[jira] [Commented] (HADOOP-16214) Kerberos name implementation in Hadoop does not accept principals with more than two components

Wed, 27 Mar 2019 09:31:39 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16803018#comment-16803018
 ] 

Erik Krogen commented on HADOOP-16214:
--------------------------------------

I see some discussion of Hadoop's handling of Kerberos names containing slashes 
in HADOOP-12751 (starting 
[here|https://issues.apache.org/jira/browse/HADOOP-12751?focusedCommentId=15124818&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15124818]).
 It looks like eventually it was decided that it makes sense to allow Kerberos 
identities which contain slashes in a way that don't confirm with Hadoop's 
normal expectation of {{user/host@realm}} (see 
[this|https://issues.apache.org/jira/browse/HADOOP-12751?focusedCommentId=15239016&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15239016]).
 So it seems to me that it would be worthwhile to fix this issue.

Ping [~templedf], [~steve_l], [~daryn] who have been involved in previous 
efforts in this area.

> Kerberos name implementation in Hadoop does not accept principals with more 
> than two components
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of 
> converting a Kerberos principal to a user name in Hadoop for all of the 
> services requiring authentication.
> Although the Kerberos spec 
> ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html])
>  allows for an arbitrary number of components in the principal, the Hadoop 
> implementation will throw a "Malformed Kerberos name:" error if the principal 
> has more than two components (because the regex can only read serviceName and 
> hostName).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to