[ 
https://issues.apache.org/jira/browse/HADOOP-16023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16737461#comment-16737461
 ] 

Bolke de Bruin commented on HADOOP-16023:
-----------------------------------------

[~daryn] I understand that. Obviously, if it is configured as "system" or 
"native" with documentation that it just does that it would be on purpose. It 
would really help if you can explain a use case when you would want to have two 
different remaps for the same realm? From my perspective it is currently a 
maintenance burden to maintain two sets of auth_to_local rules that are the 
same, but also have their different quirks when they are evaluated. ACL type of 
checks should really be handled at a different layer imho. In any case if you 
want such behavior you now can with the "hadoop" and "mit" mechanisms.

[~eyang] is that really a concern? JNA is already used within Apache Cassandra 
and Apache Druid (incubating), so I assume the risk is already taken by the ASF 
(if any). Anyways, I'll try to make it work and let's see how it behaves. Using 
the parsers of Kerby or the JDK (after they are fixed) is always a possibility.

> Support system /etc/krb5.conf for auth_to_local rules
> -----------------------------------------------------
>
>                 Key: HADOOP-16023
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16023
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Bolke de Bruin
>            Assignee: Bolke de Bruin
>            Priority: Major
>              Labels: security
>
> Hadoop has long maintained its own configuration for Kerberos' auth_to_local 
> rules. To the user this is counterintuitive and increases the complexity of 
> maintaining a secure system as the normal way of configuring these 
> auth_to_local rules is done in the site wide krb5.conf usually /etc/krb5.conf.
> With HADOOP-15996 there is now support for configuring how Hadoop should 
> evaluate auth_to_local rules. A "system" mechanism should be added. 
> It should be investigated how to properly parse krb5.conf. JDK seems to be 
> lacking as it is unable to obtain auth_to_local rules due to a bug in its 
> parser. Apache Kerby has an implementation that could be used. A native (C) 
> version is also a possibility. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
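The thread turns on how auth_to_local rules read from krb5.conf are parsed and then evaluated against a principal. The following is an added worked example written for this page; it is not Hadoop, Kerby or JDK code. It reads the `auth_to_local` lines for one realm out of a constructed krb5.conf fragment, parses each `RULE:[n:string](regexp)s/pattern/replacement/g` or `DEFAULT` entry, and maps principals in rule order with MIT semantics. The `mechanism="hadoop"` flag is an assumption that models only one documented difference between the two evaluators, namely Hadoop's refusal of a mapped name that still contains `@` or `/`; other differences between the implementations are not modelled, and regexps are evaluated with Python's `re` rather than POSIX regex. The sample realm, hosts and rules are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed krb5.conf fragment for this example (not a real site config).
SAMPLE_KRB5_CONF = r"""
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        # NameNode and JournalNode service principals run as the hdfs user
        auth_to_local = RULE:[2:$1@$0](nn@EXAMPLE\.COM)s/.*/hdfs/
        auth_to_local = RULE:[2:$1@$0](jn@EXAMPLE\.COM)s/.*/hdfs/
        # partner realm: keep a realm tag in the local name (not a simple name)
        auth_to_local = RULE:[1:$1@$0](.*@PARTNER\.ORG)s/@PARTNER\.ORG/@partner/
        auth_to_local = DEFAULT
    }
"""


class NoMatchingRule(Exception):
    """No rule maps the principal, or (hadoop mechanism) the result is not simple."""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal reader for the krb5.conf profile format: '[section]' headers,
    repeatable 'key = value' lines collected into lists, and nested
    'key = { ... }' blocks. Includes and other extensions are not handled."""
    sections: Dict[str, dict] = {}
    stack: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if not stack:
            continue                      # value outside any section: ignore
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


# RULE:[n:format](regexp)s/pattern/replacement/[g]; regexp and s/// are optional.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"       # [n:$1@$0] component count and format
    r"(?:\(([^)]*)\))?"               # optional regexp the formatted name must match
    r"(?:s/([^/]*)/([^/]*)/(g)?)?$"   # optional sed-style substitution
)


@dataclass
class Rule:
    text: str
    is_default: bool = False
    num_components: int = 0
    fmt: str = ""
    match: Optional[re.Pattern] = None
    from_pat: Optional[re.Pattern] = None
    to: str = ""
    repeat: bool = False


def parse_rule(text: str) -> Rule:
    if text == "DEFAULT":
        return Rule(text=text, is_default=True)
    m = RULE_RE.match(text)
    if m is None:
        raise ValueError(f"malformed auth_to_local rule: {text!r}")
    n, fmt, regexp, from_pat, to, g = m.groups()
    return Rule(text=text, num_components=int(n), fmt=fmt,
                match=re.compile(regexp) if regexp is not None else None,
                from_pat=re.compile(from_pat) if from_pat is not None else None,
                to=to or "", repeat=bool(g))


def load_auth_to_local(conf_text: str, realm: str) -> Tuple[List[Rule], str]:
    """Return (rules for `realm`, default_realm); MIT falls back to DEFAULT alone."""
    conf = parse_krb5_conf(conf_text)
    default_realm = conf.get("libdefaults", {}).get("default_realm", [realm])[0]
    texts = conf.get("realms", {}).get(realm, {}).get("auth_to_local", []) or ["DEFAULT"]
    return [parse_rule(t) for t in texts], default_realm


def split_principal(principal: str, default_realm: str) -> Tuple[List[str], str]:
    name, sep, realm = principal.rpartition("@")
    if not sep:                           # no realm given: assume the default realm
        name, realm = principal, default_realm
    return name.split("/"), realm


def apply_rule(rule: Rule, components: List[str], realm: str,
               default_realm: str, mechanism: str) -> Optional[str]:
    if rule.is_default:
        # MIT DEFAULT: single-component principal in the default realm only
        return components[0] if realm == default_realm and len(components) == 1 else None
    if len(components) != rule.num_components:
        return None

    def expand(m: re.Match) -> str:       # $0 is the realm, $1..$n the components
        i = int(m.group(1))
        if i > len(components):
            raise ValueError(f"${i} out of range in rule {rule.text!r}")
        return realm if i == 0 else components[i - 1]

    name = re.sub(r"\$(\d+)", expand, rule.fmt)
    if rule.match is not None and rule.match.fullmatch(name) is None:
        return None                       # regexp did not match: try the next rule
    if rule.from_pat is not None:
        name = rule.from_pat.sub(rule.to, name, count=0 if rule.repeat else 1)
    # Assumption: models Hadoop's documented "simple name" restriction only.
    if mechanism == "hadoop" and re.search(r"[@/]", name):
        raise NoMatchingRule(f"non-simple name {name!r} after rule {rule.text!r}")
    return name


RULES, DEFAULT_REALM = load_auth_to_local(SAMPLE_KRB5_CONF, "EXAMPLE.COM")


def short_name(principal: str, mechanism: str = "mit") -> str:
    components, realm = split_principal(principal, DEFAULT_REALM)
    for rule in RULES:                    # first rule that yields a name wins
        name = apply_rule(rule, components, realm, DEFAULT_REALM, mechanism)
        if name is not None:
            return name
    raise NoMatchingRule(f"no auth_to_local rule matches {principal!r}")


def short_name_or_none(principal: str, mechanism: str = "mit") -> Optional[str]:
    try:
        return short_name(principal, mechanism)
    except NoMatchingRule:
        return None


if __name__ == "__main__":
    for p in ["nn/nn1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM",
              "alice@PARTNER.ORG", "bob/admin@EXAMPLE.COM"]:
        for mech in ("mit", "hadoop"):
            print(f"{p:34} {mech:7} -> {short_name_or_none(p, mech)}")
```

The `alice@PARTNER.ORG` case is the one to watch when a single rule set is shared: the same rule yields `alice@partner` under MIT semantics and is rejected as a non-simple name under the modelled Hadoop check, so an ACL written against one evaluator's output does not necessarily hold under the other.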
