[
https://issues.apache.org/jira/browse/HADOOP-11683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14350066#comment-14350066
]
Sunny Cheung commented on HADOOP-11683:
---------------------------------------
Our problem is that normal user principal names can be very different from
their Unix login. Some customers simply have arbitrary mapping between their
Kerberos principals and Unix user accounts. For example, one customer has over
200K users on AD with Kerberos principals in format "<first name>.<last
name>@REALM" (e.g. [email protected]). But their Unix names are in format
"user<ID>" or just "<ID>" (e.g. user123456, 123456).
So, when Kerberos security is enabled on Hadoop clusters, how should we
configure to authenticate these users from Hadoop clients?
The current way is to use the hadoop.security.auth_to_local setting, e.g. from
core-site.xml:
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
DEFAULT</value>
<description>The mapping from kerberos principal names
to local OS user names.</description> </property>
These name translation rules can handle cases like mapping service accounts'
principals (e.g. nn/<host>@REALM or dn/<host>@REALM to hdfs). But that is not
scalable for normal users. There are just too many users to handle (as compared
to the finite amount of service accounts).
Therefore, we would like to ask if alternative name resolution plugin interface
can be supported by Hadoop. It could be similar to the way alternative
authentication plugin is supported for HTTP web-consoles [1]:
<property>
<name>hadoop.http.authentication.type</name>
<value>org.my.subclass.of.AltKerberosAuthenticationHandler</value>
</property>
And the plugin interface can be as simple as this function (error handling
ignored here):
String auth_to_local (String krb5Principal) {
...
return unixName;
}
If this plugin interface is supported by Hadoop, then everyone can provide a
plugin to support arbitrary mapping. This will be extremely useful when
administrators need to tighten security on Hadoop with existing Kerberos
infrastructure.
References:
[1] Authentication for Hadoop HTTP web-consoles
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/HttpAuthentication.html
> Need a plugin API to translate long principal names to local OS user names
> arbitrarily
> --------------------------------------------------------------------------------------
>
> Key: HADOOP-11683
> URL: https://issues.apache.org/jira/browse/HADOOP-11683
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Sunny Cheung
>
> We need a plugin API to translate long principal names (e.g.
> [email protected]) to local OS user names (e.g. user123456) arbitrarily.
> For some organizations the name translation is straightforward (e.g.
> [email protected] to john_doe), and the hadoop.security.auth_to_local
> configurable mapping is sufficient to resolve this (see HADOOP-6526).
> However, in some other cases the name translation is arbitrary and cannot be
> generalized by a set of translation rules easily.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
