Posted to user@livy.apache.org by Ruslan Dautkhanov <da...@gmail.com> on 2019/01/15 17:36:14 UTC

appending @realm to usernames

We'd like Hadoop to map user names to short names.

For auth_to_local to work, @realm part is mandatory.

For example, if Apache Knox authenticates users using LDAP
and then sends requests over to Livy, it doesn't append the realm.
Obviously LDAP, PAM etc. authentications don't have Kerberos
realms there.

Is there a way to append the realm in Livy before it sends
those requests over to Spark / Hadoop?

It seems we could duplicate rules from Hadoop's auth_to_local
using `livy.server.auth.kerberos.name_rules`, but it doesn't work
for the same reason (Kerberos rules require the realm to be present).

Also created https://issues.apache.org/jira/browse/LIVY-548

Thank you for any ideas.

-- 
Ruslan Dautkhanov

Re: appending @realm to usernames

Posted by Ruslan Dautkhanov <da...@gmail.com>.
Hi Kevin,

The Hortonworks link you posted doesn't say the realm is optional.

Have you tried auth_to_local for usernames coming from Livy over to Hadoop?
If the username doesn't have a realm, did auth_to_local map usernames to short
names?

Actually, the Hadoop code says the opposite - there is an explicit check: if the
realm is empty, auth_to_local rules are not applied.

https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376

Rules application starts further down, on line 383.

So it never reaches the rule transformation loop if the realm is empty.

We can argue that this might be a Hadoop bug, as the Kerberos C library
states an empty realm is possible:

https://github.com/krb5/krb5/blob/krb5-1.17-final/src/lib/krb5/os/localauth_rule.c#L38

Although in the same place it says it can be dangerous:

> which can be *dangerous in multi-realm environments*, but is our historical
> behavior


So we can now say that this "bug" is actually a security feature, and Hadoop's
auth_to_local implementation left this "historical behavior" out for a good reason.

I think the only way to enable auth_to_local for proxy authentication like
in the Livy case is to have a config setting in Livy to append a realm, as explained in
https://issues.apache.org/jira/browse/LIVY-548


Thank you,
Ruslan Dautkhanov


On Thu, Jan 17, 2019 at 9:51 AM Kevin Risden <kr...@apache.org> wrote:

> I don't think I follow your statement that @realm is mandatory. Auth
> to local is basically just a regex.
>
>
> https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html
>
> I don't know why you want to append the realm back anyway since
> usually the username is what you are after anyway.
>
> Kevin Risden
>
> On Tue, Jan 15, 2019 at 12:36 PM Ruslan Dautkhanov <da...@gmail.com>
> wrote:
> >
> > We'd like Hadoop to map user names to short names.
> >
> > For auth_to_local to work, @realm part is mandatory.
> >
> > For example, if Apache Knox authenticates users using LDAP
> > and then sends requests over to Livy, it doesn't append the realm.
> > Obviously LDAP, PAM etc. authentications don't have Kerberos
> > realms there.
> >
> > Is there a way to append the realm in Livy before it sends
> > those requests over to Spark / Hadoop?
> >
> > It seems we could duplicate rules from Hadoop's auth_to_local
> > using `livy.server.auth.kerberos.name_rules`, but it doesn't work
> > for the same reason (Kerberos rules require the realm to be present).
> >
> > Also created https://issues.apache.org/jira/browse/LIVY-548
> >
> > Thank you for any ideas.
> >
> > --
> > Ruslan Dautkhanov
>
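
A small model of the realm check discussed in this thread, added here as an example; it is not code from the thread, from Hadoop or from Livy. It mimics the short-circuit in KerberosName.getShortName() with a simplified auth_to_local rule evaluator, plus an append_realm helper standing in for the setting LIVY-548 asks for. The realm, the rules and the principals are constructed values.

```python
import re

# Constructed for this example (assumed values, not from the thread): a default realm and
# rules in the hadoop.security.auth_to_local syntax, RULE:[n:format](regex)s/from/to/ or DEFAULT.
DEFAULT_REALM = "CORP.EXAMPLE.COM"
RULES = [
    r"RULE:[1:$1@$0](.*-admin@CORP\.EXAMPLE\.COM)s/-admin@.*//",  # jdoe-admin@REALM -> jdoe
    r"RULE:[2:$1@$0](hdfs@.*)s/@.*//",                          # hdfs/host@REALM -> hdfs
    "DEFAULT",                                                   # user@DEFAULT_REALM -> user
]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/)?")

def apply_rule(rule, params):
    """Simplified model of KerberosName.Rule.apply(): params = [realm, service, host?]."""
    if rule == "DEFAULT":
        return params[1] if params[0] == DEFAULT_REALM else None
    n, fmt, match, sed_from, sed_to = RULE_RE.fullmatch(rule).groups()
    if len(params) - 1 != int(n):            # [n:...] must equal the component count
        return None
    name = fmt
    for i, value in enumerate(params):       # $0 = realm, $1 = service, $2 = host
        name = name.replace("$%d" % i, value)
    if match is not None and not re.fullmatch(match, name):
        return None
    if sed_from is not None:                 # the /g flag and //L lowercasing are not modelled
        name = re.sub(sed_from, sed_to, name, count=1)
    return name

def get_short_name(principal, rules=RULES):
    """Mirrors KerberosName.getShortName(); returns None where Hadoop throws NoMatchingRule."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    if not host and not realm:
        return service                       # the check the thread points at: no realm, rules skipped
    params = [realm, service] + ([host] if host else [])
    for rule in rules:
        result = apply_rule(rule, params)
        if result is not None:
            return result
    return None                              # foreign realm with no matching rule: rejected, not mapped

def append_realm(user, realm=DEFAULT_REALM):
    """What LIVY-548 asks Livy to do for proxy users (hypothetical helper, not Livy code)."""
    return user if "@" in user else user + "@" + realm
```

Running get_short_name on "jdoe-admin" returns it unchanged because the rules never run, while append_realm("jdoe-admin") makes the first rule fire and yields "jdoe"; a principal from another realm gets no mapping at all, which is the multi-realm safety the krb5 comment alludes to.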

Re: appending @realm to usernames

Posted by Kevin Risden <kr...@apache.org>.
I don't think I follow your statement that @realm is mandatory. Auth
to local is basically just a regex.

https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html

I don't know why you want to append the realm back anyway since
usually the username is what you are after anyway.

Kevin Risden

On Tue, Jan 15, 2019 at 12:36 PM Ruslan Dautkhanov <da...@gmail.com> wrote:
>
> We'd like Hadoop to map user names to short names.
>
> For auth_to_local to work, @realm part is mandatory.
>
> For example, if Apache Knox authenticates users using LDAP
> and then sends requests over to Livy, it doesn't append the realm.
> Obviously LDAP, PAM etc. authentications don't have Kerberos
> realms there.
>
> Is there a way to append the realm in Livy before it sends
> those requests over to Spark / Hadoop?
>
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules`, but it doesn't work
> for the same reason (Kerberos rules require the realm to be present).
>
> Also created https://issues.apache.org/jira/browse/LIVY-548
>
> Thank you for any ideas.
>
> --
> Ruslan Dautkhanov