[jira] [Commented] (HADOOP-14229) hadoop.security.auth_to_local example is incorrect in the documentation
[ https://issues.apache.org/jira/browse/HADOOP-14229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16261851#comment-16261851 ] Bharat Viswanadham commented on HADOOP-14229: - Can this jira be backported to branch-2 also, as the same issue exists in 2.x releases also. > hadoop.security.auth_to_local example is incorrect in the documentation > --- > > Key: HADOOP-14229 > URL: https://issues.apache.org/jira/browse/HADOOP-14229 > Project: Hadoop Common > Issue Type: Bug >Reporter: Andras Bokor >Assignee: Andras Bokor > Fix For: 3.0.0-beta1 > > Attachments: HADOOP-14229.01.patch, HADOOP-14229.02.patch, > HADOOP-14229.03.patch > > > Let's see jhs as example: > {code}RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/{code} > That means principal has 2 components (jhs/myhost@REALM). > The second column converts this to jhs@REALM. So the regex will not match on > this since regex expects / in the principal. > My suggestion is > {code}RULE:[2:$1](jhs)s/.*/mapred/{code} > https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14229) hadoop.security.auth_to_local example is incorrect in the documentation
[ https://issues.apache.org/jira/browse/HADOOP-14229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16105535#comment-16105535 ] Andras Bokor commented on HADOOP-14229: --- Thanks [~raviprak]! > hadoop.security.auth_to_local example is incorrect in the documentation > --- > > Key: HADOOP-14229 > URL: https://issues.apache.org/jira/browse/HADOOP-14229 > Project: Hadoop Common > Issue Type: Bug >Reporter: Andras Bokor >Assignee: Andras Bokor > Fix For: 3.0.0-beta1 > > Attachments: HADOOP-14229.01.patch, HADOOP-14229.02.patch, > HADOOP-14229.03.patch > > > Let's see jhs as example: > {code}RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/{code} > That means principal has 2 components (jhs/myhost@REALM). > The second column converts this to jhs@REALM. So the regex will not match on > this since regex expects / in the principal. > My suggestion is > {code}RULE:[2:$1](jhs)s/.*/mapred/{code} > https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14229) hadoop.security.auth_to_local example is incorrect in the documentation
[ https://issues.apache.org/jira/browse/HADOOP-14229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16105522#comment-16105522 ] Hudson commented on HADOOP-14229: - SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #12070 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/12070/]) HADOOP-14229. hadoop.security.auth_to_local example is incorrect in the (raviprak: rev 746189ad8cdf90ab35baec9364b2e02956a1e70c) * (edit) hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md > hadoop.security.auth_to_local example is incorrect in the documentation > --- > > Key: HADOOP-14229 > URL: https://issues.apache.org/jira/browse/HADOOP-14229 > Project: Hadoop Common > Issue Type: Bug >Reporter: Andras Bokor >Assignee: Andras Bokor > Fix For: 3.0.0-beta1 > > Attachments: HADOOP-14229.01.patch, HADOOP-14229.02.patch, > HADOOP-14229.03.patch > > > Let's see jhs as example: > {code}RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/{code} > That means principal has 2 components (jhs/myhost@REALM). > The second column converts this to jhs@REALM. So the regex will not match on > this since regex expects / in the principal. > My suggestion is > {code}RULE:[2:$1](jhs)s/.*/mapred/{code} > https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14229) hadoop.security.auth_to_local example is incorrect in the documentation
[ https://issues.apache.org/jira/browse/HADOOP-14229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16105477#comment-16105477 ] Ravi Prakash commented on HADOOP-14229: --- Looks good to me. +1. Committing shortly. Thank you for the contribution Andras! > hadoop.security.auth_to_local example is incorrect in the documentation > --- > > Key: HADOOP-14229 > URL: https://issues.apache.org/jira/browse/HADOOP-14229 > Project: Hadoop Common > Issue Type: Bug >Reporter: Andras Bokor >Assignee: Andras Bokor > Attachments: HADOOP-14229.01.patch, HADOOP-14229.02.patch, > HADOOP-14229.03.patch > > > Let's see jhs as example: > {code}RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/{code} > That means principal has 2 components (jhs/myhost@REALM). > The second column converts this to jhs@REALM. So the regex will not match on > this since regex expects / in the principal. > My suggestion is > {code}RULE:[2:$1](jhs)s/.*/mapred/{code} > https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14229) hadoop.security.auth_to_local example is incorrect in the documentation
[ https://issues.apache.org/jira/browse/HADOOP-14229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15998849#comment-15998849 ] Hadoop QA commented on HADOOP-14229: | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 11s{color} | {color:blue} Docker mode activated. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 13m 12s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 18s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m 50s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 14s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 16m 7s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Image:yetus/hadoop:14b5c93 | | JIRA Issue | HADOOP-14229 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/1281/HADOOP-14229.03.patch | | Optional Tests | asflicense mvnsite | | uname | Linux 80ec0aec2f3b 4.4.0-43-generic #63-Ubuntu SMP Wed Oct 12 13:48:03 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh | | git revision | trunk / e4f34ec | | modules | C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common | | Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/12251/console | | Powered by | Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org | This message was automatically generated. > hadoop.security.auth_to_local example is incorrect in the documentation > --- > > Key: HADOOP-14229 > URL: https://issues.apache.org/jira/browse/HADOOP-14229 > Project: Hadoop Common > Issue Type: Bug >Reporter: Andras Bokor >Assignee: Andras Bokor > Attachments: HADOOP-14229.01.patch, HADOOP-14229.02.patch, > HADOOP-14229.03.patch > > > Let's see jhs as example: > {code}RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/{code} > That means principal has 2 components (jhs/myhost@REALM). > The second column converts this to jhs@REALM. So the regex will not match on > this since regex expects / in the principal. > My suggestion is > {code}RULE:[2:$1](jhs)s/.*/mapred/{code} > https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14229) hadoop.security.auth_to_local example is incorrect in the documentation
