ambari-dev mailing list archives

From "Emil Anca" <ea...@hortonworks.com>
Subject Re: Review Request 35073: Kerberos: Force principal names to resolve to lowercase lower usernames in auth-to-local default rules
Date Tue, 09 Jun 2015 09:55:25 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35073/
-----------------------------------------------------------

(Updated June 9, 2015, 9:55 a.m.)


Review request for Ambari, Robert Levas, Tom Beerbower, and Vitalyi Brodetskyi.


Changes
-------

Addressed reviewer suggestions.


Bugs: AMBARI-11687
    https://issues.apache.org/jira/browse/AMBARI-11687


Repository: ambari


Description
-------

Force principal names to resolve to lowercase local usernames in auth-to-local rules. This
will help when the KDC is an MIT KDC or an Active Directory and user accounts have uppercase
letters that need to be converted to lowercase letters. For example: {{USER1234@REALM}}
should resolve to {{user1234}}.

*Solution*
# Provide a kerberos-env configuration to optionally create case-insensitive rules
# If creating case-insensitive rules, _generic_ auth-to-local rules should contain the {{L}}
option, as in:

~~~
RULE:[1:$1@$0](.*@REALM)s/@.*///L
~~~


Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
89d0b55 
  ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
8a5d4fd 
  ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
6d720a0 
  ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
d1a2bd1 
  ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
f8ba840 
  ambari-web/app/data/HDP2/site_properties.js 484ad38 

Diff: https://reviews.apache.org/r/35073/diff/


Testing (updated)
-------

* mvn clean test -pl AuthToLocalBuilderTest KerberosHelperImpl locally
* Jenkins tests in progress
* Kerberized/dekerberized prop with / without prop while monitoring core-site auth to local
rules
* Added service on kerberized cluster
* Ran

   [root@c6401 ~]# hadoop org.apache.hadoop.security.HadoopKerberosName EAnca@EXAMPLE.COM
   Name: EAnca@EXAMPLE.COM to eanca

to test the mapping of the new generic Rule.


Thanks,

Emil Anca
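
The generic rule from the description, evaluated with and without the trailing `/L` by a small stand-alone model of the auth-to-local rule syntax. This is an added example, not code from the review request, Ambari or Hadoop; `apply_rule` and the two constants are hypothetical names, and the model is a simplification (Python regex semantics, no `DEFAULT` rule).

```python
import re

# Shape of one rule: RULE:[n:format](match)s/pattern/replacement/g/L
# (match filter, sed expression, "g" and the trailing "/L" are all optional)
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
    r"(?:s/([^/]*)/([^/]*)/(g)?)?/?(L)?$"
)

# The rule quoted in the description, and the same rule without the L option.
CASE_INSENSITIVE = r"RULE:[1:$1@$0](.*@REALM)s/@.*///L"
CASE_SENSITIVE = r"RULE:[1:$1@$0](.*@REALM)s/@.*//"


def apply_rule(rule, principal):
    """Return the local username the rule yields, or None if it does not apply."""
    m = RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, match, pat, repl, glob, lower = m.groups()
    name, _, realm = principal.partition("@")
    parts = [realm] + name.split("/")  # $0 = realm, $1.. = name components
    if len(parts) - 1 != int(n):
        return None  # rule is written for a different component count
    base = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
    if match is not None and not re.fullmatch(match, base):
        return None  # realm filter rejected this principal
    if pat is not None:
        base = re.sub(pat, repl, base, count=0 if glob else 1)
    return base.lower() if lower else base


if __name__ == "__main__":
    # Constructed sample principals; only USER1234@REALM appears in the description.
    for p in ("USER1234@REALM", "nn/host1@REALM", "user@OTHER"):
        print(p, "->", apply_rule(CASE_SENSITIVE, p), "|", apply_rule(CASE_INSENSITIVE, p))
```

Without `/L` the principal maps to `USER1234`, which a case-sensitive local account lookup treats as a different user from `user1234`.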

