Subject: Re: Review Request 35073: Kerberos: Force principal names to resolve to lowercase lower usernames in auth-to-local default rules
From: "Robert Levas"
To: "Robert Levas", "Vitalyi Brodetskyi"
Cc: "Emil Anca", "Ambari"
Date: Sat, 06 Jun 2015 10:56:10 -0000
Message-ID: <20150606105610.7996.16491@reviews.apache.org>
In-Reply-To: <20150605135128.7996.44431@reviews.apache.org>
X-ReviewRequest-URL: https://reviews.apache.org/r/35073/
X-ReviewRequest-Repository: ambari

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35073/#review86908
-----------------------------------------------------------

Ship it!

This looks good, but for some reason the number of `/` characters seems to be excessive. We should check to make sure this is correct. However, it could be that the pattern is compressed due to unneeded data:

`RULE:[1:$1@$0](.*@%s)s/@.*/(empty string replacement)/(no regex flags, usually g might go here)/L`

Is 'L' a regex flag in this case or a special flag for the Hadoop auth-to-local rules processor?

If testing was a success, then I guess the current format is correct.

ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java

This seems redundant. Could the flag be pulled out into a variable and appended as either an empty string or '//L' depending on the value of caseInsensitiveUser? Or maybe simply add the option to the end if needed?

ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java

This could be problematic in the event `kerberos-env/case_insensitive_username_rules` is not set (or `null`). Maybe use something like

```
boolean caseInsensitiveUser = "true".equalsIgnoreCase(existingConfigurations.get("kerberos-env").get("case_insensitive_username_rules"));
```

- Robert Levas

On June 5, 2015, 9:51 a.m., Emil Anca wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35073/
> -----------------------------------------------------------
>
> (Updated June 5, 2015, 9:51 a.m.)
>
>
> Review request for Ambari, Robert Levas and Vitalyi Brodetskyi.
>
>
> Bugs: AMBARI-11687
>     https://issues.apache.org/jira/browse/AMBARI-11687
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Force principal names to resolve to lowercase local usernames in auth-to-local rules. This will help when the KDC is an MIT KDC or an Active Directory and user accounts have uppercase letters that need to be converted to lowercase letters. For example: {{USER1234@REALM}} should resolve to {{user1234}}.
>
> *Solution*
> # Provide a kerberos-env configuration to optionally create case-insensitive rules
> # If creating case-insensitive rules, _generic_ auth-to-local rules should contain the {{L}} option, as in:
>
> ~~~
> RULE:[1:$1@$0](.*@REALM)s/@.*///L
> ~~~
>
>
> Diffs
> -----
>
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java 89d0b55
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 76054b7
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml 6d720a0
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java d1a2bd1
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 5744b53
>   ambari-web/app/data/HDP2/site_properties.js d6ab273
>
> Diff: https://reviews.apache.org/r/35073/diff/
>
>
> Testing
> -------
>
> * mvn clean test -pl AuthToLocalBuilderTest
> * Kerberized/dekerberized prop with / without prop
> * Added service on kerberized cluster
>
>
> Thanks,
>
> Emil Anca
>
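
The rule shape discussed in this thread (`s/@.*///L`: pattern `@.*`, empty replacement, no `g`, then `/L`), evaluated step by step in an added example that is not part of the review request or of Ambari or Hadoop code. The grammar regex is an assumption modelled on the breakdown in the review, `AuthToLocalRuleDemo` and `apply` are hypothetical names, and the principals other than `USER1234@REALM` are constructed.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration (hypothetical class, not Ambari or Hadoop code).
class AuthToLocalRuleDemo {
  // Assumed grammar: RULE:[n:format](filter)s/pattern/replacement/[g][/L]
  private static final Pattern RULE = Pattern.compile(
      "RULE:\\[(\\d+):([^\\]]*)\\](?:\\(([^)]*)\\))?"
      + "(?:s/([^/]*)/([^/]*)/(g)?)?/?(L)?");
  private static final Pattern VAR = Pattern.compile("\\$(\\d)");

  /** Returns the local user name, or null when the rule does not apply. */
  static String apply(String rule, String principal) {
    Matcher r = RULE.matcher(rule);
    if (!r.matches()) throw new IllegalArgumentException("bad rule: " + rule);
    int at = principal.lastIndexOf('@');
    if (at < 0) return null; // this sketch needs an explicit realm
    String realm = principal.substring(at + 1);
    String[] parts = principal.substring(0, at).split("/");
    if (parts.length != Integer.parseInt(r.group(1))) return null;

    // Expand $0 (realm) and $1..$n (name components) in one pass.
    Matcher v = VAR.matcher(r.group(2));
    StringBuffer sb = new StringBuffer();
    while (v.find()) {
      int i = Integer.parseInt(v.group(1));
      if (i > parts.length) throw new IllegalArgumentException("no $" + i);
      v.appendReplacement(sb, Matcher.quoteReplacement(i == 0 ? realm : parts[i - 1]));
    }
    String name = v.appendTail(sb).toString();

    // The filter must match the whole expanded string.
    if (r.group(3) != null && !name.matches(r.group(3))) return null;
    if (r.group(4) != null) { // sed-style substitution; "g" means replace all
      Matcher m = Pattern.compile(r.group(4)).matcher(name);
      name = r.group(6) != null ? m.replaceAll(r.group(5)) : m.replaceFirst(r.group(5));
    }
    // The trailing L lower-cases the result after substitution.
    return r.group(7) != null ? name.toLowerCase(Locale.ENGLISH) : name;
  }

  public static void main(String[] args) {
    String plain = "RULE:[1:$1@$0](.*@REALM)s/@.*//";
    String lower = plain + "/L"; // the rule from the review request
    System.out.println(apply(plain, "USER1234@REALM"));
    System.out.println(apply(lower, "USER1234@REALM"));
    System.out.println(apply(lower, "USER1234@OTHER"));            // constructed
    System.out.println(apply(lower, "nn/host.example.com@REALM")); // constructed
  }
}
```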