Posted to common-issues@hadoop.apache.org by "Owen O'Malley (JIRA)" <ji...@apache.org> on 2010/03/07 21:00:27 UTC

[jira] Updated: (HADOOP-6526) Need mapping from long principal names to local OS user names

     [ https://issues.apache.org/jira/browse/HADOOP-6526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen O'Malley updated HADOOP-6526:
----------------------------------

    Attachment: c-6526.patch

Ok, after some investigation I wasn't happy.
1. The Java Kerberos library doesn't export their auth_to_local rule translation.
2. The Java Kerberos library has bugs (i.e. simplifications) that mean they skip over the auth_to_local rules in their parsing of the Kerberos config file.

So here is some code where you can cut and paste the rules from your krb5.conf's auth_to_local rules into core-site.xml. The downside is that the best documentation for those rules is in an_to_ln.c. *sigh*

So the default rule is just "DEFAULT" which takes all principals in your default domain to their first component. "omalley@APACHE.ORG" and "omalley/admin@APACHE.ORG" to "omalley", if your default domain is APACHE.ORG.

The translation rules have 3 sections:
<base><filter><substitution>

The base consists of a number that represents the number of components in the principal name excluding the realm and the pattern for building the name from the sections of the principal name. The base uses $0 to mean the realm, $1 to mean the first component and $2 to mean the second component. 

[1:$1@$0] translates "omalley@APACHE.ORG" to "omalley@APACHE.ORG"
[2:$1] translates "omalley/admin@APACHE.ORG" to "omalley"
[2:$1%$2] translates "omalley/admin@APACHE.ORG" to "omalley%admin"

The filter is a regex in parens that must match the generated string for the rule to apply.

"(.*%admin)" will take any string that ends in "%admin"
"(.*@ACME.COM)" will take any string that ends in "@ACME.COM"

Finally, the substitution is a sed rule to translate a regex into a fixed string.

"s/@ACME\.COM//" removes the first instance of "@ACME.COM".
"s/@[A-Z]*\.COM//" removes the first instance of "@" followed by a name followed by ".COM".
"s/X/Y/g" replaces all of the "X" in the name with "Y"

So, if your default realm was APACHE.ORG, but you also wanted to take all principals from ACME.COM that had a single component "joe@ACME.COM", you'd do:

RULE:[1:$1@$0](.*@ACME.ORG)s/@.*//
DEFAULT

To also translate the names with a second component, you'd make the rules:

RULE:[1:$1@$0](.*@ACME.ORG)s/@.*//
RULE:[2:$1@$0](.*@ACME.ORG)s/@.*//
DEFAULT

If you want to treat all principals from APACHE.ORG with /admin as "admin", your rules would look like:

RULE:[2:$1%$2@$0](.*%admin@APACHE.ORG)s/.*/admin/
DEFAULT


> Need mapping from long principal names to local OS user names
> -------------------------------------------------------------
>
>                 Key: HADOOP-6526
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6526
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Owen O'Malley
>            Assignee: Owen O'Malley
>         Attachments: c-6526.patch
>
>
> We need a configurable mapping from full user names (eg. omalley@APACHE.ORG) to local user names (eg. omalley). For many organizations it is sufficient to just use the prefix, however, in the case of shared clusters there may be duplicated prefixes. A configurable mapping will let administrators resolve the issue.
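A small interpreter for the auth_to_local rule syntax described in the comment above, added here as an illustration; it is not part of the attached c-6526.patch. It assumes a default realm of APACHE.ORG, that the filter must match the whole generated string, and that the sed substitution replaces only the first match unless the g flag is present.

```python
import re

# Constructed default realm for the worked examples (assumption).
DEFAULT_REALM = "APACHE.ORG"

# RULE:[<n>:<base>](<filter>)s/<pattern>/<replacement>/<g?>
# The filter and the substitution are optional; the filter is one paren group.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"                        # component count and base
    r"(?:\(([^)]*)\))?"                                # optional filter regex
    r"(?:s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?))?$"    # optional sed rule
)

def split_principal(principal):
    """'omalley/admin@APACHE.ORG' -> (['omalley', 'admin'], 'APACHE.ORG')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Return the local name if this rule applies to the principal, else None."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only accepts principals from the default realm (first component).
        return comps[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("malformed rule: " + rule)
    ncomp, base, filt, pattern, repl, flags = m.groups()
    if len(comps) != int(ncomp):
        return None
    parts = [realm] + comps  # $0 is the realm, $1, $2, ... are the components
    candidate = re.sub(r"\$(\d+)", lambda mm: parts[int(mm.group(1))], base)
    # Assumption: the filter must match the whole generated string.
    if filt is not None and re.fullmatch(filt, candidate) is None:
        return None
    if pattern is not None:
        count = 0 if flags == "g" else 1  # sed semantics: first match unless /g
        candidate = re.sub(pattern, repl, candidate, count=count)
    return candidate

def translate(rules, principal, default_realm=DEFAULT_REALM):
    """Apply the rules in order; the first rule that yields a name wins."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    # A principal no rule accepts gets no local account, which is the safe outcome.
    raise ValueError("no auth_to_local rule matched " + principal)
```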
