Hi Anders,
Your investigation is surprising to me! I would guess that it is
unintended that the auth_to_local rules would not be applied, and that
the realm removal is just done as a "convenience".
If you have the interest in fixing up the code, I'd be happy to review
it and help shepherd it in.
Anders Ossowicki wrote:
Hi,
We've recently enabled Kerberos authentication on the thrift gateway
for hbase (hbase.thrift.security.qop=auth). The underlying hbase and
hadoop setup is already fully kerberized.
We are also using the AccessController, so usernames are important for
mapping permissions.
We've run into an issue with normalizing usernames, that I'm not sure
I can see a solution to:
When a user authenticates with thrift, thrift strips the realm:
https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java#L543
    String userName = SecurityUtil.getUserFromPrincipal(authzid);

    public static String getUserFromPrincipal(final String principal) {
      int i = principal.indexOf("/");
      if (i == -1) {
        i = principal.indexOf("@");
      }
      return (i > -1) ? principal.substring(0, i) : principal;
    }
So [email protected] becomes 'foo'. This is then sent onwards to hbase.
However, we would like to normalize usernames, since we have users on
platforms where usernames are case insensitive. We have an
auth_to_local rule to do this for hbase, hdfs and other hadoop
services, but these rules do not fire unless hadoop gets the full
principal. Since thrift only sends 'foo', no further normalization is
done.
Is there a good reason for removing the realm in thrift? Presumably
that decision should be done by hbase itself if need be (with the
auth_to_local rules), but I guess I might be missing something.
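To make the behaviour Anders describes reproducible, here is an added example (not HBase or Hadoop code, not part of the thread) that runs both code paths through Hadoop's own auth_to_local engine, `org.apache.hadoop.security.authentication.util.KerberosName` from hadoop-auth. It inlines the `getUserFromPrincipal` helper quoted above so nothing from HBase is needed on the classpath. The realm `EXAMPLE.COM`, the sample principals and the lowercasing rule are assumptions for illustration; the realm used in the thread is not shown.

```java
import java.io.IOException;

import org.apache.hadoop.security.authentication.util.KerberosName;

/**
 * Added example: compares what Hadoop's auth_to_local engine does with a
 * full principal against what it does with the realm-stripped name the
 * HBase Thrift gateway hands it. Requires hadoop-auth on the classpath.
 */
public class RealmStripDemo {

    // Copy of the helper quoted in the thread (hbase-common's
    // SecurityUtil.getUserFromPrincipal), inlined so this demo has no
    // HBase dependency.
    static String getUserFromPrincipal(final String principal) {
        int i = principal.indexOf("/");
        if (i == -1) {
            i = principal.indexOf("@");
        }
        return (i > -1) ? principal.substring(0, i) : principal;
    }

    // Path taken by HBase/HDFS RPC: the full principal is run through
    // the configured auth_to_local rules.
    static String viaHadoop(String principal) throws IOException {
        return new KerberosName(principal).getShortName();
    }

    // Path taken by the Thrift gateway: strip the realm first, then hand
    // the bare name on. KerberosName parses a name without '@' as a
    // service name with realm == null, and getShortName() returns such a
    // name as-is before any rule is evaluated.
    static String viaThrift(String principal) throws IOException {
        return new KerberosName(getUserFromPrincipal(principal)).getShortName();
    }

    public static void main(String[] args) throws IOException {
        // ASSUMED realm and rule: lowercase every user in EXAMPLE.COM,
        // let everything else fall through to DEFAULT. This is the same
        // rule shape that goes into hadoop.security.auth_to_local in
        // core-site.xml; the trailing /L is Hadoop's lowercase flag.
        KerberosName.setRules(
            "RULE:[1:$1@$0](.*@EXAMPLE\\.COM)s/@.*///L\n"
          + "DEFAULT");

        // Constructed sample principals: same user, different casing.
        String[] principals = { "Foo@EXAMPLE.COM", "foo@EXAMPLE.COM" };
        for (String p : principals) {
            System.out.printf("%-20s hadoop=%-6s thrift=%s%n",
                    p, viaHadoop(p), viaThrift(p));
        }
    }
}
```

With that rule in place, `viaHadoop` returns `foo` for both principals, while `viaThrift` returns `Foo` for the first and `foo` for the second: the rule never fires on the stripped name because `KerberosName.getShortName()` short-circuits when there is no realm to match. For the AccessController that is two distinct users on the Thrift path and one user everywhere else, which is exactly the normalisation gap described in the thread.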