From: Sunny Cheung
To: common-dev@hadoop.apache.org
Date: Mon, 23 Feb 2015 02:12:58 -0800
Subject: [RFE] Support MIT Kerberos localauth plugin API
Message-ID: <4171CAC09274D742BAA5454B63C0D51C6CF5DA0364@exch-07-02.centrify.com>
Hi Hadoop Common developers,

I am writing to seek your opinion about a feature request: support the MIT Kerberos localauth plugin API [1].

Hadoop currently provides the hadoop.security.auth_to_local setting to map a Kerberos principal to an OS user account [2][3]. However, the regex-based mappings (which mimic krb5.conf auth_to_local) could be difficult to use in complex scenarios. Therefore, MIT Kerberos 1.12 added a plugin interface to control krb5_aname_to_localname and krb5_kuserok behavior. And the system daemon SSSD (RHEL/Fedora) has already implemented a plugin to leverage this feature [4].

Is it possible for Hadoop to support a plugin API similar to localauth (when Kerberos security is enabled)?

Thanks.

References:
[1] Local authorization interface (localauth)
http://web.mit.edu/kerberos/krb5-1.12/doc/plugindev/localauth.html
[2] Hadoop in Secure Mode - Mapping from Kerberos principal to OS user account
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html#Mapping_from_Kerberos_principal_to_OS_user_account
[3] Need mapping from long principal names to local OS user names
https://issues.apache.org/jira/browse/HADOOP-6526
[4] Allow Kerberos Principals in getpwnam() calls
https://fedorahosted.org/sssd/wiki/DesignDocs/NSSWithKerberosPrincipal
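To make the auth_to_local mechanism the message refers to concrete, here is an added Python example (not part of the message and not Hadoop's own code) that re-implements the RULE/DEFAULT evaluation of hadoop.security.auth_to_local over a constructed rule set; the cluster realm EXAMPLE.COM and the trusted realm PARTNER.COM are assumptions.

```python
import re

# Grammar of one hadoop.security.auth_to_local rule (as in Hadoop's KerberosName):
#   RULE:[<n>:<format>](<regex>)s/<pattern>/<replacement>/[g]   or   DEFAULT
# <n> = component count (realm excluded); $0 = realm, $1..$n = components; (regex) and s/// are optional.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")
NON_SIMPLE = re.compile(r"[/@]")  # a local user name may contain neither '/' nor '@'

# Constructed sample config: EXAMPLE.COM (assumed cluster realm), PARTNER.COM (assumed trusted realm).
DEFAULT_REALM = "EXAMPLE.COM"
RULES = [
    r"RULE:[1:$1@$0](.*@PARTNER\.COM)s/@.*//",           # carol@PARTNER.COM -> carol
    r"RULE:[2:$1/$2@$0](nn/.*@EXAMPLE\.COM)s/.*/hdfs/",  # every NameNode instance -> hdfs
    "DEFAULT",                                           # own realm only: first component
]

class NoMatchingRule(Exception): """No rule produced a local name; Hadoop refuses the principal."""

def apply_rules(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Map 'comp1/comp2@REALM' to a local OS user; the first rule that applies wins."""
    name, _, realm = principal.partition("@")  # no '@' -> empty realm, DEFAULT never maps it
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            if realm != default_realm:
                continue  # DEFAULT never maps a foreign realm
            result = comps[0]
        else:
            m = RULE_RE.match(rule)
            if m is None:
                raise ValueError("malformed rule: %r" % rule)
            n, fmt, regex, pat, repl, flag = m.groups()
            if int(n) != len(comps):
                continue  # rule is written for a different number of components
            params = [realm] + comps
            result = re.sub(r"\$(\d+)", lambda g: params[int(g.group(1))], fmt)
            if regex is not None and re.fullmatch(regex, result) is None:
                continue  # the guard must match the whole formatted string
            if pat is not None:
                result = re.sub(pat, repl, result, count=0 if flag == "g" else 1)
        if NON_SIMPLE.search(result):  # e.g. a rule that forgot to strip the realm
            raise NoMatchingRule("non-simple name %r for %r" % (result, principal))
        return result
    raise NoMatchingRule("no rule matched %r" % principal)

def local_user_or_none(principal, rules=RULES, default_realm=DEFAULT_REALM):  # None = rejected
    try:
        return apply_rules(principal, rules, default_realm)
    except NoMatchingRule:
        return None
```

DEFAULT maps only principals of the cluster's own realm, so a principal from any other realm is refused unless a rule explicitly matches it.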