ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tom Beerbower" <tbeerbo...@hortonworks.com>
Subject Re: Review Request 35073: Kerberos: Force principal names to resolve to lowercase lower usernames in auth-to-local default rules
Date Tue, 09 Jun 2015 12:33:29 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35073/#review87163
-----------------------------------------------------------

Ship it!


Ship It!

- Tom Beerbower


On June 9, 2015, 9:55 a.m., Emil Anca wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35073/
> -----------------------------------------------------------
> 
> (Updated June 9, 2015, 9:55 a.m.)
> 
> 
> Review request for Ambari, Robert Levas, Tom Beerbower, and Vitalyi Brodetskyi.
> 
> 
> Bugs: AMBARI-11687
>     https://issues.apache.org/jira/browse/AMBARI-11687
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Force principals names to resolve to lowercase local usernames in auth-to-local rules.
This will help when the KDC is an MIT KDC or an  Active Directory and user accounts have uppercase
letters that need to be converted to lowercase letters.  For example:  {{USER1234@REALM}}
should resolve to {{user1234}}.
> 
> *Solution*
> # Provide a kerberos-env configuration to optionally create case-insensitive rules
> # If creating case-insensitive rules, _generic_ auth-to-local rules should contain the
{{L}} option, as in:
> 
> ~~~
> RULE:[1:$1@$0](.*@REALM)s/@.*///L
> ~~~
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
89d0b55 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
8a5d4fd 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
6d720a0 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
d1a2bd1 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
f8ba840 
>   ambari-web/app/data/HDP2/site_properties.js 484ad38 
> 
> Diff: https://reviews.apache.org/r/35073/diff/
> 
> 
> Testing
> -------
> 
> * mvn clean test -pl AuthToLocalBuilderTest KerberosHelperImpl locally
> * Jenking tests in progress
> * Kerbernized/dekerbenized prop with / without prop while monitoring core-site auth to
local rules
> * Added service on kerberized cluster
> * Ran
>  
>    [root@c6401 ~]# hadoop org.apache.hadoop.security.HadoopKerberosName EAnca@EXAMPLE.COM
> Name: EAnca@EXAMPLE.COM to eanca
> 
> to test the mapping of the new generic Rule.
> 
> 
> Thanks,
> 
> Emil Anca
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message