[ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772375#comment-16772375 ]
Kevin Risden commented on KNOX-1765:
------------------------------------

[~Tagar] - Please email the Knox user mailing list to see if this is something other users have run across. [https://knox.apache.org/mailing-lists.html]

I have never seen this be a requirement across a lot of different environments.

> option to append @realm to usernames
> ------------------------------------
>
>                 Key: KNOX-1765
>                 URL: https://issues.apache.org/jira/browse/KNOX-1765
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.1.0, 1.2.0
>            Reporter: Ruslan Dautkhanov
>            Priority: Critical
>
> We'd like Hadoop to map user names to short names.
>
> For auth_to_local to work, @realm part is mandatory.
>
> For example, Apache Knox if authenticates users using LDAP,
> and then sends requests over to Livy, doesn't append realm.
>
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason on Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548
> as it seems Knox is the right place for this fix (as other endpoints like
> HDFS, Hive access would need similar mappings).
> Hadoop code says opposite - there is an explicit check - if
> realm is empty, auth_to_local rules are not applied
>
> [https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
>
> rules application starts down below on line 383
>
> so it never reaches rules transformations loop if realm is empty.
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
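The behaviour the issue description points at, that a name with no realm is returned before any auth_to_local rule is tried, shown as an added example that is not part of the original message and is not Hadoop's `KerberosName` code. It is a simplified model: the class name `ShortNameDemo`, the single mapping rule and the sample names are constructed for illustration.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Simplified model of the lookup described in the issue; not Hadoop's KerberosName class.
public class ShortNameDemo {
    // primary[/host][@REALM]
    private static final Pattern PRINCIPAL =
        Pattern.compile("([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?");
    // Constructed stand-in for a single auth_to_local rule: one-component
    // principals in EXAMPLE.COM lose the realm and are lower-cased.
    private static final Pattern RULE_MATCH = Pattern.compile(".*@EXAMPLE\\.COM");

    static String shortName(String name) {
        Matcher m = PRINCIPAL.matcher(name);
        if (!m.matches()) {
            throw new IllegalArgumentException("Malformed principal: " + name);
        }
        String primary = m.group(1), host = m.group(2), realm = m.group(3);
        // The check the issue points at: with no host and no realm the name
        // is returned as-is, before any rule is consulted.
        if (host == null && realm == null) {
            return primary;
        }
        if (host == null && RULE_MATCH.matcher(primary + "@" + realm).matches()) {
            return primary.toLowerCase(Locale.ROOT);
        }
        throw new IllegalStateException("No rules applied to " + name);
    }

    public static void main(String[] args) {
        // Constructed inputs: a bare name as forwarded after an LDAP login,
        // the same user with a realm appended, and a realm no rule covers.
        for (String n : new String[] {"Alice", "Alice@EXAMPLE.COM", "Alice@OTHER.ORG"}) {
            try {
                System.out.println(n + " -> " + shortName(n));
            } catch (IllegalStateException e) {
                System.out.println(n + " -> " + e.getMessage());
            }
        }
    }
}
```

Only the second input reaches the rule; the bare name passes through unchanged, which is why rules duplicated on the receiving service have no effect on names that arrive without a realm.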