Posted to dev@knox.apache.org by "Ruslan Dautkhanov (JIRA)" <ji...@apache.org> on 2019/02/10 18:42:00 UTC

[jira] [Created] (KNOX-1765) option to append @realm to usernames

Ruslan Dautkhanov created KNOX-1765:
---------------------------------------

             Summary: option to append @realm to usernames
                 Key: KNOX-1765
                 URL: https://issues.apache.org/jira/browse/KNOX-1765
             Project: Apache Knox
          Issue Type: Improvement
          Components: Server
    Affects Versions: 1.2.0, 1.1.0
            Reporter: Ruslan Dautkhanov


We'd like Hadoop to map user names to short names. 
 
For auth_to_local to work, the @realm part is mandatory. 
 
For example, if Apache Knox authenticates users using LDAP 
and then sends requests over to Livy, it doesn't append the realm. 
 
It seems we could duplicate rules from Hadoop's auth_to_local
using `livy.server.auth.kerberos.name_rules` but it doesn't work
for the same reason on the Livy side.

Spin-off from https://issues.apache.org/jira/browse/LIVY-548
as it seems Knox is the right place for this fix (as other endpoints like 
HDFS, Hive access would need similar mappings).
Hadoop code says the opposite - there is an explicit check - if the 
realm is empty, auth_to_local rules are not applied
 
[https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
 
Rules application starts down below, on line 383,
 
so it never reaches the rules transformation loop if the realm is empty. 
 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
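
The behaviour reported above, as an added example that is not part of the original post and is not Hadoop's code: a simplified Python model of the short-name lookup in `KerberosName` (no `DEFAULT` rule, no `/g` or `/L` flags), showing that a name without `@realm` is returned unchanged before any rule is consulted. The rules, the realm `EXAMPLE.COM` and the principals `svc_livy` and `alice` are constructed for illustration.

```python
import re

# Model of Hadoop's principal parser: service[/host]@REALM
PRINCIPAL = re.compile(r"([^/@]*)(?:/([^/@]*))?@([^/@]*)")

def parse(name):
    """Split a principal into (service, host, realm); realm is None if absent."""
    m = PRINCIPAL.fullmatch(name)
    if m is None:
        if "@" in name:
            raise ValueError("Malformed Kerberos name: " + name)
        return name, None, None          # simple name, no realm
    return m.group(1), m.group(2), m.group(3)

def make_rule(n_components, fmt, match, sed_from, sed_to):
    """Simplified model of RULE:[n:fmt](match)s/sed_from/sed_to/ ."""
    def apply(params):                   # params = [realm, service(, host)]
        if len(params) - 1 != n_components:
            return None
        base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
        if not re.fullmatch(match, base):
            return None
        return re.sub(sed_from, sed_to, base, count=1)
    return apply

def short_name(name, rules):
    """Model of the lookup: the realm check happens before the rule loop."""
    service, host, realm = parse(name)
    if host is None:
        if realm is None:
            return service               # early return: no rule is applied
        params = [realm, service]
    else:
        params = [realm, service, host]
    for rule in rules:
        result = rule(params)
        if result is not None:
            return result
    raise LookupError("No rules applied to " + name)

# Constructed rules: map svc_<x>@EXAMPLE.COM to <x>, then strip the realm.
RULES = [
    make_rule(1, "$1@$0", r"svc_.*@EXAMPLE\.COM", r"^svc_(.*)@.*", r"\1"),
    make_rule(1, "$1@$0", r".*@EXAMPLE\.COM", r"@.*", ""),
]

if __name__ == "__main__":
    for principal in ("svc_livy@EXAMPLE.COM", "svc_livy", "alice@EXAMPLE.COM"):
        print(principal, "->", short_name(principal, RULES))
```

When reviewing a gateway deployment, comparing the identity a backend logs for a proxied request against the mapping expected from the cluster's rules shows whether user names are arriving without a realm.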