hadoop-common-dev mailing list archives

From Sunny Cheung <sunny.che...@centrify.com>
Subject [RFE] Support MIT Kerberos localauth plugin API
Date Mon, 23 Feb 2015 10:12:58 GMT

Hi Hadoop Common developers,

I am writing to seek your opinion about a feature request: support MIT Kerberos localauth
plugin API [1].

Hadoop currently provides the hadoop.security.auth_to_local setting to map a Kerberos principal
to an OS user account [2][3]. However, the regex-based mappings (which mimic krb5.conf auth_to_local)
could be difficult to use in complex scenarios. Therefore, MIT Kerberos 1.12 added a plugin
interface to control krb5_aname_to_localname and krb5_kuserok behavior. And system daemon
SSSD (RHEL/Fedora) has already implemented a plugin to leverage this feature [4].

Is it possible for Hadoop to support a plugin API similar to localauth (when Kerberos security
is enabled)? Thanks.

[1] Local authorization interface (localauth)
[2] Hadoop in Secure Mode - Mapping from Kerberos principal to OS user account
[3] Need mapping from long principal names to local OS user names
[4] Allow Kerberos Principals in getpwnam() calls
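
An added example, not part of the original message and not Hadoop's or MIT Kerberos's code: a simplified Python model of how the regex-based `RULE:[n:format](regex)s/pattern/replacement/` entries used by hadoop.security.auth_to_local are evaluated. The rule set, realms, principals and function names are constructed for illustration.

```python
import re

# One rule: RULE:[n:format](match-regex)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

# Constructed rule set: service principals for hdfs, users of one trusted
# realm, then DEFAULT for the cluster's own realm.
RULES = [
    r"RULE:[2:$1@$0](hdfs@EXAMPLE\.COM)s/.*/hdfs/",
    r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//",
    "DEFAULT",
]

def parse_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def apply_rules(principal, rules, default_realm):
    """Return the local user name, or None when no rule maps the principal."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only principals of the default realm.
            if realm == default_realm:
                return components[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unparseable rule: " + rule)
        count, fmt, match, pat, repl, glob = m.groups()
        if int(count) != len(components):
            continue  # rule is for a different number of name components
        # $0 is the realm, $1..$n are the name components.
        parts = [realm] + components
        base = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
        # The whole formatted string must match, so the realm stays anchored.
        if match is not None and not re.fullmatch(match, base):
            continue
        if pat is not None:
            base = re.sub(pat, repl, base, count=0 if glob else 1)
        return base
    return None  # fail closed: unmapped principals get no local account

if __name__ == "__main__":
    for p in ("hdfs/nn1.example.com@EXAMPLE.COM", "alice@CORP.EXAMPLE.COM",
              "bob@EXAMPLE.COM", "hdfs/host@OTHER.EXAMPLE.ORG"):
        print(p, "->", apply_rules(p, RULES, "EXAMPLE.COM"))
```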
