You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@kudu.apache.org by "Adar Dembo (Jira)" <ji...@apache.org> on 2019/09/24 17:41:00 UTC

[jira] [Created] (KUDU-2953) Document Kerberos auth_to_local behavior

Adar Dembo created KUDU-2953:
--------------------------------

             Summary: Document Kerberos auth_to_local behavior
                 Key: KUDU-2953
                 URL: https://issues.apache.org/jira/browse/KUDU-2953
             Project: Kudu
          Issue Type: Improvement
          Components: documentation, security
    Affects Versions: 1.11.0
            Reporter: Adar Dembo


We should document how Kudu maps Kerberos principals to local (short) usernames.

Unlike other Hadoop ecosystem components, Kudu doesn't support any custom mappings of its own. Instead, it defers to the Kerberos library itself, which may map principals depending on some [krb5.conf configuration|https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#realms]. If krb5 doesn't map a particular principal, Kudu will convert into a username by taking the first component of the principal.

krb5-based mapping may be disabled by setting {{--use_system_auth_to_local}} to false, in which case Kudu will always use the automatic conversion described above.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)