[HADOOP-11683] Need a plugin API to translate long principal names to local OS user names arbitrarily - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Patch Available
Priority: Major
Resolution: Unresolved
Affects Version/s: 2.6.0
Fix Version/s: None
Component/s: security
Labels:
None

Target Version/s:

2.6.6
Release Note:

Hide
The patch allows HadoopKerberosName to use a user name mapping pluggable API from parameter, hadoop.security.user.name.mapping, instead of the regular expression specified in parameter, hadoop.security.auth_to_local.

If user name is not found by the API or hadoop.security.user.mapping is not set, it will default back to hadoop.security.auth_to_local for compatibility.

Show
The patch allows HadoopKerberosName to use a user name mapping pluggable API from parameter, hadoop.security.user.name.mapping, instead of the regular expression specified in parameter, hadoop.security.auth_to_local. If user name is not found by the API or hadoop.security.user.mapping is not set, it will default back to hadoop.security.auth_to_local for compatibility.

Description

We need a plugin API to translate long principal names (e.g. john.doe@EXAMPLE.COM) to local OS user names (e.g. user123456) arbitrarily.

For some organizations the name translation is straightforward (e.g. john.doe@EXAMPLE.COM to john_doe), and the hadoop.security.auth_to_local configurable mapping is sufficient to resolve this (see ~~HADOOP-6526~~). However, in some other cases the name translation is arbitrary and cannot be generalized by a set of translation rules easily.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-11683.003.patch
14/Oct/15 00:17
24 kB
roger mak
HADOOP-11683.002.patch
12/Oct/15 20:52
24 kB
roger mak
HADOOP-11683.001.patch
10/Aug/15 20:11
24 kB
roger mak

Activity

People

Assignee:: roger mak

Reporter:: Sunny Cheung

Votes:: 1 Vote for this issue

Watchers:: 15 Start watching this issue

Dates

Created:: 06/Mar/15 07:23

Updated:: 15/Dec/16 18:28