Hi,

We've recently enabled Kerberos authentication on the thrift gateway for hbase (hbase.thrift.security.qop=auth). The underlying hbase and hadoop setup is already fully kerberized.

We are also using the AccessController, so usernames are important for mapping permissions. We've run into an issue with normalizing usernames, that I'm not sure I can see a solution to:

When a user authenticates with thrift, thrift strips the realm:

https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java#L543

    String userName = SecurityUtil.getUserFromPrincipal(authzid);

    public static String getUserFromPrincipal(final String principal) {
      int i = principal.indexOf("/");
      if (i == -1) {
        i = principal.indexOf("@");
      }
      return (i > -1) ? principal.substring(0, i) : principal;
    }

So [email protected] becomes 'foo'. This is then sent onwards to hbase.

However, we would like to normalize usernames, since we have users on platforms where usernames are case insensitive. We have an auth_to_local rule to do this for hbase, hdfs and other hadoop services, but these rules do not fire unless hadoop gets the full principal. Since thrift only sends 'foo', no further normalization is done.

Is there a good reason for removing the realm in thrift? Presumably that decision should be done by hbase itself if need be (with the auth_to_local rules), but I guess I might be missing something.

--
Anders Ossowicki
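
The behaviour described in the post above, as an added example that is not part of the original message and not HBase or Hadoop code. Only getUserFromPrincipal is taken from the quoted snippet; the class name, the realm EXAMPLE.COM, the sample principals and the regex rule (a simplified stand-in for an auth_to_local rule that drops the realm and lowercases the name) are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RealmStripDemo {
    // Same logic as the getUserFromPrincipal snippet quoted in the post.
    static String getUserFromPrincipal(final String principal) {
        int i = principal.indexOf("/");
        if (i == -1) {
            i = principal.indexOf("@");
        }
        return (i > -1) ? principal.substring(0, i) : principal;
    }

    // Hypothetical stand-in for an auth_to_local rule (not Hadoop's implementation):
    // principals in the constructed realm EXAMPLE.COM lose the realm and are lowercased.
    static final Pattern RULE = Pattern.compile("^([^/@]+)@EXAMPLE\\.COM$");

    static String applyRule(String name) {
        Matcher m = RULE.matcher(name);
        if (!m.matches()) {
            // A name that arrives without a realm gives the rule nothing to match,
            // so it is passed through unchanged, case included.
            return name;
        }
        return m.group(1).toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample principals: one user, three spellings.
        String[] principals = {"foo@EXAMPLE.COM", "Foo@EXAMPLE.COM", "FOO@EXAMPLE.COM"};
        for (String p : principals) {
            // Path 1: the service sees the full principal and the rule fires.
            String direct = applyRule(p);
            // Path 2: the gateway strips the realm first, then the rule is applied.
            String viaGateway = applyRule(getUserFromPrincipal(p));
            System.out.printf("%-16s direct=%-4s via-gateway=%s%n", p, direct, viaGateway);
        }
    }
}
```

On the direct path all three spellings map to one name; on the gateway path they reach the permission check as three different usernames.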
