[jira] [Commented] (HADOOP-15996) Plugin interface to support more complex usernames in Hadoop

Sat, 22 Dec 2018 23:45:11 -0800 


    [ 
https://issues.apache.org/jira/browse/HADOOP-15996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16727824#comment-16727824
 ] 

Bolke de Bruin commented on HADOOP-15996:
-----------------------------------------

[~eyang] thanks for the stack trace. I'm trying to setup my own full testing 
env, but currently being on a low bandwidth connection makes this a bit 
challenge.

Still this remains suspicious: KerberosName (and HadoopKerberosName) start out 
with "null" rules. Obviously, in your  environment these get set somewhere. 
This either happens by UserGroupInformation.setConfiguration, 
HadoopKerberosName.setConfiguration or (Hadoop)KerberosName.setRules . There is 
no other way as there is no explicit mapping from 
"hadoop.security.auth_to_local" to "kerberos.name.rules" otherwise.

I'll look into your suggestion in the meantime.

 

> Plugin interface to support more complex usernames in Hadoop
> ------------------------------------------------------------
>
>                 Key: HADOOP-15996
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15996
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Bolke de Bruin
>            Priority: Major
>         Attachments: 0001-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0001-Simple-trial-of-using-krb5.conf-for-auth_to_local-ru.patch, 
> 0002-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0003-HADOOP-15996-Make-auth-to-local-configurable.patch
>
>
> Hadoop does not allow support of @ character in username in recent security 
> mailing list vote to revert HADOOP-12751.  Hadoop auth_to_local rule must 
> match to authorize user to login to Hadoop cluster.  This design does not 
> work well in multi-realm environment where identical username between two 
> realms do not map to the same user.  There is also possibility that lossy 
> regex can incorrectly map users.  In the interest of supporting multi-realms, 
> it maybe preferred to pass principal name without rewrite to uniquely 
> distinguish users.  This jira is to revisit if Hadoop can support full 
> principal names without rewrite and provide a plugin to override Hadoop's 
> default implementation of auth_to_local for multi-realm use case.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to