Posted to common-issues@hadoop.apache.org by "Allen Wittenauer (JIRA)" <ji...@apache.org> on 2017/04/24 15:40:04 UTC

[jira] [Commented] (HADOOP-14229) hadoop.security.auth_to_local example is incorrect in the documentation

    [ https://issues.apache.org/jira/browse/HADOOP-14229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15981381#comment-15981381 ] 

Allen Wittenauer commented on HADOOP-14229:
-------------------------------------------

I'm going to +1 with the caveat that this makes the docs a little more clear, but doesn't really solve a key problem:

{code}
$ bin/hadoop kerbname nn/host2.domain@REALM.TLD
Name: nn/host2.domain@REALM.TLD to hdfs
{code}

This is sort of hinted at in the docs:

{code}
The default rule maps the principal host/full.qualified.domain.name@REALM.TLD to system user host. The default rule will not be appropriate for most clusters.
{code}

It then goes on to provide the example rule which doesn't actually fix that warning and all clusters still have super user access on every other cluster in the same realm. At which point it becomes clear the documentation is mostly an exercise in obfuscation. You're better off just using hdfs/, yarn/, etc. for daemons and avoiding all this mapping baloney anyway (which is what most people that I know of do).


> hadoop.security.auth_to_local example is incorrect in the documentation
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-14229
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14229
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Andras Bokor
>            Assignee: Andras Bokor
>         Attachments: HADOOP-14229.01.patch, HADOOP-14229.02.patch
>
>
> Let's take jhs as an example:
> {code}RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/{code}
> That means the principal has 2 components (jhs/myhost@REALM).
> The second column converts this to jhs@REALM. So the regex will not match on this since the regex expects / in the principal.
> My suggestion is:
> {code}RULE:[2:$1](jhs)s/.*/mapred/{code}
> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html



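Added example, not part of the original message and not Hadoop's own code: a simplified Python model of how an auth_to_local RULE is evaluated, showing why the documented jhs rule never fires, why the suggested rule does, and why a rule that keeps only $1 maps the same daemon principal on every host in the realm to the same user, as in the kerbname output above. Assumptions: the default realm is REALM.TLD, the acceptance regex must match the whole formatted string, and NN_RULE is constructed here by analogy with the suggested jhs rule.

```python
import re

# RULE:[<n>:<format>](<acceptance regex>)s/<pattern>/<replacement>/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

DOC_RULE = "RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/"   # from the docs
FIXED_RULE = "RULE:[2:$1](jhs)s/.*/mapred/"                   # suggested fix
NN_RULE = "RULE:[2:$1](nn)s/.*/hdfs/"   # constructed by analogy, not from the page


def apply_rule(rule, principal, default_realm="REALM.TLD"):
    """Return the short name, or None when the rule does not apply."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if rule == "DEFAULT":
        return components[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    count, fmt, accept, pat, repl, glob = m.groups()
    if int(count) != len(components):
        return None
    params = [realm] + components            # $0 = realm, $1.. = components
    base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
    if accept is not None and re.fullmatch(accept, base) is None:
        return None                          # filter must match the whole string
    if pat is None:
        return base
    return re.sub(pat, repl, base, count=0 if glob else 1)


def short_name(rules, principal):
    """First rule that applies wins, as in an auth_to_local rule list."""
    for rule in rules:
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    for rules, p in [([DOC_RULE, "DEFAULT"], "jhs/myhost@REALM.TLD"),
                     ([FIXED_RULE, "DEFAULT"], "jhs/myhost@REALM.TLD"),
                     ([NN_RULE], "nn/host1.domain@REALM.TLD"),
                     ([NN_RULE], "nn/host2.domain@REALM.TLD")]:
        print(p, "->", short_name(rules, p))
```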