[AMBARI-16023] Auth-to-local rule generation duplicates default rules when adding case-insensitive default rules - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.2.0
Fix Version/s: 2.4.0
Component/s: ambari-server
Labels:
- auth_to_local
- kerberos

Description

When re-generating auth-to-local rules where existing rules are already set, the default (or fallback) rule for the default and additional realms is duplicated but the extra instance(s) have the case-insensitive flag:

Example:

Was

...
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
...

Becomes

...
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*///L
...

Steps to Reproduce

Create cluster with (at least) HDFS
Enable Kerberos (do not check the box next to "Enable case insensitive username rules"; kerberos-env/case_insensitive_username_rules should be false
Edit Kerberos configuration and check "Enable case insensitive username rules" to set kerberos-env/case_insensitive_username_rules to true
Regenerate Keytabs
See duplicate entry in HDFS configs (core-site/hadoop.security.auth_to_local)