[
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772375#comment-16772375
]
Kevin Risden commented on KNOX-1765:
------------------------------------
[~Tagar] - Please email the Knox user mailing list to see if this is something
other users have run across. [https://knox.apache.org/mailing-lists.html]
I have never seen this be a requirement across a lot of different environments.
> option to append @realm to usernames
> ------------------------------------
>
> Key: KNOX-1765
> URL: https://issues.apache.org/jira/browse/KNOX-1765
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.1.0, 1.2.0
> Reporter: Ruslan Dautkhanov
> Priority: Critical
>
> We'd like Hadoop to map user names to short names.
>
> For auth_to_local to work, @realm part is mandatory.
>
> For example, Apache Knox if authenticates users using LDAP,
> and then sends requests over to Livy, doesn't append realm.
>
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason on Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548
> as it seems Knox is the right place for this fix (as other endpoints like
> HDFS, Hive access would need similar mappings).
> Hadoop code says opposite - there is an explicit check - if
> realm is empty, auth_to_local rules are not applied
>
> [https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
>
> rules application starts down below on line 383
>
> so it never reaches rules transformations loop if realm is empty.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
