[ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772433#comment-16772433 ]

Larry McCay commented on KNOX-1765:
-----------------------------------

I don't believe this is something that we can/should do.

Hadoop auth_to_local rules are distinct from those for C/kerberos and have 
never been part of the doas/impersonation model used by trusted proxies in 
Hadoop.

Just for some more clarity, you are talking about adding an @realm to the doAs 
user? Such that the realm would be the kerberos realm for the Knox instance in 
a secure deployment.

If that is the case, that seems like a pretty unnatural representation of the 
user principal considering that one of the primary reasons to use impersonation 
is to not use kerberos and the user may not be in the kerberos realm/KDC.

Moreover, there are a number of applications/components across the Hadoop 
ecosystem that implement doas/impersonation on their own and there will not be 
consistent support for this change in principal propagation.

This seems like a non-starter to me.

> option to append @realm to usernames
> ------------------------------------
>
>                 Key: KNOX-1765
>                 URL: https://issues.apache.org/jira/browse/KNOX-1765
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.1.0, 1.2.0
>            Reporter: Ruslan Dautkhanov
>            Priority: Critical
>
> We'd like Hadoop to map user names to short names. 
>  
> For auth_to_local to work, @realm part is mandatory. 
>  
> For example, if Apache Knox authenticates users using LDAP 
> and then sends requests over to Livy, it doesn't append the realm. 
>  
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason on Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548
> as it seems Knox is the right place for this fix (as other endpoints like 
> HDFS, Hive access would need similar mappings).
> Hadoop code says the opposite - there is an explicit check - if the 
> realm is empty, auth_to_local rules are not applied
>  
> [https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
>  
> rules application starts down below on line 383
>  
> so it never reaches rules transformations loop if realm is empty. 
>  
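As an added illustration of the KerberosName behaviour the issue links to (this is a simplified Python model written for this page, not Hadoop's or Knox's code), the following reproduces how auth_to_local rules are evaluated and why a bare username never reaches the rule loop; the rule strings, realms and principals are constructed, and Hadoop's extra flags such as the lowercase modifier are not modelled.

```python
import re

# Added model (not Hadoop's or Knox's code) of how Hadoop's KerberosName applies
# hadoop.security.auth_to_local rules. Rule syntax as in Hadoop:
#   DEFAULT | RULE:[n:format](match)s/pattern/replacement/[g]   ($0 realm, $1 name, $2 instance)
_RULE = re.compile(r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?"
                   r"(?:s/([^/]*)/([^/]*)/(g)?)?$")

def parse_principal(principal):  # 'name[/instance][@REALM]' -> (name, instance, realm)
    name_part, _, realm = principal.partition("@")
    name, _, instance = name_part.partition("/")
    return name, instance or None, realm or None

def parse_rules(text):
    rules = []
    for token in text.split():  # Hadoop separates rules by whitespace
        if token == "DEFAULT":
            rules.append(None)
            continue
        m = _RULE.match(token)
        if m is None:
            raise ValueError("bad auth_to_local rule: " + token)
        n, fmt, match, pat, repl, g = m.groups()
        rules.append((int(n), fmt, match, pat, repl, g is not None))
    return rules

def short_name(principal, rules, default_realm):
    name, instance, realm = parse_principal(principal)
    # The check the issue points at: a bare username carries no realm, so
    # the rules are never consulted and the name is returned unchanged.
    if instance is None and realm is None:
        return name
    params = [realm or "", name] + ([instance] if instance else [])
    for rule in rules:
        if rule is None:  # DEFAULT: keep only the primary name, local realm only
            if realm == default_realm:
                return name
            continue
        n, fmt, match, pat, repl, g = rule
        if n != len(params) - 1:  # n counts the components after the realm
            continue
        base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
        if match is not None and re.fullmatch(match, base) is None:
            continue
        result = base if pat is None else re.sub(
            pat, repl.replace("$", "\\"), base, count=0 if g else 1)
        if "@" in result or "/" in result:  # Hadoop rejects non-simple results
            raise ValueError("Non-simple name %r after rule" % result)
        return result
    raise ValueError("No rules applied to " + principal)
```

With a rename rule for the Knox realm in place, `short_name("alice", ...)` still returns `alice` untouched, while `alice@KNOX.EXAMPLE.COM` is rewritten by the rule and `alice@EXAMPLE.COM` falls through to DEFAULT.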



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)