hadoop-common-issues mailing list archives

From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12751) While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple
Date Wed, 13 Apr 2016 10:16:25 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15239016#comment-15239016
] 

Steve Loughran commented on HADOOP-12751:
-----------------------------------------

# we have to leave the auth code in hadoop-auth; things downstream sometimes import that specific
JAR and expect kerberos to be there. (I don't know why the auth stuff isn't in hadoop-common;
that's an inconvenience and a mystery)
# and we can't move Configuration, not when it triggers the loading of core-default and core-site
XML, which would have to be in too, etc, etc.

Here's an alternate proposal.

# the logic to pattern check is retained, the check made
# .... but it's downgraded to a log@info. People can even edit log4j to make that go away
# kdiag is extended to do the pattern check, add an option to fail if the username considered
invalid

This way: no need to do config of the client, some information gets published to explain why
things aren't working, and KDiag does the full checking

> While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple
> -------------------------------------------------------------------------------
>
>                 Key: HADOOP-12751
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12751
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.2
>         Environment: kerberos
>            Reporter: Bolke de Bruin
>            Assignee: Bolke de Bruin
>            Priority: Critical
>              Labels: kerberos
>         Attachments: 0001-HADOOP-12751-leave-user-validation-to-os.patch, 0001-Remove-check-for-user-name-characters-and.patch,
> 0002-HADOOP-12751-leave-user-validation-to-os.patch, 0003-HADOOP-12751-leave-user-validation-to-os.patch,
> 0004-HADOOP-12751-leave-user-validation-to-os.patch
>
>
> In the scenario of a trust between two directories, e.g. FreeIPA (ipa.local) and Active
> Directory (ad.local), users can be made available on the OS level by something like sssd. The
> trusted users will be of the form 'user@ad.local' while other users will not contain the
> domain. Executing 'id -Gn user@ad.local' will successfully return the groups the user belongs
> to if configured correctly.
> However, it is assumed by Hadoop that users of the format with '@' cannot be correct.
> This code is in KerberosName.java and seems to be a validator of whether the 'auth_to_local' rules
> are applied correctly.
> In my opinion this should be removed or changed to a different kind of check or maybe
> logged as a warning while still proceeding, as the current behavior limits integration possibilities
> with other standard tools.
> Workarounds are difficult to apply (by having a rewrite by system tools to, for example,
> user_ad_local) due to downstream consequences.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
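The following is an added illustration, not code from the Hadoop project or from anyone in this thread. It models the "simple name" check the issue describes (a name containing '/' or '@' is treated as non-simple) and the two handling modes the comment proposes: keep the check but only log at INFO and proceed, and let a KDiag-style diagnostic fail on it when an option asks for that. The rule syntax, the realm names and the `translate`, `short_name` and `kdiag_check` functions are constructed stand-ins and are not Hadoop's auth_to_local grammar or API.

```python
"""
Added example for HADOOP-12751: a small Python model of the simple-name
check and of the proposed "log but proceed" and "KDiag can fail" modes.
Not Hadoop's KerberosName code; rule syntax is a constructed stand-in.
"""
import logging
import re

log = logging.getLogger("kerberos_name_example")

# Assumption: a name is 'simple' when it contains neither '/' nor '@'.
NON_SIMPLE = re.compile(r"[/@]")
# primary[/instance]@REALM
PRINCIPAL = re.compile(r"^([^/@]+)(?:/([^@]+))?@([^@]+)$")


class NoMatchingRule(Exception):
    """No translation rule applied to the principal."""


class NonSimpleName(Exception):
    """The translated name still contains '/' or '@'."""


def is_simple(name: str) -> bool:
    return NON_SIMPLE.search(name) is None


def translate(principal: str, rules, local_realm: str) -> str:
    """Map a Kerberos principal to a local user name.

    rules entries are either the string "DEFAULT" (keep the primary component
    of principals in local_realm) or a (regex, replacement) pair applied with
    re.sub; the first entry that matches wins.  This is a toy, not Hadoop's
    auth_to_local grammar.
    """
    m = PRINCIPAL.match(principal)
    if not m:
        raise NoMatchingRule(f"not a principal: {principal!r}")
    primary, _instance, realm = m.groups()
    for rule in rules:
        if rule == "DEFAULT":
            if realm == local_realm:
                return primary
            continue
        pattern, replacement = rule
        if re.search(pattern, principal):
            return re.sub(pattern, replacement, principal)
    raise NoMatchingRule(f"no rule matched {principal!r}")


def short_name(principal, rules, local_realm, strict=True):
    """Translate, then apply the simple-name check.

    strict=True models the behaviour the issue reports: a result such as
    'bob@ad.local' is rejected outright.  strict=False models the comment's
    proposal: the check still runs, but only an INFO line is logged and the
    name is returned so the OS (sssd, 'id -Gn') can resolve it.
    """
    result = translate(principal, rules, local_realm)
    if not is_simple(result):
        if strict:
            raise NonSimpleName(f"non-simple name {result!r} after translation")
        log.info("non-simple name %r after translation; proceeding", result)
    return result


def kdiag_check(names, fail_on_invalid=False):
    """Model of the proposed KDiag extension: report which names fail the
    pattern check and, with fail_on_invalid, turn any failure into an error."""
    report = {name: is_simple(name) for name in names}
    bad = [n for n, ok in report.items() if not ok]
    if fail_on_invalid and bad:
        raise NonSimpleName(f"names failing the simple-name check: {bad}")
    return report


# Constructed sample configuration: FreeIPA is the local realm and one rule
# maps trusted AD principals onto the 'user@ad.local' form that sssd exposes.
RULES = [(r"^(.*)@AD\.LOCAL$", r"\1@ad.local"), "DEFAULT"]
LOCAL_REALM = "IPA.LOCAL"

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(short_name("alice@IPA.LOCAL", RULES, LOCAL_REALM))            # alice
    print(short_name("bob@AD.LOCAL", RULES, LOCAL_REALM, strict=False))  # bob@ad.local
    print(kdiag_check(["alice", "bob@ad.local"]))
    try:
        short_name("bob@AD.LOCAL", RULES, LOCAL_REALM)
    except NonSimpleName as e:
        print("strict mode:", e)
```

Run with `python3 example.py`: the IPA user resolves to a bare name, the trusted AD user resolves to 'bob@ad.local' and is logged at INFO in lenient mode but rejected in strict mode, and `kdiag_check(..., fail_on_invalid=True)` is the hook where a diagnostic tool would turn the same report into a hard failure.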
