Kerberos principal to user mapping / authorization
--------------------------------------------------

                 Key: ZOOKEEPER-1420
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1420
             Project: ZooKeeper
          Issue Type: Improvement
          Components: server
    Affects Versions: 3.4.0
            Reporter: Thomas Weise


ZOOKEEPER-938 introduces server configuration options to perform a rudimentary 
mapping from Kerberos principal to user name:

kerberos.removeHostFromPrincipal
kerberos.removeRealmFromPrincipal

Those are sufficient to make things work for HBase and other server clusters 
where we cannot include the host name portion in the znode ACL, but it would 
be better to support a more standard approach to perform the mapping with finer 
grained control (i.e. do this only for specific matching principals).

Mapping in Hadoop: 
https://ccp.cloudera.com/display/CDHDOC/Appendix+C+-+Configuring+the+Mapping+from+Kerberos+Principals+to+Short+Names

As an alternative, a matching option at the time of ACL check that can be 
controlled by the process assigning ACLs to znodes could also serve the 
purpose. For example, principals:

user/[email protected]
user/[email protected]

would have access to a znode with ACL set as:

sasl:user/host*@TEST.DOMAIN:cdrwa

This would not require ZK server configuration, but would add more runtime overhead.

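Both approaches sketched in the ticket, as an added example that is not code from the ticket, from ZooKeeper or from Hadoop: a Python reimplementation of a subset of Hadoop's auth_to_local rule syntax (RULE:[n:fmt](regex)s/from/to/ and DEFAULT), which maps a principal to a short name only when the principal matches a rule, beside the ACL-time alternative where the full principal is glob-matched against a `sasl:user/host*@TEST.DOMAIN:cdrwa` entry. DEFAULT_REALM, RULES, the principals and the ACL strings are constructed for the example; the rule engine is a simplified re-implementation, not Hadoop's KerberosName, and ZooKeeper has no glob matching in its SASL ACL scheme.

```python
"""Principal-to-identity mapping: Hadoop-style auth_to_local rules (server-side
config, fine-grained) versus glob matching at ACL-check time (no server config).
Simplified re-implementation for illustration, not Hadoop's or ZooKeeper's code."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple, Union

DEFAULT_REALM = "TEST.DOMAIN"  # constructed for this example


class NoMatchingRule(Exception):
    """Raised when no rule accepts the principal: unknown realms fail closed."""


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """'user/host1@TEST.DOMAIN' -> (['user', 'host1'], 'TEST.DOMAIN')."""
    if "@" not in principal:
        raise ValueError("principal has no realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


@dataclass
class Rule:
    ncomp: int                      # number of name components the rule applies to
    fmt: str                        # e.g. "$1@$0": $0 = realm, $1, $2 = components
    match: Optional[re.Pattern]     # regex the formatted string must fully match
    sed_from: Optional[re.Pattern]  # optional s/from/to/ substitution
    sed_to: str
    sed_global: bool


RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?")


def parse_rule(text: str) -> Union[Rule, str]:
    text = text.strip()
    if text == "DEFAULT":
        return "DEFAULT"
    m = RULE_RE.fullmatch(text)
    if m is None:
        raise ValueError("bad rule: %r" % text)
    ncomp, fmt, regex, sfrom, sto, g = m.groups()
    return Rule(int(ncomp), fmt,
                re.compile(regex) if regex is not None else None,
                re.compile(sfrom) if sfrom is not None else None,
                sto or "", g == "g")


def apply_rule(rule: Rule, components: List[str], realm: str) -> Optional[str]:
    """Return the mapped name, or None when this rule does not apply."""
    if rule.ncomp != len(components):
        return None
    s = rule.fmt.replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        s = s.replace("$%d" % i, comp)
    if rule.match is not None and rule.match.fullmatch(s) is None:
        return None
    if rule.sed_from is not None:
        s = rule.sed_from.sub(rule.sed_to, s, count=0 if rule.sed_global else 1)
    return s


def to_short_name(principal: str, rules: List[str]) -> str:
    """First matching rule wins. DEFAULT keeps only the first component and
    fires only for the default realm, so a foreign realm never maps silently."""
    components, realm = parse_principal(principal)
    for text in rules:
        rule = parse_rule(text)
        if rule == "DEFAULT":
            if realm == DEFAULT_REALM:
                return components[0]
            continue
        out = apply_rule(rule, components, realm)
        if out is not None:
            return out
    raise NoMatchingRule(principal)


def short_name_or_none(principal: str, rules: List[str]) -> Optional[str]:
    try:
        return to_short_name(principal, rules)
    except NoMatchingRule:
        return None


def acl_grants(acl: str, principal: str, perm: str) -> bool:
    """ACL-time alternative: 'sasl:<glob>:<perms>' matched against the full
    principal with shell-style globbing. Caveat: '*' also crosses '/' and '@',
    so a pattern that does not pin the realm matches principals from any realm."""
    scheme, rest = acl.split(":", 1)
    ident, _, perms = rest.rpartition(":")
    if scheme != "sasl" or perm not in perms:
        return False
    return fnmatchcase(principal, ident)


# Constructed rule set: strip host and realm, but only for TEST.DOMAIN principals.
RULES = [r"RULE:[2:$1@$0](.*@TEST\.DOMAIN)s/@.*//", "DEFAULT"]

if __name__ == "__main__":
    for p in ("user/host1@TEST.DOMAIN", "admin@TEST.DOMAIN", "user/host1@OTHER.REALM"):
        print(p, "->", short_name_or_none(p, RULES))
    acl = "sasl:user/host*@TEST.DOMAIN:cdrwa"
    print(acl, "grants w to user/host2@TEST.DOMAIN:",
          acl_grants(acl, "user/host2@TEST.DOMAIN", "w"))
```

The rule-based mapping gives the server operator the selectivity the ticket asks for: only principals whose formatted form matches the rule regex are rewritten, and anything from another realm raises rather than collapsing to a short name that might collide with a local user. The glob alternative needs no server configuration, but the ACL author has to pin the realm in the pattern; `sasl:user/*:cdrwa` would admit `user/anything@ANY.REALM`.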