[ https://issues.apache.org/jira/browse/HADOOP-16023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812596#comment-16812596 ]
Eric Yang commented on HADOOP-16023:
------------------------------------
{quote}Our krb5.conf auth_to_local rules never match the hadoop rules. The
re-writes of principals that apply to the hdfs namespace or yarn service users
are orthogonal to the system's users.{quote}
Do you configure container-executor for your Hadoop jobs? If you do, and
system auth_to_local is different from Hadoop's auth_to_local, you can have
username conflicts at the system level. Whether this is on purpose or not
depends on your environment. The options are not being taken away as long as
we don't bridge system and Hadoop rules to hide the unique behavior that Hadoop
rules can convert upper case username to lower case.
> Support system /etc/krb5.conf for auth_to_local rules
> -----------------------------------------------------
>
> Key: HADOOP-16023
> URL: https://issues.apache.org/jira/browse/HADOOP-16023
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Bolke de Bruin
> Assignee: Bolke de Bruin
> Priority: Major
> Labels: security
>
> Hadoop has long maintained its own configuration for Kerberos' auth_to_local
> rules. To the user this is counterintuitive and increases the complexity of
> maintaining a secure system, as the normal way of configuring these
> auth_to_local rules is done in the site-wide krb5.conf, usually /etc/krb5.conf.
> With HADOOP-15996 there is now support for configuring how Hadoop should
> evaluate auth_to_local rules. A "system" mechanism should be added.
> It should be investigated how to properly parse krb5.conf. JDK seems to be
> lacking as it is unable to obtain auth_to_local rules due to a bug in its
> parser. Apache Kerby has an implementation that could be used. A native (C)
> version is also a possibility.
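
Added example (not part of the JIRA comment or of Hadoop's code): a simplified Python model of auth_to_local RULE evaluation that maps the same principals under a Hadoop rule set using the /L lowercase flag and under a system rule set without it, and reports the principals whose local user name differs. The rules, principals and function names are constructed for illustration; DEFAULT rules are not modeled.

```python
import re

# Simplified model of "RULE:[n:fmt](regex)s/pat/repl/[g][/L]" lines.
# DEFAULT entries and rules without an s/// part are not handled here.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/([^/]*)/([^/]*)/(g)?(/L)?$")

def map_principal(rules, principal):
    """Return the local user name from the first matching rule, or None."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    for rule in rules:
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unsupported rule: " + rule)
        n, fmt, match_re, pat, repl, glob, lower = m.groups()
        if len(components) != int(n):
            continue
        parts = [realm] + components          # $0 = realm, $1.. = components
        candidate = re.sub(r"\$(\d)", lambda g: parts[int(g.group(1))], fmt)
        if not re.fullmatch(match_re, candidate):
            continue
        local = re.sub(pat, repl, candidate, count=0 if glob else 1)
        return local.lower() if lower else local
    return None

def find_divergence(hadoop_rules, system_rules, principals):
    """Map each principal under both rule sets; report the ones that differ."""
    diverging = {}
    for p in principals:
        h, s = map_principal(hadoop_rules, p), map_principal(system_rules, p)
        if h != s:
            diverging[p] = (h, s)
    return diverging

# Constructed sample rules and principals (not taken from the issue).
HADOOP_RULES = [r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*///L"]
SYSTEM_RULES = [r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//"]
PRINCIPALS = ["Alice@EXAMPLE.COM", "bob@EXAMPLE.COM", "hdfs/nn1@EXAMPLE.COM"]

if __name__ == "__main__":
    for principal, (h, s) in find_divergence(
            HADOOP_RULES, SYSTEM_RULES, PRINCIPALS).items():
        print(f"{principal}: hadoop={h!r} system={s!r}")
```

Any principal reported here would run under one account name inside Hadoop and resolve to a different one at the operating-system level, which is the conflict the comment describes for container-executor setups.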