[
https://issues.apache.org/jira/browse/HADOOP-18573?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Steve Loughran updated HADOOP-18573:
------------------------------------
Description:
The kerberos RFC does not declare any restriction on
characters used in kerberos names, though
implementations MAY be more restrictive.
If the kerberos controller supports the use of non-conventional
user names *and the kerberos admin chooses to use them*
this can confuse some of the parsing.
The obvious solution is for the enterprise admins to "not do that"
as a lot of things break, bits of hadoop included.
Harden the hadoop code slightly so at least we fail more gracefully,
so people can then get in touch with their sysadmin and tell them
to stop it.
Note: given the kerberos admin is implicitly a superuser, being
able to create malformed principal names
doesn't give them any privileges, just offers a different way
to stop the cluster working.
was:
The kerberos RFC does not declare any restriction on
characters used in kerberos names, though
implementations MAY be more restrictive.
If the kerberos controller supports the use of non-conventional
user names *and the kerberos admin chooses to use them*
this can confuse some of the parsing.
The obvious solution is for the enterprise admins to "not do that"
as a lot of things break, bits of hadoop included.
Harden the hadoop code slightly so at least we fail more gracefully,
so people can then get in touch with their sysadmin and tell them
to stop it.
Note: given the kerberos admin is implicitly a superuser being able to
doesn't give them any privileges, just offers a different way
to stop the cluster working.
> Improve error reporting on non-standard kerberos names
> ------------------------------------------------------
>
> Key: HADOOP-18573
> URL: https://issues.apache.org/jira/browse/HADOOP-18573
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.3.4
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Blocker
> Labels: pull-request-available
>
> The kerberos RFC does not declare any restriction on
> characters used in kerberos names, though
> implementations MAY be more restrictive.
> If the kerberos controller supports the use of non-conventional
> user names *and the kerberos admin chooses to use them*
> this can confuse some of the parsing.
> The obvious solution is for the enterprise admins to "not do that"
> as a lot of things break, bits of hadoop included.
> Harden the hadoop code slightly so at least we fail more gracefully,
> so people can then get in touch with their sysadmin and tell them
> to stop it.
> Note: given the kerberos admin is implicitly a superuser, being
> able to create malformed principal names
> doesn't give them any privileges, just offers a different way
> to stop the cluster working.