Posted to common-issues@hadoop.apache.org by "Steve Loughran (Jira)" <ji...@apache.org> on 2022/12/14 12:19:00 UTC

[jira] [Created] (HADOOP-18573) Improve error reporting on non-standard kerberos names

Steve Loughran created HADOOP-18573:
---------------------------------------

             Summary: Improve error reporting on non-standard kerberos names
                 Key: HADOOP-18573
                 URL: https://issues.apache.org/jira/browse/HADOOP-18573
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
    Affects Versions: 3.3.4
            Reporter: Steve Loughran
            Assignee: Steve Loughran



The kerberos RFC does not declare any restriction on
characters used in kerberos names, though
implementations MAY be more restrictive.

If the kerberos controller supports the use of non-conventional
user names *and the kerberos admin chooses to use them*
this can confuse some of the parsing.

The obvious solution is for the enterprise admins to "not do that"
as a lot of things break, bits of hadoop included.

Harden the hadoop code slightly so at least we fail more gracefully,
so people can then get in touch with their sysadmin and tell them
to stop it.

Note: given the kerberos admin is implicitly a superuser, being able to
doesn't give them any privileges, just offers a different way
to stop the cluster working.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
