[
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772402#comment-16772402
]
Ruslan Dautkhanov commented on KNOX-1765:
-----------------------------------------
also pasting my findings I shared in Livy user list and in LIVY-548
{panel}
Hadoop code has an explicit check - if realm is empty, auth_to_local rules are
not applied
[https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
rules application starts down below on line 383
so it never reaches rules transformations loop if realm is empty.
We can argue that this is might be a Hadoop bug, as Kerberos C library
states empty realm is possible
[https://github.com/krb5/krb5/blob/krb5-1.17-final/src/lib/krb5/os/localauth_rule.c#L38]
Although in the same place it says it's can be dangerous -
{quote}which can be *dangerous in multi-realm environments*, but is our
historical behavior{quote}
So we can now say that "bug" is actually a security feature and Hadoop's
auth_to_local
implementation left this "historical behavior" out for a good reason.
I think the only way to enable auth_to_local for proxy authentication like in
Livy case
is to have a config setting in Livy to append a realm, like explained in
https://issues.apache.org/jira/browse/LIVY-548
Thank you,
Ruslan
{panel}
> option to append @realm to usernames
> ------------------------------------
>
> Key: KNOX-1765
> URL: https://issues.apache.org/jira/browse/KNOX-1765
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.1.0, 1.2.0
> Reporter: Ruslan Dautkhanov
> Priority: Critical
>
> We'd like Hadoop to map user names to short names.
>
> For auth_to_local to work, @realm part is mandatory.
>
> For example, Apache Knox if authenticates users using LDAP,
> and then sends requests over to Livy, doesn't append realm.
>
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason on Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548
> as it seems Knox is the right place for this fix (as other endpoints like
> HDFS, Hive access would need similar mappings).
> Hadoop code says opposite - there is an explicit check - if
> realm is empty, auth_to_local rules are not applied
>
> [https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
>
> rules application starts down below on line 383
>
> so it never reaches rules transformations loop if realm is empty.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
