Posted to common-issues@hadoop.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2018/11/29 18:15:00 UTC

[jira] [Commented] (HADOOP-12751) While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple

    [ https://issues.apache.org/jira/browse/HADOOP-12751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16703599#comment-16703599 ] 

Hudson commented on HADOOP-12751:
---------------------------------

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #15529 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/15529/])
HADOOP-15959. Revert "HADOOP-12751. While using kerberos Hadoop (stevel: rev d0edd37269bb40290b409d583bcf3b70897c13e0)
* (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
* (edit) hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java
* (edit) hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java
* (edit) hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java
* (edit) hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java
* (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiag.java


> While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple
> -------------------------------------------------------------------------------
>
>                 Key: HADOOP-12751
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12751
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.2
>         Environment: kerberos
>            Reporter: Bolke de Bruin
>            Assignee: Bolke de Bruin
>            Priority: Critical
>              Labels: kerberos
>             Fix For: 2.8.0, 3.0.0-alpha1, 2.7.6
>
>         Attachments: 0001-HADOOP-12751-leave-user-validation-to-os.patch, 0001-Remove-check-for-user-name-characters-and.patch, 0002-HADOOP-12751-leave-user-validation-to-os.patch, 0003-HADOOP-12751-leave-user-validation-to-os.patch, 0004-HADOOP-12751-leave-user-validation-to-os.patch, 0005-HADOOP-12751-leave-user-validation-to-os.patch, 0006-HADOOP-12751-leave-user-validation-to-os.patch, 0007-HADOOP-12751-leave-user-validation-to-os.patch, 0007-HADOOP-12751-leave-user-validation-to-os.patch, 0008-HADOOP-12751-leave-user-validation-to-os.patch, 0008-HADOOP-12751-leave-user-validation-to-os.patch, HADOOP-12751-009.patch, HADOOP-12751-branch-2.7.009.patch
>
>
> In the scenario of a trust between two directories, e.g. FreeIPA (ipa.local) and Active Directory (ad.local), users can be made available on the OS level by something like sssd. The trusted users will be of the form 'user@ad.local' while other users will not contain the domain. Executing 'id -Gn user@ad.local' will successfully return the groups the user belongs to if configured correctly.
> However, it is assumed by Hadoop that users of the format with '@' cannot be correct. This code is in KerberosName.java and seems to be a validator if the 'auth_to_local' rules are applied correctly.
> In my opinion this should be removed or changed to a different kind of check or maybe logged as a warning while still proceeding, as the current behavior limits integration possibilities with other standard tools.
> Workarounds are difficult to apply (by having a rewrite by system tools to, for example, user_ad_local) due to downstream consequences.


