Re: appending @realm to usernames

2019-01-17 Thread Ruslan Dautkhanov
Hi Kevin,

Hortonworks link you posted doesn't say realm is optional.

Have you tried auth_to_local for usernames coming from Livy over to Hadoop -
if the username doesn't have a realm, did auth_to_local map usernames to short
names?

Actually, the Hadoop code says the opposite - there is an explicit check: if the
realm is empty, auth_to_local rules are not applied

https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376


Rule application starts further down, on line 383


so it never reaches the rule transformation loop if the realm is empty.

We can argue that this might be a Hadoop bug, as the Kerberos C library
states that an empty realm is possible

https://github.com/krb5/krb5/blob/krb5-1.17-final/src/lib/krb5/os/localauth_rule.c#L38

Although in the same place it says it can be dangerous:

> which can be *dangerous in multi-realm environments*, but is our historical
> behavior


So we can now say that "bug" is actually a security feature, and Hadoop's
auth_to_local implementation left this "historical behavior" out for a good reason.

I think the only way to enable auth_to_local for proxy authentication like
in Livy's case is to have a config setting in Livy to append a realm, as explained in
https://issues.apache.org/jira/browse/LIVY-548


Thank you,
Ruslan Dautkhanov


On Thu, Jan 17, 2019 at 9:51 AM Kevin Risden wrote:

> I don't think I follow your statement that @realm is mandatory. Auth
> to local is basically just a regex.
>
>
> https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html
>
> I don't know why you want to append the realm back anyway since
> usually the username is what you are after anyway.
>
> Kevin Risden
>
> On Tue, Jan 15, 2019 at 12:36 PM Ruslan Dautkhanov 
> wrote:
> >
> > We'd like Hadoop to map user names to short names.
> >
> > For auth_to_local to work, @realm part is mandatory.
> >
> > For example, Apache Knox, if it authenticates users using LDAP
> > and then sends requests over to Livy, doesn't append a realm.
> > Obviously LDAP, PAM, etc. authentication doesn't have Kerberos
> > realms there.
> >
> > Is there a way to append a realm in Livy before it sends
> > those requests over to Spark / Hadoop?
> >
> > It seems we could duplicate rules from Hadoop's auth_to_local
> > using `livy.server.auth.kerberos.name_rules`, but it doesn't work
> > for the same reason (Kerberos rules require a realm to be present).
> >
> > Also created https://issues.apache.org/jira/browse/LIVY-548
> >
> > Thank you for any ideas.
> >
> > --
> > Ruslan Dautkhanov
>


Re: appending @realm to usernames

2019-01-17 Thread Kevin Risden
I don't think I follow your statement that @realm is mandatory. Auth
to local is basically just a regex.

https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html

I don't know why you want to append the realm back anyway since
usually the username is what you are after anyway.

Kevin Risden

On Tue, Jan 15, 2019 at 12:36 PM Ruslan Dautkhanov wrote:
>
> We'd like Hadoop to map user names to short names.
>
> For auth_to_local to work, @realm part is mandatory.
>
> For example, Apache Knox, if it authenticates users using LDAP
> and then sends requests over to Livy, doesn't append a realm.
> Obviously LDAP, PAM, etc. authentication doesn't have Kerberos
> realms there.
>
> Is there a way to append a realm in Livy before it sends
> those requests over to Spark / Hadoop?
>
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules`, but it doesn't work
> for the same reason (Kerberos rules require a realm to be present).
>
> Also created https://issues.apache.org/jira/browse/LIVY-548
>
> Thank you for any ideas.
>
> --
> Ruslan Dautkhanov
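The two messages above disagree on whether a realm is needed for auth_to_local: Kevin's point is that the rules are just regexes, Ruslan's is that Hadoop's KerberosName only runs those regexes when the principal actually carries a realm. The following added example (written for this thread, not code from Hadoop, Livy or either poster) is a simplified Python model of both: it parses Hadoop-style `RULE:[n:format](regex)s/pattern/replacement/` and `DEFAULT` rules, applies them the way KerberosName does (format string built from `$0` = realm, `$1` = name, `$2` = instance; the regex must match the whole formatted string), and reproduces the early return for a realm-less name. The rule set, realm names and user names are constructed for the demonstration; `append_realm` stands in for the Livy-side setting proposed in LIVY-548 and is an assumption, not an existing Livy option.

```python
import re

# Constructed sample rule set in Hadoop auth_to_local syntax (not taken from the thread).
# Format component indexes: $0 = realm, $1 = first name component, $2 = instance/host.
SAMPLE_RULES = [
    "RULE:[1:$1@$0](.*@GUEST\\.EXAMPLE)s/.*/nobody/",        # guest-realm users become "nobody"
    "RULE:[2:$1@$0](.*@EXAMPLE\\.COM)s/@EXAMPLE\\.COM$//",   # service principals keep only the service name
    "DEFAULT",                                               # name@<default realm> -> name
]

# Principal syntax name[/instance]@realm; anything without "@realm" is kept whole.
_PRINCIPAL = re.compile(r"([^/@]*)(/([^/@]*))?@([^/@]*)")
# RULE body: [n:format](regex)s/pattern/replacement/[g]; regex and sed parts are optional.
_RULE_BODY = re.compile(r"\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?")


class NoMatchingRule(Exception):
    """Raised when a principal carries a realm but no rule accepts it."""


def parse_principal(principal):
    """Split name/instance@realm into (name, instance, realm); realm is None if absent."""
    m = _PRINCIPAL.fullmatch(principal)
    if m is None:
        return principal, None, None
    return m.group(1), m.group(3), m.group(4)


def apply_rule(rule, name, instance, realm, default_realm):
    """Return the short name produced by one rule, or None if the rule does not apply."""
    if rule == "DEFAULT":
        return name if realm == default_realm else None
    if not rule.startswith("RULE:"):
        raise ValueError("unknown rule: " + rule)
    m = _RULE_BODY.fullmatch(rule[len("RULE:"):])
    if m is None:
        raise ValueError("malformed rule: " + rule)
    ncomp, fmt, regex, sed_from, sed_to, sed_global = m.groups()
    components = [realm, name] + ([instance] if instance is not None else [])
    if int(ncomp) != len(components) - 1:
        return None                     # rule is for a different number of name components
    base = fmt
    for i, comp in enumerate(components):
        base = base.replace("$%d" % i, comp)
    if regex is not None and re.fullmatch(regex, base) is None:
        return None                     # like Matcher.matches(): the whole string must match
    if sed_from is not None:
        base = re.sub(sed_from, sed_to, base, count=0 if sed_global else 1)
    if "@" in base or "/" in base:
        raise ValueError("rule produced a non-simple name: " + base)
    return base


def short_name(principal, rules, default_realm):
    """Simplified model of KerberosName.getShortName() (assumption: not Hadoop's own code)."""
    name, instance, realm = parse_principal(principal)
    if realm is None:
        # The check the thread points at: with no realm the name is returned as-is
        # and the rule loop below is never reached.
        return name
    for rule in rules:
        result = apply_rule(rule, name, instance, realm, default_realm)
        if result is not None:
            return result
    raise NoMatchingRule(principal)


def append_realm(user, realm):
    """Hypothetical proxy-side step (the LIVY-548 idea): add a realm before the name reaches Hadoop."""
    return user if "@" in user else user + "@" + realm


if __name__ == "__main__":
    for p in ["alice@EXAMPLE.COM", "hdfs/nn.example.com@EXAMPLE.COM", "eve@GUEST.EXAMPLE", "eve"]:
        print(p, "->", short_name(p, SAMPLE_RULES, "EXAMPLE.COM"))
    print("eve + realm ->", short_name(append_realm("eve", "GUEST.EXAMPLE"), SAMPLE_RULES, "EXAMPLE.COM"))
```

Running it shows the behaviour both posters describe: `eve@GUEST.EXAMPLE` is rewritten to `nobody` by the first rule, while a bare `eve`, as a Knox-authenticated user would arrive via Livy, is returned untouched without any rule being consulted; only after `append_realm` does the guest-realm rule get a chance to apply. A name in a realm no rule covers raises `NoMatchingRule`, which is the multi-realm protection the skipped-empty-realm check preserves.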