[ https://issues.apache.org/jira/browse/HADOOP-15996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16729784#comment-16729784 ]

Eric Yang commented on HADOOP-15996:
------------------------------------

[~bolke] Thank you for the patch.  0005 seems to work correctly with the toggle 
flag to switch between the two modes.  It would be good to name the patch filename 
as defined in the [contribution 
guideline|https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute#HowToContribute-Namingyourpatch].
  This will ensure the pre-commit test is testing the latest patch correctly.

I don't have a problem with the current approach instead of the plugin interface 
suggested on the security mailing list.  However, I will let others comment if 
additional refinement is required before we commit.  Thank you.


> Plugin interface to support more complex usernames in Hadoop
> ------------------------------------------------------------
>
>                 Key: HADOOP-15996
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15996
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Bolke de Bruin
>            Priority: Major
>         Attachments: 0001-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0001-Make-allowing-or-configurable.patch, 
> 0001-Simple-trial-of-using-krb5.conf-for-auth_to_local-ru.patch, 
> 0002-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0003-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0004-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0005-HADOOP-15996-Make-auth-to-local-configurable.patch
>
>
> Hadoop does not allow support of the @ character in usernames in the recent 
> security mailing list vote to revert HADOOP-12751.  A Hadoop auth_to_local rule 
> must match to authorize a user to log in to a Hadoop cluster.  This design does 
> not work well in a multi-realm environment where identical usernames between two 
> realms do not map to the same user.  There is also the possibility that a lossy 
> regex can incorrectly map users.  In the interest of supporting multi-realms, 
> it may be preferred to pass the principal name without rewrite to uniquely 
> distinguish users.  This jira is to revisit if Hadoop can support full 
> principal names without rewrite and provide a plugin to override Hadoop's 
> default implementation of auth_to_local for the multi-realm use case.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
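
Added example, not part of the original message or of Hadoop's code: a simplified Python model of an auth_to_local rule that maps a set of principals and reports short names shared across realms, the lossy mapping the issue description refers to. It covers only the RULE:[n:format](match)s/pattern/replacement/ form; the realms, principals and rule sets are constructed for illustration.

```python
import re
from collections import defaultdict

# Simplified rule shape (assumption): RULE:[n:format](match)s/pattern/replacement/[g]
RULE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g)?)?")

def apply_rule(rule, principal):
    """Return the mapped name, or None when the rule does not apply."""
    m = RULE.fullmatch(rule)
    if m is None:
        raise ValueError(f"unsupported rule: {rule}")
    n, fmt, match, pat, repl, glob = m.groups()
    name, _, realm = principal.rpartition("@")
    parts = [realm] + name.split("/")        # $0 = realm, $1.. = name components
    if len(parts) - 1 != int(n):             # rule is for a different component count
        return None
    base = re.sub(r"\$(\d)", lambda g: parts[int(g.group(1))], fmt)
    if match is not None and not re.fullmatch(match, base):
        return None
    if pat is None:                          # no sed part: keep the formatted string
        return base
    return re.sub(pat, lambda _m: repl, base, count=0 if glob else 1)

def map_principal(rules, principal):
    """First applicable rule wins; None means no rule matched."""
    for rule in rules:
        out = apply_rule(rule, principal)
        if out is not None:
            return out
    return None

def find_collisions(rules, principals):
    """Mapped names that principals from more than one realm share."""
    seen = defaultdict(set)
    for p in principals:
        out = map_principal(rules, p)
        if out is not None:
            seen[out].add(p)
    return {k: sorted(v) for k, v in seen.items()
            if len({x.rpartition("@")[2] for x in v}) > 1}

# Constructed sample data
PRINCIPALS = ["alice@CORP.EXAMPLE", "alice@PARTNER.EXAMPLE", "bob@CORP.EXAMPLE"]
LOSSY = ["RULE:[1:$1@$0](.*@.*)s/@.*//"]     # strips the realm from every principal
KEEP_REALM = ["RULE:[1:$1@$0](.*@.*)"]       # passes the full principal through

if __name__ == "__main__":
    print("lossy:", find_collisions(LOSSY, PRINCIPALS))
    print("keep realm:", find_collisions(KEEP_REALM, PRINCIPALS))
```

The realm-preserving rule set avoids the collision only because its output still contains the @ character, which is the username form this issue asks Hadoop to accept.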
