Hi Kevin,
The Hortonworks link you posted doesn't say the realm is optional.
Have you tried auth_to_local for usernames coming from Livy over to Hadoop -
if the username doesn't have a realm, did auth_to_local map usernames to short
names?
Actually the Hadoop code says the opposite - there is an explicit check: if the
realm is empty, auth_to_local rules are not applied
https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376
Rule application starts further down, on line 383,
so it never reaches the rule transformation loop if the realm is empty.
We can argue that this might be a Hadoop bug, as the Kerberos C library
states an empty realm is possible:
https://github.com/krb5/krb5/blob/krb5-1.17-final/src/lib/krb5/os/localauth_rule.c#L38
Although in the same place it says it can be dangerous:
> which can be *dangerous in multi-realm environments*, but is our historical
> behavior
So we can now say that the "bug" is actually a security feature, and Hadoop's
auth_to_local implementation left this "historical behavior" out for a good
reason.
I think the only way to enable auth_to_local for proxy authentication, as in
Livy's case, is to have a config setting in Livy to append a realm, as
explained in https://issues.apache.org/jira/browse/LIVY-548
Thank you,
Ruslan Dautkhanov
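As an added illustration (not part of the original mail, and not Hadoop's or Livy's own code), the Python sketch below re-implements a subset of KerberosName's auth_to_local semantics, including the empty-realm short-circuit discussed above, and shows a realm-less Knox/LDAP username passing through untouched while the same name with a realm appended (the LIVY-548 approach) is shortened by the rules. The rule, the `svc-livy` account and the `EXAMPLE.COM` default realm are constructed for the example.

```python
import re

# Simplified re-implementation of Hadoop's auth_to_local semantics:
# RULE:[n:fmt](regex)s/pat/repl/[g] and DEFAULT. Not Hadoop or Livy code.
PRINCIPAL_RE = re.compile(r"([^/@]*)(?:/([^/@]*))?@([^/@]*)")
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?")

def parse_principal(principal):
    """Split 'name[/host]@REALM'; without '@' the whole string is the name, realm None."""
    m = PRINCIPAL_RE.fullmatch(principal)
    return (principal, None, None) if not m else m.groups()

def apply_rules(principal, rules, default_realm="EXAMPLE.COM"):
    name, host, realm = parse_principal(principal)
    if not realm:          # mirrors KerberosName's explicit check: no realm, no rules
        return name
    params = [realm, name] + ([host] if host else [])   # $0 realm, $1 name, $2 host
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm:   # only the local realm is trusted to shorten
                return name
            continue
        m = RULE_RE.fullmatch(rule)
        if not m:
            raise ValueError(f"malformed rule: {rule}")
        n, fmt, regex, pat, repl, flag = m.groups()
        if int(n) != len(params) - 1:    # rule arity must equal the component count
            continue
        candidate = re.sub(r"\$(\d)", lambda mm: params[int(mm.group(1))], fmt)
        if regex and not re.fullmatch(regex, candidate):
            continue
        if pat:                          # Python backrefs (\1) here; Java rules use $1
            candidate = re.sub(pat, repl, candidate, count=0 if flag else 1)
        return candidate
    raise ValueError(f"no rule matched {principal}")

def livy_append_realm(username, realm):
    """The LIVY-548 idea: give realm-less proxy users a realm before Hadoop sees them."""
    return username if "@" in username else f"{username}@{realm}"

# Constructed rules: LDAP service accounts 'svc-<x>' in the local realm map to '<x>'.
RULES = [r"RULE:[1:$1@$0](^svc-.*@EXAMPLE\.COM$)s/^svc-([^@]*)@.*/\1/", "DEFAULT"]

def demo(knox_user="svc-livy"):
    # Without a realm the rule loop is never reached; with it appended the rule fires.
    untouched = apply_rules(knox_user, RULES)
    shortened = apply_rules(livy_append_realm(knox_user, "EXAMPLE.COM"), RULES)
    return untouched, shortened   # ('svc-livy', 'livy')
```

A principal from a foreign realm that matches no RULE raises instead of falling through DEFAULT, which is the multi-realm safety the krb5 comment alludes to.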
On Thu, Jan 17, 2019 at 9:51 AM Kevin Risden wrote:
> I don't think I follow your statement that @realm is mandatory. Auth
> to local is basically just a regex.
>
>
> https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html
>
> I don't know why you want to append the realm back anyway since
> usually the username is what you are after anyway.
>
> Kevin Risden
>
> On Tue, Jan 15, 2019 at 12:36 PM Ruslan Dautkhanov wrote:
> >
> > We'd like Hadoop to map user names to short names.
> >
> > For auth_to_local to work, @realm part is mandatory.
> >
> > For example, Apache Knox, if it authenticates users using LDAP
> > and then sends requests over to Livy, doesn't append a realm.
> > Obviously LDAP, PAM etc. authentications don't have Kerberos
> > realms there.
> >
> > Is there a way to append the realm in Livy, before it sends
> > those requests over to Spark / Hadoop?
> >
> > It seems we could duplicate rules from Hadoop's auth_to_local
> > using `livy.server.auth.kerberos.name_rules` but it doesn't work
> > for the same reason (Kerberos rules require the realm to be present).
> >
> > Also created https://issues.apache.org/jira/browse/LIVY-548
> >
> > Thank you for any ideas.
> >
> > --
> > Ruslan Dautkhanov
>