Posted to common-issues@hadoop.apache.org by "Bolke de Bruin (JIRA)" <ji...@apache.org> on 2018/12/14 21:32:00 UTC

[jira] [Commented] (HADOOP-15996) Plugin interface to support more complex usernames in Hadoop

    [ https://issues.apache.org/jira/browse/HADOOP-15996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16721798#comment-16721798 ] 

Bolke de Bruin commented on HADOOP-15996:
-----------------------------------------

I think there are 3 types of plugin to be created.
 # "system" -> using the native Kerberos Java interface to determine auth_to_local rules specified in krb5.conf and apply these according to MIT/Heimdal documentation. Use this in case Java 8 is available
 # "compatible" -> Follows MIT/Heimdal evaluation, but rules are specified in Hadoop configuration. This is for Java 7 support, see below.
 # "old_hadoop" (or "hadoop", "legacy") -> use the current implementation

(aside from maybe "custom" if we want to support that).

For "system" most of the ground work is already in place, but there are a few things to consider.
 * Hadoop already uses the native Kerberos interface in KerberosUtil, it only needs an extension (new method) to support accessing the right information
 * While Kerberos 5 MIT/Heimdal both support multiple default realms (default_realm can actually list multiple realms), Hadoop and Java 7 don't
 * Java 7 picks up the first auth_to_local specification and returns it as a String separated by " ". There is no way to determine if this is actually the auth_to_local belonging to the realm we want to evaluate for without changing a field from private to public (in Java 8 it is possible without resorting to this).
 * We cannot 'copy' the Java 8 version as it is under GPL
 * Some parsing needs to be done in order to split the rules properly when returned from Java 7

I.e., if we don't want to resort to declaring a private field public we cannot guarantee security in Java 7 and it will be hard anyway. Therefore, I think we should have "system" only available to Java 8 users, thus Hadoop >= 3.

This can be managed without additional dependencies as all that is required is part of the JDK.


> Plugin interface to support more complex usernames in Hadoop
> ------------------------------------------------------------
>
>                 Key: HADOOP-15996
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15996
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Priority: Major
>
> Hadoop does not allow support of the @ character in usernames in a recent security mailing list vote to revert HADOOP-12751.  A Hadoop auth_to_local rule must match to authorize a user to log in to a Hadoop cluster.  This design does not work well in a multi-realm environment where identical usernames between two realms do not map to the same user.  There is also the possibility that a lossy regex can incorrectly map users.  In the interest of supporting multi-realms, it may be preferred to pass the principal name without rewrite to uniquely distinguish users.  This JIRA is to revisit if Hadoop can support full principal names without rewrite and provide a plugin to override Hadoop's default implementation of auth_to_local for the multi-realm use case.
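
To make the MIT/Heimdal-style evaluation discussed in the comment above concrete, here is a small rule evaluator in Python, added for this thread and not code from Hadoop or from any JDK; it follows the RULE:[n:string](regex)s/pat/rep/g and DEFAULT grammar as I read the krb5.conf documentation, uses Python regex syntax instead of POSIX ERE, and the rule strings, realms and principals are constructed samples. It also shows the collision the issue description warns about: a lossy rule sends alice@EXAMPLE.COM and alice@PARTNER.ORG to the same local user, while per-realm rules keep them apart.

```python
import re
# MIT-style auth_to_local grammar as I read the krb5.conf docs (not Hadoop's KerberosName):
#   RULE:[n:fmt](regex)s/pat/rep/g  (regex optional, any number of s/// parts) or DEFAULT
# Regexes are Python syntax, not POSIX ERE; a regex with its own parentheses is unsupported.
_RULE_HEAD = re.compile(r'^RULE:\[(\d+):([^\]]*)\](?:\(((?:[^()\\]|\\.)*)\))?(.*)$')
_SUBST = re.compile(r'^s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)')

def parse_rule(text):
    # Returns ('DEFAULT',) or ('RULE', n, fmt, regex_or_None, [(pat, rep, is_global), ...])
    if text == 'DEFAULT':
        return ('DEFAULT',)
    m = _RULE_HEAD.match(text)
    if not m: raise ValueError('malformed rule: %r' % text)
    substs, rest = [], m.group(4)
    while rest:  # every remaining character must belong to a well-formed s/pat/rep/[g]
        s = _SUBST.match(rest)
        if not s: raise ValueError('malformed substitution in rule: %r' % text)
        substs.append((s.group(1), s.group(2), s.group(3) == 'g'))
        rest = rest[s.end():]
    return ('RULE', int(m.group(1)), m.group(2), m.group(3), substs)

def split_rule_string(blob):
    # Java 7 (per the thread) returns all auth_to_local entries joined by " "; split only
    # in front of a rule keyword so a space inside a regex does not break a rule apart.
    return [r for r in re.split(r'\s+(?=RULE:|DEFAULT\b)', blob.strip()) if r]

def map_principal(principal, rules, default_realm):
    # First rule whose component count and regex both match wins; no match is an error.
    name, realm = principal.rsplit('@', 1) if '@' in principal else (principal, default_realm)
    components = name.split('/')
    for rule in rules:
        if rule[0] == 'DEFAULT':
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        _, n, fmt, regex, substs = rule
        if n != len(components):
            continue
        text = fmt.replace('$0', realm)
        for i in range(n, 0, -1):  # substitute $n first so '$1' never eats '$10'
            text = text.replace('$%d' % i, components[i - 1])
        if regex is not None and re.fullmatch(regex, text) is None:
            continue
        for pat, rep, glob in substs:
            text = re.sub(pat, rep, text, count=0 if glob else 1)
        return text
    raise LookupError('no auth_to_local rule matched %r' % principal)

# Constructed sample rules in the space-joined form described for Java 7. The lossy one
# drops the realm before mapping, so same-named users in different realms collide.
STRICT_RULES = [parse_rule(r) for r in split_rule_string(
    r'RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*// RULE:[1:$1@$0](.*@PARTNER\.ORG)s/@PARTNER\.ORG/_partner/ '
    r'RULE:[2:$1/$2@$0](nn/.*@EXAMPLE\.COM)s/.*/hdfs/ DEFAULT')]
LOSSY_RULES = [parse_rule(r) for r in split_rule_string(r'RULE:[1:$1@$0](.*@.*)s/@.*//')]
```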


