[ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772396#comment-16772396 ]

Ruslan Dautkhanov commented on KNOX-1765:
-----------------------------------------

Thanks Kevin.

Sure, I will post it in Knox user email list. 

Although I am pretty sure there is no workaround for this, unfortunately.

This has also been discussed with IBM developers of their Data Science Experience product that we're using. DSX has Knox bundled in. That's where we're running into this issue.
This is the internal IBM issue for this -
[https://github.ibm.com/PrivateCloud/dsx-integration/issues/1381]

Neither IBM Support nor Development teams have a good solution for this.

Cloudera support doesn't ship / support Knox so we're on our own for this issue and that's why I opened this issue.

[~jesus.alv] from IBM can probably chime in here too.

 

> option to append @realm to usernames
> ------------------------------------
>
>                 Key: KNOX-1765
>                 URL: https://issues.apache.org/jira/browse/KNOX-1765
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.1.0, 1.2.0
>            Reporter: Ruslan Dautkhanov
>            Priority: Critical
>
> We'd like Hadoop to map user names to short names. 
>  
> For auth_to_local to work, @realm part is mandatory. 
>  
> For example, if Apache Knox authenticates users using LDAP
> and then sends requests over to Livy, it doesn't append the realm.
>  
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason on Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548
> as it seems Knox is the right place for this fix (as other endpoints like 
> HDFS, Hive access would need similar mappings).
> Hadoop code says the opposite - there is an explicit check - if
> realm is empty, auth_to_local rules are not applied
>  
> [https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
>  
> rules application starts down below on line 383
>  
> so it never reaches rules transformations loop if realm is empty. 
>  



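The check described in the issue, as an added example that is not part of the original message and is not Hadoop or Knox code: a simplified Python model of the short-name flow in Hadoop's `KerberosName`, showing that a name without `@realm` is returned before any `auth_to_local` rule runs. The rule strings, realm names and function names below are constructed for illustration, and only `DEFAULT` and basic `RULE:[n:fmt](match)s/from/to/` rules are modelled.

```python
import re

# Simplified model of Hadoop's auth_to_local flow (KerberosName.getShortName).
# Assumption: supports only DEFAULT and RULE:[n:fmt](match)s/from/to/g? rules.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?")

# Constructed sample realm and rules (not taken from the issue).
DEFAULT_REALM = "EXAMPLE.COM"
RULES = [
    r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@CORP\.EXAMPLE\.COM/_corp/",
    "DEFAULT",
]

def apply_rule(rule, params, default_realm):
    """params is [realm, name] or [realm, name, host]; None means no match."""
    if rule == "DEFAULT":
        return params[1] if params[0] == default_realm else None
    num, fmt, match, frm, to, repeat = RULE_RE.fullmatch(rule).groups()
    if int(num) != len(params) - 1:
        return None  # rule is for a different number of name components
    # Expand $0 (realm), $1 (name), $2 (host) in the rule's format string.
    base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
    if match and not re.fullmatch(match, base):
        return None
    if frm is None:
        return base
    return re.sub(frm, to, base, count=0 if repeat else 1)

def short_name(principal, rules=RULES, default_realm=DEFAULT_REALM):
    if "@" not in principal:
        # No realm: returned unchanged, the rule loop below is never reached.
        return principal
    name, realm = principal.split("@", 1)
    params = [realm] + name.split("/", 1)
    for rule in rules:
        result = apply_rule(rule, params, default_realm)
        if result is not None:
            return result
    raise LookupError("No rules applied to " + principal)

if __name__ == "__main__":
    for p in ("jdoe@CORP.EXAMPLE.COM", "jdoe", "alice@EXAMPLE.COM"):
        print(f"{p!r} -> {short_name(p)!r}")
```

With these sample rules the same user resolves to two different short names depending on whether the gateway forwarded the realm, which is the mismatch to look for when authorization downstream is keyed on the short name.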