[
https://issues.apache.org/jira/browse/HADOOP-11683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14351116#comment-14351116
]
Kai Zheng commented on HADOOP-11683:
------------------------------------
bq.we already have user-code running in the NN now
The {{UserGroupsMappingProvider}} pluggable interface is a good example, which even
allows querying an external LDAP server to perform user->groups mapping. We might
borrow a similar idea from it for this.
To allow such an interface for the mapping would also allow implementing the
translation rules in a modular approach, even not by user code.
I understand the NameNode concern; yes, it's possible to incur overhead for the NN
if a user-provided plugin does not perform the mapping fast every time. To alleviate
the pain, we could consider supporting a cache of the mapping results in the
framework.
> Need a plugin API to translate long principal names to local OS user names
> arbitrarily
> --------------------------------------------------------------------------------------
>
> Key: HADOOP-11683
> URL: https://issues.apache.org/jira/browse/HADOOP-11683
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Sunny Cheung
>
> We need a plugin API to translate long principal names (e.g.
> [email protected]) to local OS user names (e.g. user123456) arbitrarily.
> For some organizations the name translation is straightforward (e.g.
> [email protected] to john_doe), and the hadoop.security.auth_to_local
> configurable mapping is sufficient to resolve this (see HADOOP-6526).
> However, in some other cases the name translation is arbitrary and cannot be
> generalized by a set of translation rules easily.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
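
Added example, not part of the JIRA thread or of Hadoop's code: a sketch of the framework-side cache suggested in the comment, placed in front of a slow principal-to-local-name plugin. The interface `PrincipalToLocalName` and the class `CachingPrincipalMapper` are hypothetical names; the size bound, the TTL and the choice not to cache unknown principals are assumptions.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.LongSupplier;

/** Hypothetical plugin contract; not an existing Hadoop interface. */
interface PrincipalToLocalName {
    /** Returns the local OS user name, or null when the principal is unknown. */
    String map(String principal) throws Exception;
}

/** Framework-side wrapper: bounded, time-limited cache in front of a slow plugin. */
final class CachingPrincipalMapper implements PrincipalToLocalName {
    private static final class Cached {
        final String localName;
        final long expiresAtMs;
        Cached(String localName, long expiresAtMs) {
            this.localName = localName;
            this.expiresAtMs = expiresAtMs;
        }
    }

    private final PrincipalToLocalName delegate;
    private final long ttlMs;
    private final LongSupplier clockMs;
    private final Map<String, Cached> cache;

    CachingPrincipalMapper(PrincipalToLocalName delegate, int maxEntries,
                           long ttlMs, LongSupplier clockMs) {
        this.delegate = delegate;
        this.ttlMs = ttlMs;
        this.clockMs = clockMs;
        // Access-ordered map evicts the least recently used entry, so a flood of
        // distinct principal names cannot grow the heap without bound.
        this.cache = Collections.synchronizedMap(
            new LinkedHashMap<String, Cached>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, Cached> eldest) {
                    return size() > maxEntries;
                }
            });
    }

    @Override
    public String map(String principal) throws Exception {
        long now = clockMs.getAsLong();
        Cached hit = cache.get(principal);
        if (hit != null && now < hit.expiresAtMs) {
            return hit.localName;
        }
        String local = delegate.map(principal); // slow path, e.g. a directory lookup
        // Cache only successful mappings: unknown principals and plugin errors are
        // re-queried, so a transient failure is never pinned for a full TTL.
        if (local != null) {
            cache.put(principal, new Cached(local, now + ttlMs));
        } else {
            cache.remove(principal);
        }
        return local;
    }
}
```

The TTL is the upper bound on how long a changed or removed mapping keeps resolving to the old local user, so it is a security setting as much as a performance one.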