[
https://issues.apache.org/jira/browse/HADOOP-16023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16811960#comment-16811960
]
Eric Yang commented on HADOOP-16023:
------------------------------------
[~bolke] Hadoop only supports lower-case usernames; therefore, MIT Kerberos
auth_to_local will not work fully when there are capital letters in the
principal. I think bridging Hadoop rules and MIT Kerberos rules is a dicey
proposition. I would prefer to keep them separated, and let the admin handle this
in their user database management to reduce unexpected behavior. The majority of
the use cases are covered by the following two options:
1. Microsoft AD and Hadoop both opt in to using case-insensitive usernames. If
FreeIPA is used in the middle to bridge AD and Hadoop, then there is no
friction in parsing multi-realm auth_to_local from krb5.conf.
2. If users created their own FreeIPA server (single realm) with capitalized
usernames but would like to map them to lower-case characters, they can use the
existing Hadoop rules.
The clear distinction may help admins decide which option to use. Thoughts?
Can you also review HADOOP-16214? Your review will be helpful. Thanks.
> Support system /etc/krb5.conf for auth_to_local rules
> -----------------------------------------------------
>
> Key: HADOOP-16023
> URL: https://issues.apache.org/jira/browse/HADOOP-16023
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Bolke de Bruin
> Assignee: Bolke de Bruin
> Priority: Major
> Labels: security
>
> Hadoop has long maintained its own configuration for Kerberos' auth_to_local
> rules. To the user this is counter-intuitive and increases the complexity of
> maintaining a secure system, as the normal way of configuring these
> auth_to_local rules is in the site-wide krb5.conf (usually /etc/krb5.conf).
> With HADOOP-15996 there is now support for configuring how Hadoop should
> evaluate auth_to_local rules. A "system" mechanism should be added.
> It should be investigated how to properly parse krb5.conf. The JDK seems to be
> lacking, as it is unable to obtain auth_to_local rules due to a bug in its
> parser. Apache Kerby has an implementation that could be used. A native (C)
> version is also a possibility.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
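As an added illustration of the rule grammar this issue and the comment above are about (example code written for this page; it is not Hadoop's KerberosName implementation, nor code from the reporter or the commenter), here is a small Python evaluator for Hadoop-style auth_to_local rules. The realm, rule sets and principals are constructed. The "krb5.conf-style" rule set is the same rule written without Hadoop's trailing /L suffix, because MIT krb5's auth_to_local grammar has no lower-casing flag; comparing the two outputs shows the case problem the comment raises. The hadoop/MIT mechanism switch mirrors the behaviour HADOOP-15996 introduced (the hadoop mechanism rejects mapped names that still contain "/" or "@"); the exact parsing here is a simplification.

```python
"""Toy evaluator for Hadoop-style auth_to_local rules (added example, not
Hadoop's own code). Grammar handled:
    RULE:[n:format](regex)s/pattern/replacement/g/L    (all parts after
    the format string optional; /L is Hadoop-only)
    DEFAULT
"""
import re
from typing import List, Optional

DEFAULT_REALM = "EXAMPLE.COM"  # constructed; normally taken from krb5.conf

# Simplified form of the rule syntax Hadoop's KerberosName accepts.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"       # component count and format string
    r"(?:\(([^)]*)\))?"              # optional regex the formatted name must match
    r"(?:s/([^/]*)/([^/]*)/(g)?)?"   # optional sed-style substitution
    r"(/L)?$"                        # optional Hadoop-only lower-casing flag
)
NON_SIMPLE = re.compile(r"[/@]")     # the hadoop mechanism rejects these in results


class NoMatchingRule(Exception):
    pass


def split_principal(principal: str):
    """'hdfs/nn1@EXAMPLE.COM' -> (['hdfs', 'nn1'], 'EXAMPLE.COM')."""
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str, mechanism: str = "hadoop") -> Optional[str]:
    """Apply one rule; return the short name, or None if the rule does not apply."""
    components, realm = split_principal(principal)
    lower = False
    if rule == "DEFAULT":
        # DEFAULT maps principals in the default realm to their first component.
        result = components[0] if realm == DEFAULT_REALM else None
    else:
        m = RULE_RE.fullmatch(rule)
        if not m:
            raise ValueError(f"unparsable rule: {rule!r}")
        n, fmt, match, pat, repl, glob, lower_flag = m.groups()
        if int(n) != len(components):
            return None
        # $0 is the realm, $1..$n are the principal components.
        base = fmt.replace("$0", realm)
        for i, comp in enumerate(components, start=1):
            base = base.replace(f"${i}", comp)
        if match is not None and re.fullmatch(match, base) is None:
            return None
        result = base
        if pat is not None:
            # 'g' replaces every match, otherwise only the first one.
            result = re.sub(pat, repl, base, count=0 if glob else 1)
        lower = lower_flag is not None
    if result is None:
        return None
    if mechanism.lower() == "hadoop" and NON_SIMPLE.search(result):
        raise NoMatchingRule(f"non-simple name {result!r} after rule {rule}")
    return result.lower() if lower else result


def map_principal(rules: List[str], principal: str, mechanism: str = "hadoop") -> str:
    """First matching rule wins, as in Hadoop and MIT krb5."""
    for rule in rules:
        result = apply_rule(rule, principal, mechanism)
        if result is not None:
            return result
    raise NoMatchingRule(f"no rule matched {principal!r}")


def rejects(rules: List[str], principal: str, mechanism: str = "hadoop") -> bool:
    """True if the rule set refuses to map the principal."""
    try:
        map_principal(rules, principal, mechanism)
        return False
    except NoMatchingRule:
        return True


# Constructed rule sets. Note the three slashes in "s/@.*///L": /L follows the
# substitution's closing slash.
HADOOP_RULES = [
    "RULE:[1:$1@$0](.*@CORP\\.EXAMPLE\\.COM)s/@.*///L",  # AD users, lower-cased
    "RULE:[2:$1@$0](hdfs@.*)s/.*/hdfs/",                 # hdfs/<host> -> hdfs
    "DEFAULT",
]
# The same first rule as krb5.conf could carry it: MIT has no /L, so case is kept.
KRB5_CONF_RULES = [
    "RULE:[1:$1@$0](.*@CORP\\.EXAMPLE\\.COM)s/@.*//",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("Alice.Smith@CORP.EXAMPLE.COM", "hdfs/nn1.example.com@EXAMPLE.COM", "bob@EXAMPLE.COM"):
        print(p, "->", map_principal(HADOOP_RULES, p))
    print("krb5.conf-style:", map_principal(KRB5_CONF_RULES, "Alice.Smith@CORP.EXAMPLE.COM"))
```

Running it maps Alice.Smith@CORP.EXAMPLE.COM to alice.smith under the Hadoop rule but to Alice.Smith under the krb5.conf-style rule, which is exactly the mismatch a lower-case-only user database would then trip over; carol@OTHER.COM passed through RULE:[1:$1@$0] is rejected by the hadoop mechanism and accepted by the MIT one.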