[ 
https://issues.apache.org/jira/browse/LIVY-548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772393#comment-16772393
 ] 

Ruslan Dautkhanov commented on LIVY-548:
----------------------------------------

Pasting here my response from the user mailing list that you may have missed.
 
 
{panel}
Hadoop code has an explicit check: if the realm is empty, auth_to_local rules are not applied.
 
[https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
 
Rule application starts further down, on line 383,
 
so it never reaches the rule transformation loop if the realm is empty.
 
We can argue that this might be a Hadoop bug, as the Kerberos C library states that an empty realm is possible:
 
[https://github.com/krb5/krb5/blob/krb5-1.17-final/src/lib/krb5/os/localauth_rule.c#L38]
 
Although in the same place it says it can be dangerous:
 
{quote}which can be *dangerous in multi-realm environments*, but is our 
historical behavior{quote}
 
So we can now say that the "bug" is actually a security feature, and Hadoop's auth_to_local implementation left this "historical behavior" out for a good reason.
 
I think the only way to enable auth_to_local for proxy authentication, as in Livy's case, is to have a config setting in Livy to append a realm, as explained in
https://issues.apache.org/jira/browse/LIVY-548

 

Thank you,
Ruslan 
 
{panel}
 
 
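The check described in the comment above, as an added example that is not part of this Jira thread and is not Hadoop's or Livy's own code: a simplified Python model of Hadoop's KerberosName short-name mapping. It parses a principal into service/host/realm, returns a bare name untouched before the rules loop is ever entered (the branch the comment points at), and shows how a Livy-side "append @realm" step (the `append_realm` helper, a hypothetical stand-in for the proposed config setting) makes the same rules apply. The rule syntax handled is a subset of Hadoop's (DEFAULT and `RULE:[n:format](regex)s/pattern/replacement/`), and the realm, rule set and user names are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of Hadoop's KerberosName.getShortName() and the auth_to_local
# rule syntax. Written for this example, not Hadoop's or Livy's code; it covers the
# DEFAULT rule and RULE:[n:format](regex)s/pattern/replacement/g forms only.
PRINCIPAL_RE = re.compile(r"([^/@]*)(?:/([^/@]*))?@([^/@]*)")
RULE_RE = re.compile(
    r"RULE:\[(\d):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?"
)


@dataclass
class KerberosName:
    service: str            # first component, e.g. "alice" or "hdfs"
    host: Optional[str]     # second component, present on service principals only
    realm: Optional[str]    # part after '@'; None when the name carries no realm


def parse_principal(principal: str) -> KerberosName:
    m = PRINCIPAL_RE.fullmatch(principal)
    if m:
        return KerberosName(m.group(1), m.group(2), m.group(3))
    if "@" in principal:
        raise ValueError(f"malformed Kerberos name: {principal}")
    # Bare user name as forwarded by a proxy such as Knox: no host, no realm.
    return KerberosName(principal, None, None)


def apply_rule(rule: str, name: KerberosName, default_realm: str) -> Optional[str]:
    """Return the mapped name if `rule` applies to `name`, else None."""
    if rule == "DEFAULT":
        return name.service if name.realm == default_realm else None
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    n, fmt, match, pattern, repl, flag = m.groups()
    components = 1 if name.host is None else 2
    if int(n) != components:
        return None
    # $0 = realm, $1 = first component, $2 = second component.
    base = fmt.replace("$0", name.realm or "").replace("$1", name.service)
    if name.host is not None:
        base = base.replace("$2", name.host)
    if match and not re.fullmatch(match, base):
        return None
    if pattern is None:
        return base
    return re.sub(pattern, repl, base, count=0 if flag == "g" else 1)


def short_name(principal: str, rules: List[str],
               default_realm: str) -> Tuple[str, Optional[str]]:
    """Map a principal to its short name and report which rule fired (None if none was consulted)."""
    name = parse_principal(principal)
    # The explicit check the comment points at: with neither host nor realm the
    # name is returned unchanged and the rules loop below is never entered.
    if name.host is None and name.realm is None:
        return name.service, None
    for rule in rules:
        result = apply_rule(rule, name, default_realm)
        if result is not None:
            return result, rule
    raise LookupError(f"no auth_to_local rule matched {principal}")


def append_realm(user: str, realm: str) -> str:
    """Hypothetical helper standing in for the Livy setting proposed in LIVY-548:
    add '@realm' to names that arrive without one so that the rules are consulted."""
    return user if "@" in user else f"{user}@{realm}"


# Constructed sample configuration (not taken from any real deployment).
DEFAULT_REALM = "EXAMPLE.COM"
RULES = [
    "RULE:[2:$1@$0](hdfs@EXAMPLE\\.COM)s/.*/hdfs/",   # service principals -> fixed account
    "RULE:[1:$1@$0](.*@EXAMPLE\\.COM)s/@.*//",       # users of the realm -> strip the realm
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ["alice", append_realm("alice", DEFAULT_REALM),
              "hdfs/nn01.example.com@EXAMPLE.COM"]:
        print(p, "->", short_name(p, RULES, DEFAULT_REALM))
```

Running it shows "alice" coming back as ("alice", None): the name is passed through without any rule being evaluated, which is the behaviour the issue is about. Only after the realm is appended does the second RULE fire, and a name from another realm that no rule covers is rejected rather than silently mapped, which is the multi-realm protection the krb5 comment alludes to.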

> option to append @realm to usernames
> ------------------------------------
>
>                 Key: LIVY-548
>                 URL: https://issues.apache.org/jira/browse/LIVY-548
>             Project: Livy
>          Issue Type: Improvement
>    Affects Versions: 0.5.0, 0.6.0
>            Reporter: Ruslan Dautkhanov
>            Priority: Critical
>
> We'd like Hadoop to map user names to short names. 
>  
> For auth_to_local to work, the @realm part is mandatory.
>  
> For example, Apache Knox, if it authenticates users using LDAP
> and then sends requests over to Livy, doesn't append the realm.
>  
> Is there a way to append the realm in Livy before it sends
> those requests over to Spark / Hadoop?
>  
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason.
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)