Hadoop Common: HADOOP-15996

Plugin interface to support more complex usernames in Hadoop


Details

    • New Feature
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.2.0, 3.3.0, 3.1.2
    • security
    • None
    • This patch enables "Hadoop" and "MIT" as options for "hadoop.security.auth_to_local.mechanism" and defaults to 'hadoop'. This should be backward compatible with pre-HADOOP-12751.

      This is basically HADOOP-12751 plus configurable + extended tests.

    Description

      Hadoop does not allow the @ character in usernames after the recent security mailing list vote to revert HADOOP-12751. A Hadoop auth_to_local rule must match to authorize a user to log in to the Hadoop cluster. This design does not work well in a multi-realm environment where identical usernames in two realms do not map to the same user. There is also the possibility that a lossy regex can incorrectly map users. In the interest of supporting multi-realms, it may be preferred to pass the principal name without rewrite to uniquely distinguish users. This jira is to revisit whether Hadoop can support full principal names without rewrite and provide a plugin to override Hadoop's default implementation of auth_to_local for the multi-realm use case.
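
      The multi-realm collision described above, as an added example that is not part of the issue or of the Hadoop patch: a reduced model of auth_to_local rule evaluation that reports principals sharing a mapped name, and shows a pass-through rule being rejected under the "hadoop" mechanism but accepted under "mit". The realms, principals, rules and function names are constructed for illustration, and the grammar omits DEFAULT and the /L flag.

```python
import re
from collections import defaultdict

# Reduced auth_to_local grammar: RULE:[n:format](match)s/from/to/g
# (assumption: DEFAULT and the /L flag are left out of this model)
RULE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

class NoMatchingRule(Exception):
    pass

def short_name(principal, rules, mechanism="hadoop"):
    """Return the local name the first applicable rule gives a principal."""
    user, realm = principal.rsplit("@", 1)
    parts = [realm] + user.split("/")        # $0 = realm, $1.. = components
    for rule in rules:
        n, fmt, match, frm, to, glob = RULE.match(rule).groups()
        if int(n) != len(parts) - 1:
            continue
        base = re.sub(r"\$(\d)", lambda m: parts[int(m.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue
        result = base if frm is None else re.sub(
            frm, to, base, count=0 if glob else 1)
        # "hadoop" refuses names that still contain '@' or '/'; "mit" keeps them
        if mechanism == "hadoop" and re.search(r"[/@]", result):
            raise NoMatchingRule(f"non-simple name {result!r} from {rule}")
        return result
    raise NoMatchingRule(principal)

def collisions(principals, rules, mechanism="hadoop"):
    """Group principals by mapped name; keep names shared by more than one."""
    seen = defaultdict(list)
    for p in principals:
        seen[short_name(p, rules, mechanism)].append(p)
    return {name: ps for name, ps in seen.items() if len(ps) > 1}

# Constructed sample data: two realms that each have an "alice"
PRINCIPALS = ["alice@CORP.EXAMPLE", "alice@PARTNER.EXAMPLE", "bob@CORP.EXAMPLE"]
LOSSY = ["RULE:[1:$1@$0](.*@.*)s/@.*//"]     # strips every realm
FULL = ["RULE:[1:$1@$0]"]                    # keeps the full principal

if __name__ == "__main__":
    print(collisions(PRINCIPALS, LOSSY))          # both alices map to "alice"
    print(collisions(PRINCIPALS, FULL, "mit"))    # no shared names
```

      Running `collisions` over a directory export before deploying a rule set is a cheap way to catch a realm-stripping rule that merges distinct identities.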

      Attachments

        1. HADOOP-15996.0012.patch
          34 kB
          Bolke de Bruin
        2. HADOOP-15996.0011.patch
          35 kB
          Marton Elek
        3. HADOOP-15996.0010.patch
          35 kB
          Bolke de Bruin
        4. HADOOP-15996.0009.patch
          35 kB
          Bolke de Bruin
        5. HADOOP-15996.0008.patch
          35 kB
          Bolke de Bruin
        6. HADOOP-15996.0007.patch
          35 kB
          Bolke de Bruin
        7. HADOOP-15996.0006.patch
          33 kB
          Bolke de Bruin
        8. HADOOP-15996.0005.patch
          33 kB
          Bolke de Bruin
        9. 0005-HADOOP-15996-Make-auth-to-local-configurable.patch
          33 kB
          Bolke de Bruin
        10. 0004-HADOOP-15996-Make-auth-to-local-configurable.patch
          33 kB
          Bolke de Bruin
        11. 0003-HADOOP-15996-Make-auth-to-local-configurable.patch
          29 kB
          Bolke de Bruin
        12. 0002-HADOOP-15996-Make-auth-to-local-configurable.patch
          28 kB
          Bolke de Bruin
        13. 0001-Simple-trial-of-using-krb5.conf-for-auth_to_local-ru.patch
          3 kB
          Bolke de Bruin
        14. 0001-Make-allowing-or-configurable.patch
          29 kB
          Bolke de Bruin
        15. 0001-HADOOP-15996-Make-auth-to-local-configurable.patch
          24 kB
          Bolke de Bruin


          People

            bolke Bolke de Bruin
            eyang Eric Yang