[ https://issues.apache.org/jira/browse/HADOOP-14229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15981381#comment-15981381 ] Allen Wittenauer commented on HADOOP-14229: --- I'm going to +1 with the caveat that this makes the docs a little more clear, but doesn't really solve a key problem: {code} $ bin/hadoop kerbname nn/host2.dom...@realm.tld Name: nn/host2.dom...@realm.tld to hdfs {code} This is sort of hinted at in the docs: {code} The default rule maps the principal host/full.qualified.domain.n...@realm.tld to system user host. The default rule will not be appropriate for most clusters. {code} It then goes on to provide the example rule which doesn't actually fix that warning and all clusters still have super user access on every other cluster in the same realm. At which point it becomes clear the documentation is mostly an exercise in obfuscation. You're better off just using hdfs/, yarn/, etc for daemons and avoid all this mapping baloney anyway (which is what most people that I know of do). > hadoop.security.auth_to_local example is incorrect in the documentation > --- > > Key: HADOOP-14229 > URL: https://issues.apache.org/jira/browse/HADOOP-14229 > Project: Hadoop Common > Issue Type: Bug >Reporter: Andras Bokor >Assignee: Andras Bokor > Attachments: HADOOP-14229.01.patch, HADOOP-14229.02.patch > > > Let's see jhs as example: > {code}RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/{code} > That means principal has 2 components (jhs/myhost@REALM). > The second column converts this to jhs@REALM. So the regex will not match on > this since regex expects / in the principal. > My suggestion is > {code}RULE:[2:$1](jhs)s/.*/mapred/{code} > https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14229) hadoop.security.auth_to_local example is incorrect in the documentation
[ https://issues.apache.org/jira/browse/HADOOP-14229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15951544#comment-15951544 ] Hanisha Koneru commented on HADOOP-14229: - [~boky01], Verified that the current suggested settings for hadoop.security.auth_to_local in https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html do not perform the intended action. As you said, the command _hadoop kerbname jhs/host.domain@REALM.TLD_ gives the following result: bq. Name: jhs/host.dom...@realm.tld to jhs/host.dom...@realm.tld whereas, the intended result is: bq. Name: jhs/host.dom...@realm.tld to mapred The patch LGTM. > hadoop.security.auth_to_local example is incorrect in the documentation > --- > > Key: HADOOP-14229 > URL: https://issues.apache.org/jira/browse/HADOOP-14229 > Project: Hadoop Common > Issue Type: Bug >Reporter: Andras Bokor >Assignee: Andras Bokor >Priority: Trivial > Attachments: HADOOP-14229.01.patch, HADOOP-14229.02.patch > > > Let's see jhs as example: > {code}RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/{code} > That means principal has 2 components (jhs/myhost@REALM). > The second column converts this to jhs@REALM. So the regex will not match on > this since regex expects / in the principal. > My suggestion is > {code}RULE:[2:$1](jhs)s/.*/mapred/{code} > https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14229) hadoop.security.auth_to_local example is incorrect in the documentation
[ https://issues.apache.org/jira/browse/HADOOP-14229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15940354#comment-15940354 ] Hadoop QA commented on HADOOP-14229: | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 15s{color} | {color:blue} Docker mode activated. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 13m 55s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 6s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 1s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 19s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 17m 0s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Image:yetus/hadoop:a9ad5d6 | | JIRA Issue | HADOOP-14229 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12860355/HADOOP-14229.01.patch | | Optional Tests | asflicense mvnsite | | uname | Linux cc418ca36696 3.13.0-108-generic #155-Ubuntu SMP Wed Jan 11 16:58:52 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh | | git revision | trunk / ab759e9 | | modules | C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common | | Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/11914/console | | Powered by | Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org | This message was automatically generated. > hadoop.security.auth_to_local example is incorrect in the documentation > --- > > Key: HADOOP-14229 > URL: https://issues.apache.org/jira/browse/HADOOP-14229 > Project: Hadoop Common > Issue Type: Bug >Reporter: Andras Bokor >Assignee: Andras Bokor >Priority: Trivial > Attachments: HADOOP-14229.01.patch > > > Let's see jhs as example: > {code}RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/{code} > That means principal has 2 components (jhs/myhost@REALM). > The second column converts this to jhs@REALM. So the regex will not match on > this since regex expects / in the principal. > My suggestion is > {code}RULE:[2:$1](jhs)s/.*/mapred/{code} > https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org