Posted to common-issues@hadoop.apache.org by "Bolke de Bruin (JIRA)" <ji...@apache.org> on 2019/02/05 22:38:00 UTC

[jira] [Comment Edited] (HADOOP-16023) Support system /etc/krb5.conf for auth_to_local rules

    [ https://issues.apache.org/jira/browse/HADOOP-16023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16761280#comment-16761280 ] 

Bolke de Bruin edited comment on HADOOP-16023 at 2/5/19 10:37 PM:
------------------------------------------------------------------

I initially thought that the following is allowed (it isn't):

{code}
ATHENA.MIT.EDU = {
  auth_to_local = {
     rule1
     rule2
  }
}
{code}

Don't worry about it as it is not relevant and actually makes it easier. The krb5.conf parser of the JDK is fine and we can use the evaluator of Hadoop for the rules; I had just been staring at too many man pages and krb5.conf's.


was (Author: bolke):
I initially thought that the following is allowed:

{code}
ATHENA.MIT.EDU = {
  auth_to_local = {
     rule1
     rule2
  }
}
{code}

Don't worry about it as it is not relevant and actually makes it easier. The krb5.conf parser of the JDK is fine and we can use the evaluator of Hadoop for the rules; I had just been staring at too many man pages and krb5.conf's.

> Support system /etc/krb5.conf for auth_to_local rules
> -----------------------------------------------------
>
>                 Key: HADOOP-16023
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16023
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Bolke de Bruin
>            Assignee: Bolke de Bruin
>            Priority: Major
>              Labels: security
>
> Hadoop has long maintained its own configuration for Kerberos' auth_to_local rules. To the user this is counterintuitive and increases the complexity of maintaining a secure system, as the normal way of configuring these auth_to_local rules is in the site-wide krb5.conf, usually /etc/krb5.conf.
> With HADOOP-15996 there is now support for configuring how Hadoop should evaluate auth_to_local rules. A "system" mechanism should be added. 
> It should be investigated how to properly parse krb5.conf. JDK seems to be lacking as it is unable to obtain auth_to_local rules due to a bug in its parser. Apache Kerby has an implementation that could be used. A native (C) version is also a possibility. 
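Added example, not code from the ticket or from Hadoop: a minimal parser for the [realms] section of krb5.conf that collects each realm's auth_to_local rules in the valid repeated-line form (one "auth_to_local = ..." line per rule, in evaluation order) and rejects the nested "auth_to_local = { ... }" block that the comment above notes is not allowed. The sample configuration and the rule strings in it are constructed for illustration.

```python
import re

# Constructed sample (not from the ticket): the valid krb5.conf form is one
# "auth_to_local = ..." line per rule inside the realm block, in evaluation order.
SAMPLE_KRB5_CONF = """\
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = DEFAULT
    }
"""
# The invalid nested form discussed in the comment (constructed).
SAMPLE_INVALID = "[realms]\n ATHENA.MIT.EDU = {\n  auth_to_local = {\n   DEFAULT\n  }\n }\n"

_SECTION = re.compile(r"^\[(\w+)\]$")
_KEY_VALUE = re.compile(r"^(\S+)\s*=\s*(.*)$")


def auth_to_local_rules(text):
    """Return {realm: [rule, ...]} from [realms], rule order preserved; raise
    ValueError on a nested 'auth_to_local = {' block, which krb5.conf does not accept."""
    rules, section, realm, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if m := _SECTION.match(line):            # [section] header
            section, realm, depth = m.group(1), None, 0
            continue
        if line == "}":                          # close of a realm (or nested) block
            depth -= 1
            realm = realm if depth else None
            continue
        m = _KEY_VALUE.match(line)
        if not m or section != "realms":
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":                         # block open
            if depth == 1 and key == "auth_to_local":
                raise ValueError(f"{realm}: auth_to_local must be repeated lines, not a block")
            if depth == 0:                       # top-level block in [realms] is a realm
                realm = key
                rules[realm] = []
            depth += 1
        elif depth == 1 and key == "auth_to_local":
            rules[realm].append(value)
    return rules
```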



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
