hadoop-common-dev mailing list archives

From "Bolke de Bruin (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-12751) While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple
Date Fri, 29 Jan 2016 19:11:39 GMT
Bolke de Bruin created HADOOP-12751:
---------------------------------------

             Summary: While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple
                 Key: HADOOP-12751
                 URL: https://issues.apache.org/jira/browse/HADOOP-12751
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.7.2
            Reporter: Bolke de Bruin
            Priority: Critical


In the scenario of a trust between two directories, e.g. FreeIPA (ipa.local) and Active Directory
(ad.local), users can be made available on the OS level by something like sssd. The trusted
users will be of the form 'user@ad.local' while other users will not contain the domain.
Executing 'id -Gn user@ad.local' will successfully return the groups the user belongs to if
configured correctly.

However, it is assumed by Hadoop that users of the format with '@' cannot be correct. This
code is in KerberosName.java and seems to be a validator if the 'auth_to_local' rules are
applied correctly.

In my opinion this should be removed or changed to a different kind of check or maybe logged
as a warning while still proceeding, as the current behavior limits integration possibilities
with other standard tools.

Workarounds are difficult to apply (by having a rewrite by system tools to, for example, user_ad_local)
due to downstream consequences.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
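
The check described in the report, as an added Java sketch that is not part of the original message and is not Hadoop's KerberosName.java. The class, the mapping policy, the `[/@]` pattern and the WARN mode are assumptions, and the principals are constructed for the FreeIPA/AD trust scenario.

```java
import java.util.Locale;
import java.util.regex.Pattern;

// Added illustration; NOT Hadoop's KerberosName.java. All names are hypothetical.
public class ShortNameCheckDemo {
    // Assumption: a mapped name is "non-simple" if it still contains '@' or '/'.
    private static final Pattern NON_SIMPLE = Pattern.compile("[/@]");

    enum Mode { REJECT, WARN }

    // Hypothetical mapping policy: strip the local realm, keep a trusted realm
    // in lower case so the result matches the sssd form 'user@ad.local'.
    static String toLocalName(String principal, String localRealm) {
        int at = principal.lastIndexOf('@');
        if (at < 0) {
            return principal;
        }
        String name = principal.substring(0, at);
        String realm = principal.substring(at + 1);
        return realm.equals(localRealm)
                ? name
                : name + "@" + realm.toLowerCase(Locale.ROOT);
    }

    // The post-mapping validation the report describes (REJECT), next to the
    // "log a warning and proceed" alternative it proposes (WARN).
    static String validate(String mapped, Mode mode) {
        if (NON_SIMPLE.matcher(mapped).find()) {
            String msg = "Non-simple name " + mapped + " after auth_to_local mapping";
            if (mode == Mode.REJECT) {
                throw new IllegalArgumentException(msg);
            }
            System.err.println("WARN: " + msg);
        }
        return mapped;
    }

    public static void main(String[] args) {
        // Constructed sample principals: one local-realm user, one trusted-realm user.
        String[] principals = {"alice@IPA.LOCAL", "user@AD.LOCAL"};
        for (Mode mode : Mode.values()) {
            for (String p : principals) {
                try {
                    String mapped = validate(toLocalName(p, "IPA.LOCAL"), mode);
                    System.out.println(mode + " " + p + " -> " + mapped);
                } catch (IllegalArgumentException e) {
                    System.out.println(mode + " " + p + " -> rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

In WARN mode the name is passed on unchanged, so it still has to resolve on the OS (the report's `id -Gn user@ad.local`) for group lookups to succeed.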
