Posted to dev@knox.apache.org by "Ruslan Dautkhanov (JIRA)" <ji...@apache.org> on 2019/02/10 18:42:00 UTC
[jira] [Created] (KNOX-1765) option to append @realm to usernames
Ruslan Dautkhanov created KNOX-1765:
---------------------------------------
Summary: option to append @realm to usernames
Key: KNOX-1765
URL: https://issues.apache.org/jira/browse/KNOX-1765
Project: Apache Knox
Issue Type: Improvement
Components: Server
Affects Versions: 1.2.0, 1.1.0
Reporter: Ruslan Dautkhanov
We'd like Hadoop to map user names to short names.
For auth_to_local to work, the @realm part is mandatory.
For example, if Apache Knox authenticates users using LDAP
and then sends requests over to Livy, it doesn't append the realm.
It seems we could duplicate rules from Hadoop's auth_to_local
using `livy.server.auth.kerberos.name_rules` but it doesn't work
for the same reason on Livy side.
Spin-off from https://issues.apache.org/jira/browse/LIVY-548
as it seems Knox is the right place for this fix (as other endpoints like
HDFS, Hive access would need similar mappings).
Hadoop code says the opposite - there is an explicit check - if
the realm is empty, auth_to_local rules are not applied
[https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376]
Rules application starts further down, on line 383,
so it never reaches the rules transformation loop if the realm is empty.
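The behaviour described in the report, as an added example that is not part of the original message and is not Hadoop's code: a simplified Java model of the short-name lookup with the realm check placed before rule application. The class name, the user names, the EXAMPLE.COM realm and the single rule (`RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*/_ex/`) are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Simplified model of the lookup the report describes; not Hadoop's KerberosName class.
public class ShortNameDemo {
    // A principal has the shape primary[/instance]@REALM.
    private static final Pattern PRINCIPAL =
        Pattern.compile("([^/@]*)(/([^/@]*))?@([^/@]*)");

    // Constructed stand-in for one auth_to_local rule:
    //   RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*/_ex/
    static String applyRule(String realm, String primary) {
        String formatted = primary + "@" + realm;        // [1:$1@$0]
        if (!formatted.matches(".*@EXAMPLE\\.COM")) {    // (.*@EXAMPLE\.COM)
            return null;                                 // rule does not apply
        }
        return formatted.replaceFirst("@.*", "_ex");     // s/@.*/_ex/
    }

    static String shortName(String name) {
        Matcher m = PRINCIPAL.matcher(name);
        String primary, host, realm;
        if (m.matches()) {
            primary = m.group(1);
            host = m.group(3);      // null when there is no /instance part
            realm = m.group(4);
        } else {
            if (name.contains("@")) {
                throw new IllegalArgumentException("Malformed Kerberos name: " + name);
            }
            primary = name;         // bare user name, as forwarded without a realm
            host = null;
            realm = null;
        }
        // The check the report points at: with no realm the name is returned
        // as-is, so the rules below are never consulted.
        if (host == null && realm == null) {
            return primary;
        }
        String mapped = (host == null) ? applyRule(realm, primary) : null;
        if (mapped == null) {
            throw new IllegalStateException("No rules applied to " + name);
        }
        return mapped;
    }

    public static void main(String[] args) {
        for (String n : new String[] {"Alice", "Alice@EXAMPLE.COM"}) { // constructed inputs
            System.out.println(n + " -> " + shortName(n));
        }
    }
}
```

The bare name is returned unchanged while the realm-qualified one goes through the rule, so any mapping or restriction expressed only in the rules does not apply to identities forwarded without a realm.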