Date: Fri, 12 Feb 2016 23:32:18 +0000 (UTC)
From: "Bolke de Bruin (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Commented] (HADOOP-12751) While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple

[ https://issues.apache.org/jira/browse/HADOOP-12751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15145551#comment-15145551 ]

Bolke de Bruin commented on HADOOP-12751:
-----------------------------------------

Reporting on local testing:

/etc/passwd:
bolke/:x:1017:1017::/home/bolke:/bin/bash

# HDFS
hdfs dfs -mkdir /test
hdfs dfs -chown bolke/ /test
hdfs dfs -ls /
Found 9 items
drwxrwxrwx   - yarn   hadoop          0 2016-01-28 19:28 /app-logs
drwxr-xr-x   - hdfs   hdfs            0 2016-01-28 19:27 /apps
drwxr-xr-x   - yarn   hadoop          0 2016-01-28 19:24 /ats
drwxr-xr-x   - hdfs   hdfs            0 2016-01-28 19:24 /hdp
drwxr-xr-x   - mapred hdfs            0 2016-01-28 19:24 /mapred
drwxrwxrwx   - mapred hadoop          0 2016-01-28 19:24 /mr-history
drwxr-xr-x   - bolke/ hdfs            0 2016-02-12 22:22 /test
drwxrwxrwx   - hdfs   hdfs            0 2016-02-02 09:58 /tmp
drwxr-xr-x   - hdfs   hdfs            0 2016-01-28 19:27 /user

# Hive has a small issue not allowing @ or / in a separate code path; a patch has been submitted.
# Zookeeper maintains a separate KerberosName and will need to be updated (but we haven't seen any issues).

We haven't been able to find regressions in our (admittedly) small-scale testing. We did test, however, on kerberized and non-kerberized clusters.

Please advise how to proceed (will update patch to fix tests).

> While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple
> -------------------------------------------------------------------------------
>
>                 Key: HADOOP-12751
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12751
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.2
>            Reporter: Bolke de Bruin
>            Priority: Critical
>              Labels: kerberos
>         Attachments: 0001-HADOOP-12751-leave-user-validation-to-os.patch, 0002-HADOOP-12751-leave-user-validation-to-os.patch, 0003-HADOOP-12751-leave-user-validation-to-os.patch, 0004-HADOOP-12751-leave-user-validation-to-os.patch
>
>
> In the scenario of a trust between two directories, e.g. FreeIPA (ipa.local) and Active Directory (ad.local), users can be made available on the OS level by something like sssd. The trusted users will be of the form 'user@ad.local' while other users will not contain the domain. Executing 'id -Gn user@ad.local' will successfully return the groups the user belongs to if configured correctly.
> However, it is assumed by Hadoop that users of the format with '@' cannot be correct. This code is in KerberosName.java and seems to be a validator of whether the 'auth_to_local' rules are applied correctly.
> In my opinion this should be removed or changed to a different kind of check, or maybe logged as a warning while still proceeding, as the current behavior limits integration possibilities with other standard tools.
> Workarounds are difficult to apply (by having a rewrite by system tools to, for example, user_ad_local) due to downstream consequences.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
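The behaviour the issue describes, as an added example that is not part of the thread and not Hadoop's code: a minimal Python model of auth_to_local rule evaluation with a strict "non-simple name" check of the kind the reporter hits, beside the alternative the patch titles point at, returning the mapped name and leaving validation to the OS. The rule grammar is a simplified form of the MIT RULE:[n:fmt](regex)s/pat/rep/ syntax; the NON_SIMPLE pattern, the strict flag, the NoMatchingRule class and the /etc/passwd excerpt are constructed for the example (the entry is modelled on the one in the comment above), and os_has_user stands in for the 'id -Gn' lookup rather than calling it.

```python
"""Added example, not Hadoop's code: a minimal model of auth_to_local rule
evaluation with a strict 'non-simple name' check, beside a mode that hands
the mapped name to the OS for validation.  Rule grammar is simplified; the
validator, the strict flag and the passwd excerpt are constructed."""
import re

# Simplified rule grammar: RULE:[n:fmt](regex)s/pat/rep/[g]  or  DEFAULT
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$"
)
# Hypothetical strict check: a mapped name containing '@' or '/' is rejected.
NON_SIMPLE = re.compile(r"[/@]")

# Constructed /etc/passwd excerpt, modelled on the one in the comment above:
# sssd has made the trusted AD user visible to the OS with its domain suffix.
PASSWD = """root:x:0:0:root:/root:/bin/bash
hdfs:x:1010:1010::/home/hdfs:/bin/bash
bolke@ad.local:x:1017:1017::/home/bolke:/bin/bash
"""


class NoMatchingRule(Exception):
    """Raised when no rule maps the principal, or the strict check rejects it."""


def parse_principal(principal):
    """'primary/instance@REALM' -> (['primary', 'instance'], 'REALM')."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm


def expand(fmt, components, realm):
    """Replace $0 with the realm and $i with the i-th principal component."""
    return re.sub(
        r"\$(\d+)",
        lambda m: realm if m.group(1) == "0" else components[int(m.group(1)) - 1],
        fmt,
    )


def os_has_user(name, passwd=PASSWD):
    """Stand-in for 'id -Gn name': does the OS account database know this login?"""
    return any(line.split(":", 1)[0] == name for line in passwd.splitlines() if line)


def map_principal(principal, rules, default_realm, strict=True):
    """Map a Kerberos principal to a local user name.

    strict=True rejects any result containing '@' or '/' (the behaviour the
    issue reports); strict=False returns the result and lets the OS decide.
    """
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if len(components) == 1 and realm == default_realm:
                return components[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("bad rule: " + rule)
        n, fmt, regex, pat, rep, flag = m.groups()
        if len(components) != int(n):
            continue
        candidate = expand(fmt, components, realm)
        if regex and not re.fullmatch(regex, candidate):
            continue
        if pat is not None:
            candidate = re.sub(pat, rep, candidate, count=0 if flag else 1)
        if strict and NON_SIMPLE.search(candidate):
            raise NoMatchingRule("Non-simple name %s after rule %s" % (candidate, rule))
        return candidate
    raise NoMatchingRule("No rules applied to " + principal)


RULES = [
    # Keep the AD realm as a lowercase suffix, the form sssd exposes to the OS.
    r"RULE:[1:$1@$0](.*@AD\.LOCAL)s/@AD\.LOCAL/@ad.local/",
    "DEFAULT",
]


def demo():
    """Run the three cases the issue contrasts and collect the outcomes."""
    results = {"local": map_principal("hdfs@IPA.LOCAL", RULES, "IPA.LOCAL")}
    try:
        map_principal("bolke@AD.LOCAL", RULES, "IPA.LOCAL", strict=True)
        results["strict"] = "accepted"
    except NoMatchingRule as e:
        results["strict"] = "rejected: " + str(e)
    name = map_principal("bolke@AD.LOCAL", RULES, "IPA.LOCAL", strict=False)
    results["os"] = (name, os_has_user(name))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With strict=True the trusted user is refused before the OS is ever asked, even though the account exists; with strict=False the same rules yield "bolke@ad.local" and the passwd lookup confirms it, which is the division of responsibility the reporter argues for.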