Posted to common-issues@hadoop.apache.org by "Alejandro Abdelnur (JIRA)" <ji...@apache.org> on 2014/05/01 07:59:16 UTC

[jira] [Commented] (HADOOP-10556) Add toLowerCase support to auth_to_local rules for service name

    [ https://issues.apache.org/jira/browse/HADOOP-10556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13986375#comment-13986375 ] 

Alejandro Abdelnur commented on HADOOP-10556:
---------------------------------------------

By adding a /L option (similar to the existing /g), we could handle lowercasing.

Because Java regexes don’t support /L (http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html), we will have to handle that explicitly in the KerberosName rules handling logic.


> Add toLowerCase support to auth_to_local rules for service name
> ---------------------------------------------------------------
>
>                 Key: HADOOP-10556
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10556
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.4.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>
> When using Vintela to integrate Linux with AD, principals are lowercased. If the accounts in AD have uppercase characters (i.e. FooBar), the Kerberos principals also have uppercase characters (i.e. FooBar/<HOST>). Because of this, when a service (Yarn/HDFS) extracts the service name from the Kerberos principal (FooBar) and uses it to obtain groups, the user is not found because via Linux the user FooBar is unknown; it has been converted to foobar.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
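
A sketch of the explicit post-processing step the comment describes, added here as an example and not taken from Hadoop's KerberosName class. The `s/from/to/[g][/L]` syntax, the class and method names, and the sample principal are assumptions. Lowercasing uses a fixed locale so that a JVM running under a Turkish default locale does not map `I` to dotless `ı` and produce a short name that matches no local account.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration only; hypothetical class, not Hadoop's KerberosName.
public class LowercaseRuleSketch {

    // Assumed rule syntax: s/<from>/<to>/ then optional "g", then optional "/L".
    private static final Pattern SED =
        Pattern.compile("s/([^/]*)/([^/]*)/(g)?(/L)?");

    /** Applies the sed-style substitution, then lowercases if /L is present. */
    static String apply(String sedRule, String name) {
        Matcher rule = SED.matcher(sedRule);
        if (!rule.matches()) {
            // Reject malformed rules instead of silently passing the name through.
            throw new IllegalArgumentException("Invalid rule: " + sedRule);
        }
        Matcher sub = Pattern.compile(rule.group(1)).matcher(name);
        String to = rule.group(2);
        String result = rule.group(3) != null
            ? sub.replaceAll(to)     // "g": replace every match
            : sub.replaceFirst(to);  // default: replace the first match only

        // java.util.regex has no lowercasing replacement flag, so /L is
        // handled here, after the substitution, with a locale-independent fold.
        if (rule.group(4) != null) {
            result = result.toLowerCase(Locale.ENGLISH);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: AD account "FooBar", local Linux user "foobar".
        String principal = "FooBar@EXAMPLE.COM";
        String localUser = "foobar";

        String withoutL = apply("s/@.*//", principal);
        String withL = apply("s/@.*///L", principal);

        // Without /L the mapped name keeps its case and the group lookup misses.
        System.out.println(withoutL + " matches local user: " + withoutL.equals(localUser));
        System.out.println(withL + " matches local user: " + withL.equals(localUser));
    }
}
```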