[jira] [Commented] (HADOOP-16023) Support system /etc/krb5.conf for auth_to_local rules

Mon, 08 Apr 2019 08:15:22 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-16023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812494#comment-16812494
 ] 

Daryn Sharp commented on HADOOP-16023:
--------------------------------------

{quote}It would really help if you can explain a use case when you would want 
to have two different remaps for the same realm?{quote}
Our krb5.conf auth_to_local rules never match the hadoop rules.  The re-writes 
of principals that apply to the hdfs namespace or yarn service users are 
orthogonal to the system's users.  

{quote}supporting multiple realms as per your example is I think a new 
mechanism, as both current mechanisms do not allow for that. So it would 
require a "system" mechanism support.{quote}
It's not new.  We have always used multiple realms in multiple environments.



> Support system /etc/krb5.conf for auth_to_local rules
> -----------------------------------------------------
>
>                 Key: HADOOP-16023
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16023
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Bolke de Bruin
>            Assignee: Bolke de Bruin
>            Priority: Major
>              Labels: security
>
> Hadoop has long maintained its own configuration for Kerberos' auth_to_local 
> rules. To the user this is counter intuitive and increases the complexity of 
> maintaining a secure system as the normal way of configuring these 
> auth_to_local rules is done in the site wide krb5.conf usually /etc/krb5.conf.
> With HADOOP-15996 there is now support for configuring how Hadoop should 
> evaluate auth_to_local rules. A "system" mechanism should be added. 
> It should be investigated how to properly parse krb5.conf. JDK seems to be 
> lacking as it is unable to obtain auth_to_local rules due to a bug in its 
> parser. Apache Kerby has an implementation that could be used. A native (C) 
> version is also a possibility. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to