Description
Hadoop does not allow support of the @ character in usernames, per the recent security mailing list vote to revert HADOOP-12751. A Hadoop auth_to_local rule must match to authorize a user to log in to the Hadoop cluster. This design does not work well in a multi-realm environment where identical usernames in two realms do not map to the same user. There is also the possibility that a lossy regex can incorrectly map users. In the interest of supporting multiple realms, it may be preferred to pass the principal name without rewrite to uniquely distinguish users. This jira is to revisit whether Hadoop can support full principal names without rewrite and provide a plugin to override Hadoop's default implementation of auth_to_local for the multi-realm use case.
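An added illustration (not code from Hadoop or from this issue) of the lossy mapping the description refers to: a simplified Python model of auth_to_local rule evaluation that reports distinct principals collapsing to one short name. The realms, principals and rule sets are constructed, and the rule semantics modelled here are a simplified assumption, not Hadoop's own parser.

```python
import re
from collections import defaultdict

# Simplified model of the rule form RULE:[n:fmt](match)s/pat/repl/[g]; not Hadoop's parser.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?")

def apply_rules(principal, rules, default_realm):
    """Return the short name produced by the first matching rule, or None."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":  # assumed semantics: first component, default realm only
            if realm == default_realm:
                return comps[0]
            continue
        n, fmt, match, pat, repl, g = RULE_RE.fullmatch(rule).groups()
        if int(n) != len(comps):
            continue
        # $0 is the realm, $1..$n are the name components.
        base = re.sub(r"\$(\d)", lambda m: ([realm] + comps)[int(m.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue
        if pat is not None:  # sed-style substitution; replacement is taken literally
            base = re.sub(pat, lambda _: repl, base, count=0 if g else 1)
        return base
    return None

def find_collisions(principals, rules, default_realm):
    """Map each short name to the principals sharing it, keeping only collisions."""
    by_short = defaultdict(set)
    for p in principals:
        short = apply_rules(p, rules, default_realm)
        if short is not None:
            by_short[short].add(p)
    return {s: sorted(ps) for s, ps in by_short.items() if len(ps) > 1}

# Constructed sample data: two realms that each contain an unrelated "alice".
PRINCIPALS = ["alice@CORP.EXAMPLE", "alice@PARTNER.EXAMPLE", "bob@PARTNER.EXAMPLE"]
# Lossy: strips the realm, so both alices become the same local user.
LOSSY_RULES = [r"RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE)s/@.*//", "DEFAULT"]
# Realm-qualified: keeps the realms distinguishable without '@' in the short name.
QUALIFIED_RULES = [r"RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE)s/@.*/_partner/", "DEFAULT"]

if __name__ == "__main__":
    print("lossy:    ", find_collisions(PRINCIPALS, LOSSY_RULES, "CORP.EXAMPLE"))
    print("qualified:", find_collisions(PRINCIPALS, QUALIFIED_RULES, "CORP.EXAMPLE"))
```

Running a check like this over the expected principal population before deploying a rule set shows which short names would be shared across realms.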
Attachments
Issue Links
- is depended upon by
  - HADOOP-15922 DelegationTokenAuthenticationFilter get wrong doAsUser since it does not decode URL (Resolved)
  - HADOOP-16023 Support system /etc/krb5.conf for auth_to_local rules (Open)
- is related to
  - HADOOP-16031 TestSecureLogins#testValidKerberosName fails (Resolved)
- relates to
  - HADOOP-12751 While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple (Resolved)
  - HADOOP-15959 revert HADOOP-12751 (Resolved)