751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16329726#comment-16329726
]
Konstantin Shvachko edited comment on HADOOP-12751 at 1/18/18 12:09 AM:
------------------------------------------------------------------------
Attached a patch for branch-2.7. Cherry picked all changes from 2.8 commit
except {{KDiag}}, because diagnostic class is not in 2.7.
LMK if that works.
was (Author: shv):
Attached a patch for branch-2.7. Cherry picked all changes from 2.8 commit
except {{KDiag}}, because diagnostic class is not in 2.7.
LMK of that works.
> While using kerberos Hadoop incorrectly assumes names with '@' to be
> non-simple
> -------------------------------------------------------------------------------
>
> Key: HADOOP-12751
> URL: https://issues.apache.org/jira/browse/HADOOP-12751
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.2
> Environment: kerberos
> Reporter: Bolke de Bruin
> Assignee: Bolke de Bruin
> Priority: Critical
> Labels: kerberos
> Fix For: 2.8.0, 3.0.0-alpha1
>
> Attachments: 0001-HADOOP-12751-leave-user-validation-to-os.patch,
> 0001-Remove-check-for-user-name-characters-and.patch,
> 0002-HADOOP-12751-leave-user-validation-to-os.patch,
> 0003-HADOOP-12751-leave-user-validation-to-os.patch,
> 0004-HADOOP-12751-leave-user-validation-to-os.patch,
> 0005-HADOOP-12751-leave-user-validation-to-os.patch,
> 0006-HADOOP-12751-leave-user-validation-to-os.patch,
> 0007-HADOOP-12751-leave-user-validation-to-os.patch,
> 0007-HADOOP-12751-leave-user-validation-to-os.patch,
> 0008-HADOOP-12751-leave-user-validation-to-os.patch,
> 0008-HADOOP-12751-leave-user-validation-to-os.patch, HADOOP-12751-009.patch,
> HADOOP-12751-branch-2.7.009.patch
>
>
> In the scenario of a trust between two directories, eg. FreeIPA (ipa.local)
> and Active Directory (ad.local) users can be made available on the OS level
> by something like sssd. The trusted users will be of the form '[email protected]'
> while other users are will not contain the domain. Executing 'id -Gn
> [email protected]' will successfully return the groups the user belongs to if
> configured correctly.
> However, it is assumed by Hadoop that users of the format with '@' cannot be
> correct. This code is in KerberosName.java and seems to be a validator if the
> 'auth_to_local' rules are applied correctly.
> In my opinion this should be removed or changed to a different kind of check
> or maybe logged as a warning while still proceeding, as the current behavior
> limits integration possibilities with other standard tools.
> Workaround are difficult to apply (by having a rewrite by system tools to for
> example user_ad_local) due to down stream consequences.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
