[ 
https://issues.apache.org/jira/browse/HADOOP-15996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16725380#comment-16725380
 ] 

Larry McCay commented on HADOOP-15996:
--------------------------------------

[~bolke] - I can certainly see this being a reasonable outcome of discussion on 
this JIRA. I also can see a benefit to having distinct plugins or profiles here 
where the semantics can be clearly articulated, documented and maintained.

Continuing the existing pattern of more config knobs to tweak in different 
combinations that can end up with unexpected results may be something we want 
to avoid.

If there is any desire to continue discussion and brainstorming around a plugin 
mechanism here then the current patch should probably be broken out as a 
separate JIRA as a new and possibly future config based approach.

This then allows us to refactor the new code from that patch into plugins if 
that is the direction we want and doesn't lose track of this JIRA discussion.

I will start reviewing your patch here to make sure that it is a simple config 
setting to switch between semantics and that it is legacy by default. We can 
move discussion of the patch into a separate JIRA as needed.

Let's make sure that the differences between the two settings are fully 
described - so that admins know exactly what they are setting. From there we 
can determine what to put in docs and in READMEs.

> Plugin interface to support more complex usernames in Hadoop
> ------------------------------------------------------------
>
>                 Key: HADOOP-15996
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15996
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Bolke de Bruin
>            Priority: Major
>         Attachments: 0001-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0001-Simple-trial-of-using-krb5.conf-for-auth_to_local-ru.patch
>
>
> Hadoop does not allow support of the @ character in usernames, per a recent 
> security mailing list vote to revert HADOOP-12751.  A Hadoop auth_to_local rule 
> must match to authorize a user to log in to a Hadoop cluster.  This design does 
> not work well in a multi-realm environment where identical usernames between two 
> realms do not map to the same user.  There is also a possibility that a lossy 
> regex can incorrectly map users.  In the interest of supporting multi-realms, 
> it may be preferred to pass the principal name without rewrite to uniquely 
> distinguish users.  This JIRA is to revisit whether Hadoop can support full 
> principal names without rewrite and provide a plugin to override Hadoop's 
> default implementation of auth_to_local for the multi-realm use case.
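
A small model of the auth_to_local rule evaluation this issue discusses, added here as an illustration; it is not Hadoop's code and not part of either attached patch. The rule strings, realm names and principals are constructed. It shows the collision the description mentions (one short name for two people in two realms) and how a pass-through rule behaves under the legacy semantics that reject '@' in a mapped name versus a relaxed setting that accepts it.

```python
import re

# Constructed sample configuration (not from any real cluster): strip the realm
# from single-component principals of a partner realm, then fall back to DEFAULT.
DEFAULT_REALM = "CORP.EXAMPLE"
REALM_STRIPPING_RULES = [
    r"RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE)s/@.*//",
    "DEFAULT",
]
# Constructed rule set that passes the full principal through without rewriting.
PASS_THROUGH_RULES = ["RULE:[1:$1@$0]"]

# RULE:[n:format](match)s/from/to/g  -- match and the s/// part are optional.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?")

def apply_rules(principal, rules, default_realm=DEFAULT_REALM, legacy=True):
    """Simplified model of Hadoop auth_to_local evaluation (not Hadoop's code).

    legacy=True mirrors the default semantics the comment refers to: a mapped
    name containing '@' or '/' is rejected.  legacy=False accepts such names.
    """
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")          # e.g. ["nn", "host.example"]
    for rule in rules:
        result = None
        if rule == "DEFAULT":
            # DEFAULT only maps principals from the cluster's own realm.
            if realm == default_realm:
                result = components[0]
        else:
            m = RULE_RE.fullmatch(rule)
            if m is None:
                raise ValueError(f"malformed rule: {rule}")
            n, fmt, match, frm, to, glob = m.groups()
            if int(n) != len(components):
                continue
            # $0 is the realm, $1..$n are the principal components.
            base = fmt.replace("$0", realm)
            for i, comp in enumerate(components, start=1):
                base = base.replace(f"${i}", comp)
            if match is None or re.fullmatch(match, base):
                result = base if frm is None else re.sub(frm, to, base, count=0 if glob else 1)
        if result is None:
            continue
        if legacy and re.search(r"[@/]", result):
            raise ValueError(f"non-simple name {result!r} rejected under legacy semantics")
        return result
    raise ValueError(f"no auth_to_local rule matched {principal}")

def short_names(rules, legacy=True):
    # Two different people both named alice, one per realm (constructed principals).
    return [apply_rules(p, rules, legacy=legacy)
            for p in ("alice@CORP.EXAMPLE", "alice@PARTNER.EXAMPLE")]
```

With the realm-stripping rules both principals collapse to the single short name "alice"; with the pass-through rule the legacy setting raises, while the relaxed setting keeps the two principals distinct.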



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
