Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-11687

Kerberos: Force principal names to resolve to lowercase lower usernames in auth-to-local default rules

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 2.0.1
    • 2.1.0
    • ambari-server
    • None

    Description

      Force principals names to resolve to lowercase local usernames in auth-to-local rules. This will help when the KDC is an MIT KDC or an Active Directory and user accounts have uppercase letters that need to be converted to lowercase letters. For example: USER1234@REALM should resolve to user1234.

      Solution

      1. Provide a kerberos-env configuration to optionally create case-insensitive rules
      2. If creating case-insensitive rules, generic auth-to-local rules should contain the L option, as in:
        RULE:[1:$1@$0](.*@REALM)s/@.*///L
        

      Attachments

        1. AMBARI-11687_02.patch
          7 kB
          Emil Anca
        2. AMBARI-11687_03.patch
          8 kB
          Emil Anca
        3. AMBARI-11687.patch
          26 kB
          Emil Anca

        Issue Links

          Activity

            hadoopqa Hadoop QA added a comment -

            -1 overall. Here are the results of testing the latest attachment
            http://issues.apache.org/jira/secure/attachment/12737949/AMBARI-11687_02.patch
            against trunk revision .

            +1 @author. The patch does not contain any @author tags.

            +1 tests included. The patch appears to include 2 new or modified test files.

            +1 javac. The applied patch does not increase the total number of javac compiler warnings.

            +1 release audit. The applied patch does not increase the total number of release audit warnings.

            -1 core tests. The test build failed in ambari-server

            Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/3055//testReport/
            Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/3055//console

            This message is automatically generated.

            hadoopqa Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12737949/AMBARI-11687_02.patch against trunk revision . +1 @author . The patch does not contain any @author tags. +1 tests included . The patch appears to include 2 new or modified test files. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. -1 core tests . The test build failed in ambari-server Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/3055//testReport/ Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/3055//console This message is automatically generated.
            hadoopqa Hadoop QA added a comment -

            +1 overall. Here are the results of testing the latest attachment
            http://issues.apache.org/jira/secure/attachment/12738548/AMBARI-11687_03.patch
            against trunk revision .

            +1 @author. The patch does not contain any @author tags.

            +1 tests included. The patch appears to include 2 new or modified test files.

            +1 javac. The applied patch does not increase the total number of javac compiler warnings.

            +1 release audit. The applied patch does not increase the total number of release audit warnings.

            +1 core tests. The patch passed unit tests in ambari-server.

            Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/3111//testReport/
            Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/3111//console

            This message is automatically generated.

            hadoopqa Hadoop QA added a comment - +1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12738548/AMBARI-11687_03.patch against trunk revision . +1 @author . The patch does not contain any @author tags. +1 tests included . The patch appears to include 2 new or modified test files. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 core tests . The patch passed unit tests in ambari-server. Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/3111//testReport/ Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/3111//console This message is automatically generated.
            rlevas Robert Levas added a comment -

            Committed to trunk

            commit e71784299a526d8fa11d5430cc82aa9080c768d0
            Author: Emil Anca <eanca@hortonworks.com>
            Date:   Tue Jun 9 11:20:56 2015 -0400
            

            Committed to branch-2.1

            commit 24001f1d50f15fd8d6647e78047c046fc717838c
            Author: Emil Anca <eanca@hortonworks.com>
            Date:   Tue Jun 9 11:21:58 2015 -0400
            
            rlevas Robert Levas added a comment - Committed to trunk commit e71784299a526d8fa11d5430cc82aa9080c768d0 Author: Emil Anca <eanca@hortonworks.com> Date: Tue Jun 9 11:20:56 2015 -0400 Committed to branch-2.1 commit 24001f1d50f15fd8d6647e78047c046fc717838c Author: Emil Anca <eanca@hortonworks.com> Date: Tue Jun 9 11:21:58 2015 -0400
            hudson Hudson added a comment -

            SUCCESS: Integrated in Ambari-trunk-Commit #2867 (See https://builds.apache.org/job/Ambari-trunk-Commit/2867/)
            AMBARI-11687. Kerberos: Force principal names to resolve to lowercase lower usernames in auth-to-local default rules (Emil Anca via rlevas) (rlevas: http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=e71784299a526d8fa11d5430cc82aa9080c768d0)

            • ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
            • ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
            • ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
            • ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
            • ambari-web/app/data/HDP2/site_properties.js
            • ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
            hudson Hudson added a comment - SUCCESS: Integrated in Ambari-trunk-Commit #2867 (See https://builds.apache.org/job/Ambari-trunk-Commit/2867/ ) AMBARI-11687 . Kerberos: Force principal names to resolve to lowercase lower usernames in auth-to-local default rules (Emil Anca via rlevas) (rlevas: http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=e71784299a526d8fa11d5430cc82aa9080c768d0 ) ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java ambari-web/app/data/HDP2/site_properties.js ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java

            People

              eanca Emil Anca
              eanca Emil Anca
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: