https://issues.apache.org/jira/browse/HADOOP-16023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16811675#comment-16811675

Bolke de Bruin edited comment on HADOOP-16023 at 4/6/19 7:49 PM:
-----------------------------------------------------------------

[~eyang] getting back to this. Yes, that format should be supported; please note
that by default the 'L' parameter is not supported in this case, as normal
Kerberos is not aware of it and it would make the krb5.conf invalid.

I have been thinking about this a little bit more: instead of making this a
rule mechanism we could also make it pick up the rules from /etc/krb5.conf with
the special rule in Hadoop's config of "{SYSTEM}", which should then only be
allowed as the first and last rule. This would make it available to both
mechanisms and be more true to its nature, as it is not really the system's
mechanism that is applied.

UPDATE: Thinking about it a bit more... supporting multiple realms as per your
example is, I think, a new mechanism, as both current mechanisms do not allow for
that. So it would require support for a "system" mechanism.

What are your thoughts?



> Support system /etc/krb5.conf for auth_to_local rules
> -----------------------------------------------------
>
>                 Key: HADOOP-16023
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16023
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Bolke de Bruin
>            Assignee: Bolke de Bruin
>            Priority: Major
>              Labels: security
>
> Hadoop has long maintained its own configuration for Kerberos' auth_to_local 
> rules. To the user this is counter intuitive and increases the complexity of 
> maintaining a secure system as the normal way of configuring these 
> auth_to_local rules is done in the site wide krb5.conf usually /etc/krb5.conf.
> With HADOOP-15996 there is now support for configuring how Hadoop should 
> evaluate auth_to_local rules. A "system" mechanism should be added. 
> It should be investigated how to properly parse krb5.conf. JDK seems to be 
> lacking as it is unable to obtain auth_to_local rules due to a bug in its 
> parser. Apache Kerby has an implementation that could be used. A native (C) 
> version is also a possibility. 
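As an added worked example (not code from Hadoop, MIT Kerberos or Apache Kerby, and not part of this issue): a small Python reader for the auth_to_local lines of a krb5.conf plus an evaluator for the MIT rule grammar, run against a constructed krb5.conf. It consults only the default realm's stanza, as MIT krb5 does, so a principal from another realm is mapped only if a rule in that stanza covers it, which is the multi-realm limitation the comment points at; it refuses Hadoop's trailing /L lowercase flag when a rule is read as a system rule, the caveat raised above; and merge_rules shows one way the proposed "{SYSTEM}" placeholder could be expanded, restricted to first or last position. The sample realms, hosts, principals and rules are invented for the example, and the placement of /L after the closing slash of the sed expression follows the grammar accepted by Hadoop's KerberosName parser.

```python
"""Added example for HADOOP-16023, not Hadoop, MIT krb5 or Kerby code: read the
auth_to_local rules of a krb5.conf and map principals to local names using the
MIT grammar RULE:[n:string](regexp)s/pattern/replacement/g and DEFAULT."""
import re

# Constructed sample krb5.conf; realms, hosts and rules are invented.
SAMPLE_KRB5_CONF = r"""[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        # nn/<host> and sn/<host> run as the hdfs user
        auth_to_local = RULE:[2:$1@$0]([ns]n@EXAMPLE\.COM)s/.*/hdfs/
        # other lower-case service principals keep their first component
        auth_to_local = RULE:[2:$1@$0]([a-z]+@EXAMPLE\.COM)s/@.*//
        # cross-realm users from CORP map to their bare name
        auth_to_local = RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//
        auth_to_local = DEFAULT
    }
"""
# RULE:[n:string](regexp)s/pattern/replacement/g/L as Hadoop's KerberosName
# parser accepts it; MIT krb5 knows everything except the trailing /L.
RULE_RE = re.compile(r'^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\](?:\((?P<regex>[^)]*)\))?'
                     r'(?:s/(?P<pat>[^/]*)/(?P<rep>[^/]*)/(?P<g>g)?)?(?P<lower>/L)?$')

def load_auth_to_local(conf_text):
    """Return (default_realm, auth_to_local lines of the default realm's stanza)."""
    section = realm = default_realm = None
    per_realm = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':            # whole-line comments only
            continue
        if line.startswith('[') and line.endswith(']'):
            section, realm = line[1:-1].lower(), None
            continue
        if line == '}':
            realm = None
            continue
        key, _, value = (part.strip() for part in line.partition('='))
        if section == 'libdefaults' and key == 'default_realm':
            default_realm = value
        elif section == 'realms' and value == '{':
            realm = key
            per_realm.setdefault(realm, [])
        elif section == 'realms' and realm and key == 'auth_to_local':
            per_realm[realm].append(value)
    # like MIT krb5, only the default (local) realm's stanza is consulted
    return default_realm, per_realm.get(default_realm, [])

def parse_rule(text, allow_lowercase=False):
    """Parse one rule; /L is a Hadoop extension and is invalid in krb5.conf."""
    if text == 'DEFAULT':
        return {'default': True}
    m = RULE_RE.match(text)
    if not m:
        raise ValueError('malformed auth_to_local rule: ' + text)
    rule = m.groupdict()
    if rule['lower'] and not allow_lowercase:
        raise ValueError('/L is Hadoop-only and not valid in krb5.conf: ' + text)
    rule['n'] = int(rule['n'])
    return rule

def split_principal(principal, default_realm):
    """'nn/host@EXAMPLE.COM' -> (['nn', 'host'], 'EXAMPLE.COM'); unqualified -> default realm."""
    name, at, realm = principal.rpartition('@')
    if not at:
        name, realm = realm, default_realm
    return name.split('/'), realm

def to_local(rules, principal, default_realm):
    """Apply rules in order; the first that maps wins, None if none does."""
    comps, realm = split_principal(principal, default_realm)

    def component(m):                              # $0 = realm, $1.. = components
        k = int(m.group(1))
        return realm if k == 0 else (comps[k - 1] if k <= len(comps) else '')

    for rule in rules:
        if rule.get('default'):                    # MIT DEFAULT: one component, local realm
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        if rule['n'] != len(comps):
            continue
        s = re.sub(r'\$(\d+)', component, rule['fmt'])
        if rule['regex'] is not None and not re.fullmatch(rule['regex'], s):
            continue                               # regexp must match the whole string
        if rule['pat'] is not None:                # sed-style s///, g = all occurrences
            s = re.sub(rule['pat'], rule['rep'], s, count=0 if rule['g'] else 1)
        return s.lower() if rule['lower'] else s
    return None

def merge_rules(hadoop_rules, system_rules):
    """Expand the proposed "{SYSTEM}" placeholder in hadoop.security.auth_to_local;
    it is accepted only as the first or the last entry."""
    if '{SYSTEM}' in hadoop_rules[1:-1]:
        raise ValueError('{SYSTEM} may only be the first or last rule')
    merged = []
    for r in hadoop_rules:
        merged.extend(system_rules if r == '{SYSTEM}' else [r])
    return merged
```

Typical use is `default_realm, texts = load_auth_to_local(open('/etc/krb5.conf').read())` followed by `to_local([parse_rule(t) for t in texts], principal, default_realm)`. With the sample file, nn/nn1.example.com@EXAMPLE.COM maps to hdfs, alice (unqualified) maps to alice through DEFAULT, bob@CORP.EXAMPLE.COM maps to bob only because the default realm's stanza carries a rule for CORP, and HTTP/web1.example.com@EXAMPLE.COM maps to nothing: the rule that would give it http needs /L, which parse_rule rejects in system mode and honours only with allow_lowercase=True.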



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
