Mailing-List: contact dev-help@ambari.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@ambari.apache.org
Content-Type: multipart/alternative;
 boundary="===============6829489371808900419=="
MIME-Version: 1.0
Subject: Re: Review Request 35073: Kerberos: Force principal names to resolve
 to lowercase lower usernames in auth-to-local default rules
From: "Robert Levas" <rlevas@hortonworks.com>
To: "Robert Levas" <rlevas@hortonworks.com>,
 "Vitalyi Brodetskyi" <vbrodetskyi@hortonworks.com>,
 "Tom Beerbower" <tbeerbower@hortonworks.com>
Cc: "Emil Anca" <eanca@hortonworks.com>, "Ambari" <dev@ambari.apache.org>
Date: Tue, 09 Jun 2015 11:17:06 -0000
Message-ID: <20150609111706.27735.94538@reviews.apache.org>
Auto-Submitted: auto-generated
Sender: "Robert Levas" <noreply@reviews.apache.org>
References: <20150609095525.27736.1206@reviews.apache.org>
In-Reply-To: <20150609095525.27736.1206@reviews.apache.org>
Reply-To: "Robert Levas" <rlevas@hortonworks.com>

--===============6829489371808900419==
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35073/#review87159
-----------------------------------------------------------

Ship it!


ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
<https://reviews.apache.org/r/35073/#comment139480>

    A NPE will be thrown if `kerberos-env/case_insensitive_rules` is null or not present in the map.


- Robert Levas


On June 9, 2015, 5:55 a.m., Emil Anca wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35073/
> -----------------------------------------------------------
> 
> (Updated June 9, 2015, 5:55 a.m.)
> 
> 
> Review request for Ambari, Robert Levas, Tom Beerbower, and Vitalyi Brodetskyi.
> 
> 
> Bugs: AMBARI-11687
>     https://issues.apache.org/jira/browse/AMBARI-11687
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Force principals names to resolve to lowercase local usernames in auth-to-local rules. This will help when the KDC is an MIT KDC or an  Active Directory and user accounts have uppercase letters that need to be converted to lowercase letters.  For example:  {{USER1234@REALM}} should resolve to {{user1234}}.
> 
> *Solution*
> # Provide a kerberos-env configuration to optionally create case-insensitive rules
> # If creating case-insensitive rules, _generic_ auth-to-local rules should contain the {{L}} option, as in:
> 
> ~~~
> RULE:[1:$1@$0](.*@REALM)s/@.*///L
> ~~~
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java 89d0b55 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 8a5d4fd 
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml 6d720a0 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java d1a2bd1 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java f8ba840 
>   ambari-web/app/data/HDP2/site_properties.js 484ad38 
> 
> Diff: https://reviews.apache.org/r/35073/diff/
> 
> 
> Testing
> -------
> 
> * mvn clean test -pl AuthToLocalBuilderTest KerberosHelperImpl locally
> * Jenking tests in progress
> * Kerbernized/dekerbenized prop with / without prop while monitoring core-site auth to local rules
> * Added service on kerberized cluster
> * Ran
>  
>    [root@c6401 ~]# hadoop org.apache.hadoop.security.HadoopKerberosName EAnca@EXAMPLE.COM
> Name: EAnca@EXAMPLE.COM to eanca
> 
> to test the mapping of the new generic Rule.
> 
> 
> Thanks,
> 
> Emil Anca
> 
>


--===============6829489371808900419==--