[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-03-22 Thread Ruslan Dautkhanov (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16799166#comment-16799166
 ] 

Ruslan Dautkhanov commented on KNOX-1765:
-

[~jesus.alv] helped to spot an unrelated problem that made it look like 
authentication was broken with this change. 

Thank you [~lmccay], [~krisden] and [~jesus.alv] !!



> option to append @realm to usernames
> 
>
> Key: KNOX-1765
> URL: https://issues.apache.org/jira/browse/KNOX-1765
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.1.0, 1.2.0
>Reporter: Ruslan Dautkhanov
>Assignee: Larry McCay
>Priority: Critical
>
> We'd like Hadoop to map user names to short names.
>
> For auth_to_local to work, the @realm part is mandatory.
>
> For example, when Apache Knox authenticates users using LDAP
> and then sends requests over to Livy, it doesn't append the realm.
>
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules`, but it doesn't work
> for the same reason on the Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548,
> as it seems Knox is the right place for this fix (as other endpoints like
> HDFS and Hive access would need similar mappings).
> Hadoop code says the opposite: there is an explicit check; if the
> realm is empty, auth_to_local rules are not applied:
>
> [https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
>
> Rules application starts further down, on line 383,
>
> so it never reaches the rules transformation loop if the realm is empty.
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-03-18 Thread Kevin Risden (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16795014#comment-16795014
 ] 

Kevin Risden commented on KNOX-1765:


What version of Livy is being used? You might want to take a look at 
https://issues.apache.org/jira/browse/LIVY-551 if Livy is the component you are 
having issues with.



[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-03-15 Thread Jesus Alvarez (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16793914#comment-16793914
 ] 

Jesus Alvarez commented on KNOX-1765:
-

Tried a few scenarios on Knox 1.1.0, fwiw a simple *Regex* identity-assertion 
adds it properly:

 
{code:xml}
<provider>
    <role>identity-assertion</role>
    <name>Regex</name>
    <enabled>true</enabled>
    <param>
        <name>input</name>
        <value>(.*)</value>
    </param>
    <param>
        <name>output</name>
        <value>{1}@FYRE.IBM.COM</value>
    </param>
</provider>
{code}

{code}
# gateway-audit
19/03/15 11:58:19 ||fdd83354-acf5-4664-bf49-f55719bd4858|audit|9.30.236.5|LIVYSERVER2|user1|us...@fyre.ibm.com||identity-mapping|principal|user1|success|Effective User: us...@fyre.ibm.com

19/03/15 11:58:19 ||fdd83354-acf5-4664-bf49-f55719bd4858|audit|9.30.236.5|LIVYSERVER2|user1|us...@fyre.ibm.com||dispatch|uri|http://myhost.livy:8999/sessions?doAs=us...@fyre.ibm.com|success|Response status: 200

# livy-server.out
INFO InteractiveSession$: Creating Interactive session 501: [owner: dsxhi, request: [kind: pyspark, proxyUser: Some(us...@fyre.ibm.com)
{code}

And the session is started properly, even though livy2/2019_03_15.request.log
shows the request as %40:

{{172.16.11.67 - - [15/Mar/2019:19:09:38 +] "GET /sessions/501?doAs=user1%40FYRE.IBM.COM HTTP/1.1" 200 -}}

 

 

 



[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-03-05 Thread Ruslan Dautkhanov (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16784799#comment-16784799
 ] 

Ruslan Dautkhanov commented on KNOX-1765:
-

[~krisden] I see now that we have the realm appended correctly / as expected.
Having issues at the Livy level now: it seems it translates *@* to *%40* in the URI
and it might cause some issues. Still troubleshooting.
Will report here if this solution worked for us.
Thank you.



[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-02-28 Thread Kevin Risden (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780636#comment-16780636
 ] 

Kevin Risden commented on KNOX-1765:


[~Tagar] - Did the Concat Identity Assertion Provider work for you?



[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-02-20 Thread Ruslan Dautkhanov (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16773378#comment-16773378
 ] 

Ruslan Dautkhanov commented on KNOX-1765:
-

[~lmccay] thanks a lot for the very detailed response.

It seems that the Concat identity assertion provider [1] would be a low-hanging
fruit for us, and it may be exactly what we're looking for here...

Even the example at
http://knox.apache.org/books/knox-1-2-0/user-guide.html#Concat+Identity+Assertion+Provider
provides `_domain1`, which is exactly what we'll be doing here too: just appending
a static `@REALM` to the username to have a principal name that Hadoop will accept
for `auth_to_local` mapping.

Thanks again!




[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-02-19 Thread Larry McCay (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772464#comment-16772464
 ] 

Larry McCay commented on KNOX-1765:
---

However, while we wouldn't want to make this a change in the core Knox idea
of the impersonated identity, you can likely do exactly what you want with one
of the existing identity assertion providers.

For instance, there is a Concat identity assertion provider [1] that allows you
to concatenate a string to the end of the asserted identity. There is also a
Regular Expression identity assertion provider [2] which allows you to get more
creative. Since an authenticated user in a given topology could be represented
as being from any realm, it would be perfectly reasonable to just dedicate a
topology to such a realm name. If you would rather have a more complex mechanism
that derives the realm from the server, you could always implement your own
identity assertion provider - very easy. Such a provider may make sense to
contribute back even.

The ability to affect the asserted identity within those providers is exactly
what that type of provider was added for. Making any fundamental change to the
core notion of the identity would then affect how identity assertion providers
work, which would be a bad idea. For instance, adding a realm to a username
before some provider does its job on the principal on the way through may lead
to unexpected results.

# [http://knox.apache.org/books/knox-1-2-0/user-guide.html#Concat+Identity+Assertion+Provider]
# [http://knox.apache.org/books/knox-1-2-0/user-guide.html#Regular+Expression+Identity+Assertion+Provider]



[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-02-19 Thread Larry McCay (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772433#comment-16772433
 ] 

Larry McCay commented on KNOX-1765:
---

I don't believe this is something that we can/should do.

Hadoop auth_to_local rules are distinct from those for C/kerberos and have 
never been part of the doas/impersonation model used by trusted proxies in 
Hadoop.

Just for some more clarity, you are talking about adding an @realm to the doAs 
user? Such that the realm would be the kerberos realm for the Knox instance in 
a secure deployment.

If that is the case, that seems like a pretty unnatural representation of the 
user principal considering that one of the primary reasons to use impersonation 
is to not use kerberos and the user may not be in the kerberos realm/KDC.

Moreover, there are a number of applications/components across the Hadoop 
ecosystem that implement doas/impersonation on their own and there will not be 
consistent support for this change in principal propagation.

This seems like a non-starter to me.



[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-02-19 Thread Ruslan Dautkhanov (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772402#comment-16772402
 ] 

Ruslan Dautkhanov commented on KNOX-1765:
-

Also pasting my findings I shared in the Livy user list and in LIVY-548:

{panel}
Hadoop code has an explicit check: if the realm is empty, auth_to_local rules are
not applied

[https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]

Rules application starts further down, on line 383,

so it never reaches the rules transformation loop if the realm is empty.

We can argue that this might be a Hadoop bug, as the Kerberos C library
states an empty realm is possible:

[https://github.com/krb5/krb5/blob/krb5-1.17-final/src/lib/krb5/os/localauth_rule.c#L38]

Although in the same place it says it can be dangerous:

{quote}which can be *dangerous in multi-realm environments*, but is our
historical behavior{quote}

So we can now say that this "bug" is actually a security feature, and Hadoop's
auth_to_local implementation left this "historical behavior" out for a good reason.

I think the only way to enable auth_to_local for proxy authentication like in
the Livy case is to have a config setting in Livy to append a realm, as explained in
https://issues.apache.org/jira/browse/LIVY-548

Thank you,
Ruslan
{panel}


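Added example, not Knox's or Hadoop's own code: a simplified Python model of the two mechanisms this thread turns on, the early return in Hadoop's KerberosName.getShortName() that Ruslan's findings above point at (a realm-less name skips the auth_to_local rule loop entirely) and the Knox Concat/Regex identity assertion step Larry and Jesus describe, which appends @REALM so the same rules can then map the principal back to a short name. The rule parser, the sample rule set and the Knox provider function are assumptions modelled on the documented formats; only the FYRE.IBM.COM realm and the `(.*)` / `{1}@REALM` regex come from the thread.

```python
import re
from collections import namedtuple

# "name", "name@REALM" or "svc/host@REALM", split the way KerberosName does.
_NAME_RE = re.compile(r"^([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?$")
# RULE:[n:fmt](regex)s/pattern/replacement/   (regex and sed parts are optional)
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]+)\))?(?:s/([^/]*)/([^/]*)/g?)?$")
# A parsed RULE entry; a bare DEFAULT entry is kept as the string "DEFAULT".
Rule = namedtuple("Rule", "n fmt match sed_from sed_to")

def parse_rules(text: str) -> list:
    rules = []
    for entry in text.split():
        if entry == "DEFAULT":
            rules.append("DEFAULT")
            continue
        m = _RULE_RE.match(entry)
        if not m:
            raise ValueError(f"bad rule: {entry}")
        n, fmt, match, sed_from, sed_to = m.groups()
        # Hadoop replacements use Java-style $1; Python's re needs \g<1>.
        rules.append(Rule(int(n), fmt, re.compile(match) if match else None,
                          re.compile(sed_from) if sed_from is not None else None,
                          re.sub(r"\$(\d+)", r"\\g<\1>", sed_to or "")))
    return rules

def apply_rule(rule, params: list, default_realm: str):
    if rule == "DEFAULT":  # strips the realm only when it is the local one
        return params[1] if len(params) == 2 and params[0] == default_realm else None
    if len(params) != rule.n + 1:
        return None
    out = rule.fmt
    for i, p in enumerate(params):  # $0 = realm, $1.. = principal components
        out = out.replace(f"${i}", p)
    if rule.match is not None and not rule.match.fullmatch(out):
        return None
    return out if rule.sed_from is None else rule.sed_from.sub(rule.sed_to, out, count=1)

def get_short_name(principal: str, rules: list, default_realm: str) -> str:
    """Model of KerberosName.getShortName(): a realm-less name never reaches the rules."""
    m = _NAME_RE.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal}")
    service, host, realm = m.groups()
    if host is None:
        if realm is None:
            return service  # "already simple": this is the early return the thread cites
        params = [realm, service]
    else:
        params = [realm or "", service, host]
    for rule in rules:
        out = apply_rule(rule, params, default_realm)
        if out is not None:
            return out
    raise ValueError(f"No rules applied to {principal}")

def knox_regex_assert(user: str, pattern: str, output: str) -> str:
    """Models Knox's Regex identity assertion: {n} in output is capture group n (assumed)."""
    m = re.fullmatch(pattern, user)
    return re.sub(r"\{(\d+)\}", lambda g: m.group(int(g.group(1))), output) if m else user

# Constructed rule set: strip the thread's FYRE.IBM.COM realm, then DEFAULT.
SAMPLE_RULES = parse_rules(r"""
RULE:[1:$1@$0](.*@FYRE\.IBM\.COM)s/@.*//
DEFAULT
""")

def demo(realm: str = "FYRE.IBM.COM", ldap_user: str = "user1") -> dict:
    plain = get_short_name(ldap_user, SAMPLE_RULES, realm)  # no realm: rules skipped
    asserted = knox_regex_assert(ldap_user, "(.*)", "{1}@" + realm)
    assert asserted == ldap_user + "@" + realm  # same result as Concat with suffix "@REALM"
    mapped = get_short_name(asserted, SAMPLE_RULES, realm)  # realm present: rules apply
    try:  # a foreign realm no rule covers is rejected rather than passed through
        get_short_name(ldap_user + "@OTHER.REALM", SAMPLE_RULES, realm)
        foreign = "accepted"
    except ValueError:
        foreign = "rejected"
    return {"plain": plain, "asserted": asserted, "mapped": mapped, "foreign": foreign}
```

demo() also shows that a principal from a realm no rule covers is rejected rather than passed through, which is the multi-realm hazard the krb5 comment quoted above warns about.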


[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-02-19 Thread Ruslan Dautkhanov (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772396#comment-16772396
 ] 

Ruslan Dautkhanov commented on KNOX-1765:
-

Thanks Kevin.

Sure, I will post it in the Knox user email list.

Although I am pretty sure there is no workaround for this, unfortunately.

This has also been discussed with IBM developers of their Data Science Experience
product that we're using. DSX has Knox bundled in. That's where we're running into
this issue. This is the internal IBM issue for this:
[https://github.ibm.com/PrivateCloud/dsx-integration/issues/1381]

Neither IBM Support nor the Development teams have a good solution for this.

Cloudera support doesn't ship / support Knox, so we're on our own for this issue
and that's why I opened this issue.

[~jesus.alv] from IBM can probably chime in here too.




[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-02-19 Thread Kevin Risden (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772382#comment-16772382
 ] 

Kevin Risden commented on KNOX-1765:


Linking to mailing list post that hasn't been linked:

http://mail-archives.apache.org/mod_mbox/livy-user/201901.mbox/%3CCACdThQ2rD07K1gpYNXHKczavNXdLhjieZy0SHY%2BM3VN8pZWyqQ%40mail.gmail.com%3E



[jira] [Commented] (KNOX-1765) option to append @realm to usernames

2019-02-19 Thread Kevin Risden (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772375#comment-16772375
 ] 

Kevin Risden commented on KNOX-1765:


[~Tagar] - Please email the Knox user mailing list to see if this is something 
other users have run across. [https://knox.apache.org/mailing-lists.html]

I have never seen this be a requirement across a lot of different environments. 
