hadoop-common-issues mailing list archives

From "Bolke de Bruin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16023) Support system /etc/krb5.conf for auth_to_local rules
Date Tue, 05 Feb 2019 21:09:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16761222#comment-16761222 ]

Bolke de Bruin commented on HADOOP-16023:
-----------------------------------------

[~eyang] sorry, some updates:
 # Patch landed in Kerby to add extra support, but might ask to revert it as I was mistaken in the allowed formats
 # The JDK issue was incorrect

So that means we can use the JDK (8+) version to rely on system configured krb5.conf and use
Hadoop's parsing. This is quite easy and should probably be the best course for now. (a)

I've worked on making it fully native, but that requires wrapping quite a lot of the C library
(basically the whole .h file). (b)

So in the next week or 2 I should be able to free up some time to do (a) unless you think
(b) makes more sense.

> Support system /etc/krb5.conf for auth_to_local rules
> -----------------------------------------------------
>
>                 Key: HADOOP-16023
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16023
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Bolke de Bruin
>            Assignee: Bolke de Bruin
>            Priority: Major
>              Labels: security
>
> Hadoop has long maintained its own configuration for Kerberos' auth_to_local rules. To
> the user this is counterintuitive and increases the complexity of maintaining a secure system
> as the normal way of configuring these auth_to_local rules is done in the site-wide krb5.conf,
> usually /etc/krb5.conf.
> With HADOOP-15996 there is now support for configuring how Hadoop should evaluate auth_to_local
> rules. A "system" mechanism should be added.
> It should be investigated how to properly parse krb5.conf. JDK seems to be lacking as
> it is unable to obtain auth_to_local rules due to a bug in its parser. Apache Kerby has an
> implementation that could be used. A native (C) version is also a possibility.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
