[ https://issues.apache.org/jira/browse/HADOOP-15996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16721798#comment-16721798 ]

Bolke de Bruin commented on HADOOP-15996:
-----------------------------------------

I think there are 3 types of plugin to be created:

1. "system" -> using the native Kerberos Java interface to determine the auth_to_local rules specified in krb5.conf and apply these according to the MIT/Heimdal documentation. Use this in case Java 8 is available.
2. "compatible" -> follows MIT/Heimdal evaluation, but the rules are specified in the Hadoop configuration. This is for Java 7 support, see below.
3. "old_hadoop" (or "hadoop", "legacy") -> use the current implementation.

(aside from maybe "custom" if we want to support that).

For "system" most of the groundwork is already in place, but there are a few things to consider.
 * Hadoop already uses the native Kerberos interface in KerberosUtil; it only needs an extension (new method) to support accessing the right information.
 * While MIT/Heimdal Kerberos 5 both support multiple default realms (default_realm can actually list multiple realms), Hadoop and Java 7 don't.
 * Java 7 picks up the first auth_to_local specification and returns it as a String separated by " ". There is no way to determine if this is actually the auth_to_local belonging to the realm we want to evaluate for without changing a field from private to public (in Java 8 it is possible without resorting to this).
 * We cannot 'copy' the Java 8 version as it is under GPL.
 * Some parsing needs to be done in order to split the rules properly when returned from Java 7.

I.e. if we don't want to resort to declaring a private field public, we cannot guarantee security in Java 7, and it will be hard anyway. Therefore, I think we should have "system" only available to Java 8 users, thus Hadoop >= 3.

This can be managed without additional dependencies as all that is required is part of the JDK.
> Plugin interface to support more complex usernames in Hadoop
> ------------------------------------------------------------
>
>                 Key: HADOOP-15996
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15996
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Priority: Major
>
> Hadoop does not allow support of the @ character in usernames following the 
> recent security mailing list vote to revert HADOOP-12751.  A Hadoop 
> auth_to_local rule must match to authorize a user to log in to the Hadoop 
> cluster.  This design does not work well in a multi-realm environment where 
> identical usernames between two realms do not map to the same user.  There 
> is also the possibility that a lossy regex can incorrectly map users.  In 
> the interest of supporting multi-realms, it may be preferred to pass the 
> principal name without rewrite to uniquely distinguish users.  This jira is 
> to revisit if Hadoop can support full principal names without rewrite and 
> provide a plugin to override Hadoop's default implementation of 
> auth_to_local for the multi-realm use case.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
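The two mechanics the thread turns on can be tried outside a cluster: splitting the single space-separated rule String that the comment says Java 7 hands back, and the difference between MIT-style evaluation (which keeps a mapped name such as alice@partner so users from two realms stay distinct) and the legacy Hadoop behaviour the issue description refers to (a result still containing '@' or '/' is rejected). The evaluator below is an added example written for this page; it is not code from the JIRA thread nor Hadoop's own KerberosName/KerberosUtil classes. It assumes the documented rule shape `RULE:[n:fmt](regex)s/from/to/[g][/L]` and `DEFAULT`, treats DEFAULT as MIT describes it (one-component principals in the default realm), and the function names (`split_rules`, `apply_rules`, `demo`) and the sample rule string are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed rule grammar: RULE:[n:fmt](regex)s/from/to/[g][/L]  or  DEFAULT
RULE_RE = re.compile(
    r"^(?:(DEFAULT)|RULE:\[(\d+):([^\]]*)\]"
    r"(?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?(/L)?)$"
)
NON_SIMPLE = re.compile(r"[/@]")  # legacy "hadoop" mode rejects these in a result

# Constructed sample: several rules joined by single spaces, the form the
# comment says Java 7 returns from the krb5.conf auth_to_local block.
JAVA7_RULE_STRING = (
    "RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*// "
    "RULE:[1:$1@$0](.*@PARTNER.COM)s/@PARTNER.COM/@partner/ "
    "DEFAULT"
)


@dataclass
class Rule:
    text: str
    is_default: bool
    n: int = 0
    fmt: str = ""
    match: Optional[re.Pattern] = None
    sub_from: Optional[re.Pattern] = None
    sub_to: str = ""
    repeat: bool = False
    lower: bool = False


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("malformed auth_to_local rule: %r" % text)
    if m.group(1):
        return Rule(text, True)
    n, fmt = int(m.group(2)), m.group(3)
    # $0 is the realm, $1..$n the components; a higher index is a bad rule.
    if any(int(k) > n for k in re.findall(r"\$(\d+)", fmt)):
        raise ValueError("format references a component beyond %d: %r" % (n, text))
    return Rule(
        text, False, n, fmt,
        re.compile(m.group(4)) if m.group(4) is not None else None,
        re.compile(m.group(5)) if m.group(5) is not None else None,
        m.group(6) or "", bool(m.group(7)), bool(m.group(8)),
    )


def split_rules(blob: str) -> List[str]:
    """Split a whitespace-joined rule string back into rules. Whitespace only
    ends a rule when the text gathered so far already parses as a complete
    rule, so a space inside a match regex such as (a b@R) is kept."""
    rules, buf = [], ""
    for ch in blob:
        if ch.isspace() and (not buf or RULE_RE.match(buf)):
            if buf:
                rules.append(buf)
            buf = ""
        else:
            buf += ch
    if buf:
        rules.append(buf)
    return rules


def apply_rules(rules: List[Rule], principal: str, default_realm: str,
                mechanism: str) -> str:
    """Map a principal to a local name. mechanism "hadoop" adds the legacy
    non-simple-name rejection; "mit" returns whatever the rule produced."""
    if "@" in principal:
        base, realm = principal.rsplit("@", 1)
    else:
        base, realm = principal, default_realm
    comps = base.split("/")
    for rule in rules:
        result = None
        if rule.is_default:
            if realm == default_realm and len(comps) == 1:
                result = comps[0]
        elif len(comps) == rule.n:
            params = [realm] + comps
            formatted = re.sub(r"\$(\d+)", lambda g: params[int(g.group(1))], rule.fmt)
            if rule.match is None or rule.match.fullmatch(formatted):
                if rule.sub_from is None:
                    result = formatted
                else:
                    result = rule.sub_from.sub(rule.sub_to, formatted,
                                               count=0 if rule.repeat else 1)
        if result is None:
            continue
        if mechanism == "hadoop" and NON_SIMPLE.search(result):
            raise ValueError("non-simple name %r after rule %s" % (result, rule.text))
        return result.lower() if rule.lower else result
    raise ValueError("no rule matched %s" % principal)


def demo() -> dict:
    rules = [parse_rule(r) for r in split_rules(JAVA7_RULE_STRING)]
    out = {}
    for p in ("nn/host1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM",
              "alice@PARTNER.COM", "bob@CORP.COM"):
        for mech in ("mit", "hadoop"):
            try:
                out[(p, mech)] = apply_rules(rules, p, "EXAMPLE.COM", mech)
            except ValueError as e:
                out[(p, mech)] = "REJECTED: %s" % e
    return out


if __name__ == "__main__":
    for (p, mech), name in demo().items():
        print("%-36s %-7s %s" % (p, mech, name))
```

Running it shows the point of the issue in one table: nn/host1.example.com@EXAMPLE.COM maps to nn under both mechanisms, alice@PARTNER.COM maps to alice@partner under "mit" but is rejected under "hadoop" because the result still carries '@', and bob@CORP.COM is rejected by both because no rule and no DEFAULT applies to a foreign realm.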