hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14229) hadoop.security.auth_to_local example is incorrect in the documentation
Date Mon, 24 Apr 2017 15:40:04 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15981381#comment-15981381

Allen Wittenauer commented on HADOOP-14229:

I'm going to +1 with the caveat that this makes the docs a little more clear, but doesn't
really solve a key problem:

$ bin/hadoop kerbname nn/host2.domain@REALM.TLD
Name: nn/host2.domain@REALM.TLD to hdfs

This is sort of hinted at in the docs:

The default rule maps the principal host/full.qualified.domain.name@REALM.TLD to system user
host. The default rule will not be appropriate for most clusters.

It then goes on to provide the example rule which doesn't actually fix that warning and all
clusters still have super user access on every other cluster in the same realm.  At which
point it becomes clear the documentation is mostly an exercise in obfuscation.  You're better
off just using hdfs/, yarn/, etc for daemons and avoid all this mapping baloney anyway (which
is what most people that I know of do).

> hadoop.security.auth_to_local example is incorrect in the documentation
> -----------------------------------------------------------------------
>                 Key: HADOOP-14229
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14229
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Andras Bokor
>            Assignee: Andras Bokor
>         Attachments: HADOOP-14229.01.patch, HADOOP-14229.02.patch
> Let's see jhs as example:
> {code}RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/{code}
> That means principal has 2 components (jhs/myhost@REALM).
> The second column converts this to jhs@REALM. So the regex will not match on this since
regex expects / in the principal.
> My suggestion is
> {code}RULE:[2:$1](jhs)s/.*/mapred/{code}
> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message