hadoop-common-dev mailing list archives

From Sunny Cheung <sunny.che...@centrify.com>
Subject [RFE] Support MIT Kerberos localauth plugin API
Date Mon, 23 Feb 2015 10:12:58 GMT

Hi Hadoop Common developers,

I am writing to seek your opinion about a feature request: support MIT Kerberos localauth
plugin API [1].

Hadoop currently provides the hadoop.security.auth_to_local setting to map a Kerberos principal
to an OS user account [2][3]. However, the regex-based mappings (which mimic krb5.conf auth_to_local)
could be difficult to use in complex scenarios. Therefore, MIT Kerberos 1.12 added a plugin
interface to control krb5_aname_to_localname and krb5_kuserok behavior. And the system daemon
SSSD (RHEL/Fedora) has already implemented a plugin to leverage this feature [4].

Is it possible for Hadoop to support a plugin API similar to localauth (when Kerberos security
is enabled)? Thanks.

References:
[1] Local authorization interface (localauth)
http://web.mit.edu/kerberos/krb5-1.12/doc/plugindev/localauth.html
[2] Hadoop in Secure Mode - Mapping from Kerberos principal to OS user account
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html#Mapping_from_Kerberos_principal_to_OS_user_account
[3] Need mapping from long principal names to local OS user names
https://issues.apache.org/jira/browse/HADOOP-6526
[4] Allow Kerberos Principals in getpwnam() calls
https://fedorahosted.org/sssd/wiki/DesignDocs/NSSWithKerberosPrincipal
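
As an added illustration (not part of the original message and not Hadoop's code), here is a simplified Python model of the krb5.conf-style rule syntax that hadoop.security.auth_to_local mimics. It reports which local account each principal maps to and where two principals land on the same account. The rules, realms and principals are constructed, and only the `RULE:[n:format](regex)s/pattern/replacement/` and `DEFAULT` forms are modelled.

```python
import re
from collections import defaultdict

# Simplified model of the krb5.conf-style rule syntax; not Hadoop's own code.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g)?)?")

def map_principal(principal, rules, default_realm):
    """Return the local name from the first rule that applies, else None."""
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm:
                return comps[0]
            continue
        m = RULE_RE.fullmatch(rule)
        if m is None:
            raise ValueError("unparseable rule: " + rule)
        count, fmt, match, pat, repl, glob = m.groups()
        if int(count) != len(comps):
            continue  # rule is for a different number of name components
        parts = [realm] + comps  # $0 = realm, $1..$n = components
        base = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue
        if pat is not None:  # sed-style substitution, first match unless /g
            base = re.sub(pat, lambda _: repl, base, count=0 if glob else 1)
        return base
    return None

def find_collisions(principals, rules, default_realm):
    """Local names reached by more than one principal (worth a review)."""
    seen = defaultdict(list)
    for p in principals:
        local = map_principal(p, rules, default_realm)
        if local is not None:
            seen[local].append(p)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample rules and principals.
RULES = [
    r"RULE:[2:$1@$0](nn@EXAMPLE\.COM)s/.*/hdfs/",
    r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//",
    "DEFAULT",
]
SAMPLE = ["nn/host1.example.com@EXAMPLE.COM", "alice@CORP.EXAMPLE.COM",
          "alice@EXAMPLE.COM", "mallory@OTHER.EXAMPLE"]
```

Calling `find_collisions(SAMPLE, RULES, "EXAMPLE.COM")` shows that the two `alice` principals from different realms resolve to the same local account.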
