hadoop-common-dev mailing list archives

From Allen Wittenauer ...@altiscale.com>
Subject Re: [RFE] Support MIT Kerberos localauth plugin API
Date Mon, 23 Feb 2015 16:47:22 GMT

	The big question is whether or not Java’s implementation of Kerberos supports it. If so,
which JDK release.  Java’s implementation tends to run a bit behind MIT.  Additionally,
there is a general reluctance to move Hadoop’s baseline Java version to something even supported
until user outcry demands it.  So I’d expect support to be a long way off.

	It’s worth noting that trunk exposes the hadoop kerbname command to help out with auth_to_local
mapping, BTW.

On Feb 23, 2015, at 2:12 AM, Sunny Cheung <sunny.cheung@centrify.com> wrote:

> Hi Hadoop Common developers,
> 
> I am writing to seek your opinion about a feature request: support MIT Kerberos localauth
> plugin API [1].
> 
> Hadoop currently provides the hadoop.security.auth_to_local setting to map Kerberos principal
> to OS user account [2][3]. However, the regex-based mappings (which mimic krb5.conf auth_to_local)
> could be difficult to use in complex scenarios. Therefore, MIT Kerberos 1.12 added a plugin
> interface to control krb5_aname_to_localname and krb5_kuserok behavior. And system daemon
> SSSD (RHEL/Fedora) has already implemented a plugin to leverage this feature [4].
> 
> Is it possible for Hadoop to support a plugin API similar to localauth (when Kerberos
> security is enabled)? Thanks.
> 
> References:
> [1] Local authorization interface (localauth)
> http://web.mit.edu/kerberos/krb5-1.12/doc/plugindev/localauth.html
> [2] Hadoop in Secure Mode - Mapping from Kerberos principal to OS user account
> http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html#Mapping_from_Kerberos_principal_to_OS_user_account
> [3] Need mapping from long principal names to local OS user names
> https://issues.apache.org/jira/browse/HADOOP-6526
> [4] Allow Kerberos Principals in getpwnam() calls
> https://fedorahosted.org/sssd/wiki/DesignDocs/NSSWithKerberosPrincipal
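
The regex-based hadoop.security.auth_to_local mapping discussed in this thread, as an added example that is not part of either message and is not Hadoop's own code: a simplified Python evaluator for the `RULE:[n:format](filter)s/from/to/` syntax that lets a rule set be dry-run against sample principals. The rules, realms and principals are constructed; the `/L` flag and replacement backreferences are not handled, and a rejected result returns None here instead of raising an error.

```python
import re

# Sketch of how Hadoop-style auth_to_local rules are evaluated. Assumption:
# semantics follow the documented RULE:[n:format](filter)s/from/to/ form;
# the /L flag and backreferences in the replacement are not handled.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def map_principal(principal, rules, default_realm):
    """Return the local user name for a principal, or None if no rule maps it."""
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only accepts principals from the default realm.
            if realm == default_realm:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unparseable rule: " + rule)
        n, fmt, accept, frm, to, glob = m.groups()
        if int(n) != len(comps):
            continue                      # component count must match
        params = [realm] + comps          # $0 = realm, $1.. = components
        base = re.sub(r"\$(\d)", lambda x: params[int(x.group(1))], fmt)
        if accept is not None and not re.fullmatch(accept, base):
            continue                      # filter must match the whole string
        if frm is not None:
            base = re.sub(frm, lambda _: to, base, count=0 if glob else 1)
        if "@" in base or "/" in base:
            return None                   # not a simple local name: rejected
        return base
    return None

# Constructed sample rules, realms and principals.
STRICT = [r"RULE:[2:$1@$0](nn@EXAMPLE\.COM)s/.*/hdfs/",
          r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//",
          "DEFAULT"]
LOOSE = ["RULE:[1:$1]"]   # no realm in the format, no filter

if __name__ == "__main__":
    for p in ("nn/host1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM",
              "alice@OTHER.COM"):
        print(p, "->", map_principal(p, STRICT, "EXAMPLE.COM"),
              "| loose:", map_principal(p, LOOSE, "EXAMPLE.COM"))
```

With the constructed `LOOSE` rule, `alice@OTHER.COM` resolves to the same local name as `alice@EXAMPLE.COM`, which is the kind of result worth checking for before a rule set is deployed.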

