hadoop-common-issues mailing list archives

From "Bolke de Bruin (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HADOOP-15996) Plugin interface to support more complex usernames in Hadoop
Date Fri, 21 Dec 2018 17:16:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16726902#comment-16726902 ]

Bolke de Bruin edited comment on HADOOP-15996 at 12/21/18 5:15 PM:
-------------------------------------------------------------------

0002 patch version cleans up the code a little bit and adds / fixes documentation

 

[~eyang] I'm still a bit puzzled why it is not picked up in your config. Tests do cover the
'mapping' (see TestUsergroupInformation). Did you recompile hadoop-common as well? Setting
the mapping happens in HadoopKerberosName as happens with NAME_RULES.

 

[~lmccay] Documentation corrected and updated. PTAL.


was (Author: bolke):
0002 patch version cleans up the code a little bit and adds / fixes documentation

 

[~eyang] I'm still a bit puzzled why it is not picked up in your config. Tests do cover the
'mapping' (see TestUsergroupInformation). Did you recompile hadoop-common as well? Setting
the mapping happens in HadoopKerberosName as happens with NAME_RULES.

> Plugin interface to support more complex usernames in Hadoop
> ------------------------------------------------------------
>
>                 Key: HADOOP-15996
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15996
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Bolke de Bruin
>            Priority: Major
>         Attachments: 0001-HADOOP-15996-Make-auth-to-local-configurable.patch, 0001-Simple-trial-of-using-krb5.conf-for-auth_to_local-ru.patch, 0002-HADOOP-15996-Make-auth-to-local-configurable.patch
>
>
> Hadoop does not allow support of @ character in username in recent security mailing list
> vote to revert HADOOP-12751.  Hadoop auth_to_local rule must match to authorize user to login
> to Hadoop cluster.  This design does not work well in multi-realm environment where identical
> username between two realms do not map to the same user.  There is also a possibility that
> lossy regex can incorrectly map users.  In the interest of supporting multi-realms, it may be
> preferred to pass principal name without rewrite to uniquely distinguish users.  This jira
> is to revisit if Hadoop can support full principal names without rewrite and provide a plugin
> to override Hadoop's default implementation of auth_to_local for multi-realm use case.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
