Posted to common-issues@hadoop.apache.org by "Sunny Cheung (JIRA)" <ji...@apache.org> on 2015/03/06 08:29:38 UTC

[jira] [Commented] (HADOOP-11683) Need a plugin API to translate long principal names to local OS user names arbitrarily

    [ https://issues.apache.org/jira/browse/HADOOP-11683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14350066#comment-14350066 ] 

Sunny Cheung commented on HADOOP-11683:
---------------------------------------

Our problem is that normal user principal names can be very different from their Unix login. Some customers simply have an arbitrary mapping between their Kerberos principals and Unix user accounts. For example, one customer has over 200K users on AD with Kerberos principals in format "<first name>.<last name>@REALM" (e.g. john.doe@EXAMPLE.COM). But their Unix names are in format "user<ID>" or just "<ID>" (e.g. user123456, 123456).

So, when Kerberos security is enabled on Hadoop clusters, how should we configure to authenticate these users from Hadoop clients?

The current way is to use the hadoop.security.auth_to_local setting, e.g. from core-site.xml:

<property>
    <name>hadoop.security.auth_to_local</name>
    <value>
        RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
        RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
        RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
        RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
        DEFAULT
    </value>
    <description>The mapping from kerberos principal names
        to local OS user names.</description>
</property>

These name translation rules can handle cases like mapping service accounts' principals (e.g. nn/<host>@REALM or dn/<host>@REALM to hdfs). But that is not scalable for normal users. There are just too many users to handle (as compared to the finite amount of service accounts).

Therefore, we would like to ask if an alternative name resolution plugin interface can be supported by Hadoop. It could be similar to the way an alternative authentication plugin is supported for HTTP web-consoles [1]:

<property>
    <name>hadoop.http.authentication.type</name>
    <value>org.my.subclass.of.AltKerberosAuthenticationHandler</value>
</property>

And the plugin interface can be as simple as this function (error handling ignored here):

String auth_to_local(String krb5Principal) {
    ...
    return unixName;
}

If this plugin interface is supported by Hadoop, then everyone can provide a plugin to support arbitrary mapping. This will be extremely useful when administrators need to tighten security on Hadoop with existing Kerberos infrastructure.

References:
[1] Authentication for Hadoop HTTP web-consoles http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/HttpAuthentication.html

> Need a plugin API to translate long principal names to local OS user names arbitrarily
> --------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11683
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11683
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Sunny Cheung
>
> We need a plugin API to translate long principal names (e.g. john.doe@EXAMPLE.COM) to local OS user names (e.g. user123456) arbitrarily.
> For some organizations the name translation is straightforward (e.g. john.doe@EXAMPLE.COM to john_doe), and the hadoop.security.auth_to_local configurable mapping is sufficient to resolve this (see HADOOP-6526). However, in some other cases the name translation is arbitrary and cannot be generalized by a set of translation rules easily.
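To make the gap the comment describes concrete, the following is an added example, not code from the ticket or from Hadoop itself: it evaluates auth_to_local rules in the order and with the semantics described above (component count, $0/$1 substitution, full-regex match, sed substitution, DEFAULT for the local realm, rejection of non-simple results) and then wraps them in the lookup-backed plugin the comment asks for. The rule list, the default realm EXAMPLE.COM and the USER_DIRECTORY table are constructed for the example; a real plugin would consult the customer's directory instead.

```python
import re

# Constructed inputs: two of the core-site.xml rules quoted above plus DEFAULT, and a
# tiny directory extract standing in for the customer's AD-to-Unix mapping.
DEFAULT_REALM = "EXAMPLE.COM"
RULES = [
    "RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/",
    "RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/",
    "DEFAULT",
]
USER_DIRECTORY = {"john.doe@EXAMPLE.COM": "user123456", "jane.roe@EXAMPLE.COM": "123457"}
# RULE:[n:format](regex)s/pattern/replacement/g -- match and sed parts are optional
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def split_principal(principal):
    """'nn/host1@EXAMPLE.COM' -> (['nn', 'host1'], 'EXAMPLE.COM'); no realm -> (.., None)."""
    if "@" not in principal:
        return [principal], None
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def apply_rules(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Evaluate hadoop.security.auth_to_local rules in order; the first match wins."""
    components, realm = split_principal(principal)
    if realm is None:
        return principal  # already a short name, nothing to translate
    params = [realm] + components  # $0 = realm, $1, $2, ... = principal components
    for rule in rules:
        if rule == "DEFAULT":  # first component, but only for the local realm
            if realm == default_realm:
                result = components[0]
                break
            continue
        n, fmt, match_re, pat, repl, flag = RULE_RE.match(rule).groups()
        if int(n) != len(components):
            continue
        base = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], fmt)
        if match_re and not re.fullmatch(match_re, base):
            continue
        result = base if pat is None else re.sub(pat, repl, base, count=0 if flag else 1)
        break
    else:
        raise ValueError(f"no auth_to_local rule matches {principal}")
    if "/" in result or "@" in result:  # Hadoop rejects non-simple names too
        raise ValueError(f"non-simple name {result!r} after rules")
    return result

def plugin_auth_to_local(principal, directory=USER_DIRECTORY):
    """Hypothetical plugin: exact directory lookup for human users, rules for the rest."""
    return directory.get(principal) or apply_rules(principal)
```

Running apply_rules on john.doe@EXAMPLE.COM yields "john.doe" via DEFAULT, which is exactly the name the rules cannot turn into user123456; the plugin returns the directory value instead while still routing nn/ and jt/ service principals through the existing rules.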



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)