Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-16023

Support system /etc/krb5.conf for auth_to_local rules

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • None
    • security

    Description

      Hadoop has long maintained its own configuration for Kerberos' auth_to_local rules. To the user this is counter intuitive and increases the complexity of maintaining a secure system as the normal way of configuring these auth_to_local rules is done in the site wide krb5.conf usually /etc/krb5.conf.

      With HADOOP-15996 there is now support for configuring how Hadoop should evaluate auth_to_local rules. A "system" mechanism should be added.

      It should be investigated how to properly parse krb5.conf. JDK seems to be lacking as it is unable to obtain auth_to_local rules due to a bug in its parser. Apache Kerby has an implementation that could be used. A native (C) version is also a possibility.

      Attachments

        Issue Links

          depends upon

          Bug - A problem which impairs or prevents the functions of the product. DIRKRB-730 Unable to parse krb5.conf rules due to java.lang.IndexOutOfBoundsException

          • Major - Major loss of function.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. HADOOP-15996 Plugin interface to support more complex usernames in Hadoop

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              bolke Bolke de Bruin
              bolke Bolke de Bruin
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated: