[jira] [Commented] (HADOOP-12751) While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple

Sun, 31 Jan 2016 13:08:58 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-12751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15125508#comment-15125508
 ] 

Bolke de Bruin commented on HADOOP-12751:
-----------------------------------------

Sure I understand the general concern, but I have difficulty grasping the use 
case. Firstly, this goes for kerberized clusters which are not as widespread 
although picking up. Secondly, there would need to be code that relies on an 
exception to do something meaningful afterwards.

We are running this patch now in our test environment. Although coming by a 
system that does create users with a '/' is hard to come by, I think I can come 
up with something (making sssd return this kind of users). Maybe give it a week 
or so and then I report back?

> While using kerberos Hadoop incorrectly assumes names with '@' to be 
> non-simple
> -------------------------------------------------------------------------------
>
>                 Key: HADOOP-12751
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12751
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.2
>            Reporter: Bolke de Bruin
>            Priority: Critical
>              Labels: kerberos
>         Attachments: 0001-HADOOP-12751-leave-user-validation-to-os.patch, 
> 0002-HADOOP-12751-leave-user-validation-to-os.patch, 
> 0003-HADOOP-12751-leave-user-validation-to-os.patch, 
> 0004-HADOOP-12751-leave-user-validation-to-os.patch
>
>
> In the scenario of a trust between two directories, eg. FreeIPA (ipa.local) 
> and Active Directory (ad.local) users can be made available on the OS level 
> by something like sssd. The trusted users will be of the form 'user@ad.local' 
> while other users are will not contain the domain. Executing 'id -Gn 
> user@ad.local' will successfully return the groups the user belongs to if 
> configured correctly. 
> However, it is assumed by Hadoop that users of the format with '@' cannot be 
> correct. This code is in KerberosName.java and seems to be a validator if the 
> 'auth_to_local' rules are applied correctly.
> In my opinion this should be removed or changed to a different kind of check 
> or maybe logged as a warning while still proceeding, as the current behavior 
> limits integration possibilities with other standard tools.
> Workaround are difficult to apply (by having a rewrite by system tools to for 
> example user_ad_local) due to down stream consequences.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to