hbase-user mailing list archives

From Anders Ossowicki <...@vennemindenet.dk>
Subject Kerberized thrift and username normalization
Date Mon, 27 Mar 2017 11:54:59 GMT
Hi,

We've recently enabled Kerberos authentication on the thrift gateway
for hbase (hbase.thrift.security.qop=auth). The underlying hbase and
hadoop setup is already fully kerberized.

We are also using the AccessController, so usernames are important for
mapping permissions.

We've run into an issue with normalizing usernames that I'm not sure
I can see a solution to:

When a user authenticates with thrift, thrift strips the realm:

https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java#L543

String userName = SecurityUtil.getUserFromPrincipal(authzid);

  public static String getUserFromPrincipal(final String principal) {
    int i = principal.indexOf("/");
    if (i == -1) {
      i = principal.indexOf("@");
    }
    return (i > -1) ? principal.substring(0, i) : principal;
  }

So foo@EXAMPLE.ORG becomes 'foo'. This is then sent onwards to hbase.

However, we would like to normalize usernames, since we have users on
platforms where usernames are case insensitive. We have an
auth_to_local rule to do this for hbase, hdfs and other hadoop
services, but these rules do not fire unless hadoop gets the full
principal. Since thrift only sends 'foo', no further normalization is
done.

Is there a good reason for removing the realm in thrift? Presumably
that decision should be made by hbase itself if need be (with the
auth_to_local rules), but I guess I might be missing something.

-- 
Anders Ossowicki
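
The effect described in the message above, as an added example that is not part of the original post and is not HBase or Hadoop code: it runs the quoted getUserFromPrincipal logic ahead of a realm-anchored, lower-casing mapping rule and compares the result with mapping the full principal. The authToLocal method is a hypothetical, simplified stand-in for one auth_to_local rule, and the sample principals are constructed.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RealmStripDemo {
    // Same logic as the getUserFromPrincipal snippet quoted in the post.
    static String getUserFromPrincipal(String principal) {
        int i = principal.indexOf("/");
        if (i == -1) {
            i = principal.indexOf("@");
        }
        return (i > -1) ? principal.substring(0, i) : principal;
    }

    // Hypothetical, simplified stand-in for one auth_to_local rule: a
    // principal in EXAMPLE.ORG maps to its lower-cased first component.
    // A name with no realm matches nothing and passes through unchanged.
    private static final Pattern RULE =
        Pattern.compile("^([^/@]+)(?:/[^@]+)?@EXAMPLE\\.ORG$");

    static String authToLocal(String name) {
        Matcher m = RULE.matcher(name);
        return m.matches() ? m.group(1).toLowerCase(Locale.ROOT) : name;
    }

    public static void main(String[] args) {
        // Constructed sample principals; permissions are assumed granted to "foo".
        String[] principals = {
            "foo@EXAMPLE.ORG",
            "Foo@EXAMPLE.ORG",
            "FOO/gateway.example.org@EXAMPLE.ORG"
        };
        for (String p : principals) {
            // Path described in the post: realm stripped before the mapping runs.
            String strippedFirst = authToLocal(getUserFromPrincipal(p));
            // Alternative: the mapping sees the full principal.
            String fullPrincipal = authToLocal(p);
            System.out.printf("%-38s stripped-first=%-4s full-principal=%s%n",
                p, strippedFirst, fullPrincipal);
        }
    }
}
```

When the realm is stripped first, "Foo" and "FOO" reach the permission check with their original case, so they do not match grants made to "foo"; with the full principal, all three map to the same name.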
